support TLS v1.3

[oberstet]

currently, a node configured with best/state-of-the-art TLS configuration/certs looks like:

[oberstet]

@meejah do you know if/when twisted has it?

[meejah]

AFAIK Twisted support should "come with" the underlying pyOpenSSL + OpenSSL libraries .. unless the actual Python-level APIs have to do something special to activate 1.3?

[oberstet]

ok .. couple of more notes:

oberstet@intel-nuci7:~$ openssl version
OpenSSL 1.1.1  11 Sep 2018
oberstet@intel-nuci7:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.5 LTS
Release:	18.04
Codename:	bionic
oberstet@intel-nuci7:~$ 

• https://www.phoronix.com/scan.php?page=news_item&px=Ubuntu-18.04-OpenSSL-1.1.1-TLS
• https://wiki.openssl.org/index.php/TLS1.3
• https://github.com/twisted/twisted/pull/1100
• https://twisted.readthedocs.io/en/twisted-20.3.0/core/howto/ssl.html#tls-protocol-options

and

options = CertificateOptions(..., raiseMinimumTo=TLSVersion.TLSv1_3)

[oberstet]

more notes:

• https://stackoverflow.com/questions/68271994/disable-tls-1-3-in-twisted-python
• https://www.pyopenssl.org/en/stable/api/ssl.html?highlight=#OpenSSL.SSL.TLS1_3_VERSION
• https://twistedmatrix.com/documents/current/api/twisted.internet.ssl.CertificateOptions.html

twisted.internet.ssl.CertificateOptions:

   raiseMinimumTo=ssl.TLSVersion.TLSv1_3
   lowerMaximumSecurityTo=ssl.TLSVersion.TLSv1_3

[oberstet]

we should also check and make sure the following default ciphers are enabled:

https://ciphersuite.info/cs/TLS_AES_256_GCM_SHA384/ https://ciphersuite.info/cs/TLS_CHACHA20_POLY1305_SHA256/