[jruby] enable TLSv1.3 support (#2886)

* [jruby] enable TLSv1.3 support

* JRuby - TestPumaServerSSLClient - add IOError for macOS

ext/puma_http11/org/jruby/puma/MiniSSL.java

@@ -226,13 +226,13 @@ public class MiniSSL extends RubyObject { // MiniSSL::Engine
 
     String[] protocols;
     if (miniSSLContext.callMethod(context, "no_tlsv1").isTrue()) {
-        protocols = new String[] { "TLSv1.1", "TLSv1.2" };
+        protocols = new String[] { "TLSv1.1", "TLSv1.2", "TLSv1.3" };
     } else {
-        protocols = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" };
+        protocols = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" };
     }
 
     if (miniSSLContext.callMethod(context, "no_tlsv1_1").isTrue()) {
-        protocols = new String[] { "TLSv1.2" };
+        protocols = new String[] { "TLSv1.2", "TLSv1.3" };
     }
 
     engine.setEnabledProtocols(protocols);

lib/puma/minissl.rb

@@ -13,9 +13,9 @@ module Puma
     # Define constant at runtime, as it's easy to determine at built time,
     # but Puma could (it shouldn't) be loaded with an older OpenSSL version
     # @version 5.0.0
-    HAS_TLS1_3 = !IS_JRUBY &&
-      (OPENSSL_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) != -1 &&
-      (OPENSSL_LIBRARY_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) !=-1
+    HAS_TLS1_3 = IS_JRUBY ||
+        ((OPENSSL_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) != -1 &&
+         (OPENSSL_LIBRARY_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) !=-1)
 
     class Socket
       def initialize(socket, engine)
@@ -50,7 +50,7 @@ module Puma
       # is made with TLSv1.3 as an available protocol
       # @version 5.0.0
       def bad_tlsv1_3?
-        HAS_TLS1_3 && @engine.ssl_vers_st == ['TLSv1.3', 'SSLERR']
+        HAS_TLS1_3 && ssl_version_state == ['TLSv1.3', 'SSLERR']
       end
       private :bad_tlsv1_3?
 

test/test_puma_server_ssl.rb

@@ -193,6 +193,25 @@ class TestPumaServerSSL < Minitest::Test
     end
   end
 
+  def test_tls_v1_3
+    skip("TLSv1.3 protocol can not be set") unless OpenSSL::SSL::SSLContext.instance_methods(false).include?(:min_version=)
+
+    start_server
+
+    @http.min_version = :TLS1_3
+
+    body = nil
+    @http.start do
+      req = Net::HTTP::Get.new '/'
+      @http.request(req) do |rep|
+        assert_equal 'OK', rep.message
+        body = rep.body
+      end
+    end
+
+    assert_equal "https", body
+  end
+
   def test_http_rejection
     body_http  = nil
     body_https = nil
@@ -316,8 +335,8 @@ class TestPumaServerSSLClient < Minitest::Test
         req = Net::HTTP::Get.new "/", {}
         http.request(req)
       end
-    rescue OpenSSL::SSL::SSLError, EOFError, Errno::ECONNRESET => e
-      # Errno::ECONNRESET TruffleRuby
+    rescue OpenSSL::SSL::SSLError, EOFError, Errno::ECONNRESET, IOError => e
+      # Errno::ECONNRESET TruffleRuby, IOError macOS JRuby
       client_error = e
       # closes socket if open, may not close on error
       http.send :do_finish
@@ -335,7 +354,7 @@ class TestPumaServerSSLClient < Minitest::Test
   end
 
   def test_verify_fail_if_no_client_cert
-    error = Puma.jruby? ? /Empty server certificate chain/ : 'peer did not return a certificate'
+    error = Puma.jruby? ? /Empty client certificate chain/ : 'peer did not return a certificate'
     assert_ssl_client_error_match(error) do |http|
       # nothing
     end