feat(socket) change LuaSec ssl_protocol default options

[jeremymv2]

The underlying LuaSec SSL library allows for setting the encryption protocol
to 'any' [1]. When set as such, the client negotiates the highest
encryption protocol available. This any protocol version setting is
widely in use in the luasec repository [2].

In addition, this change limits the lowest allowable ssl protocol
version to a version not less than TLSv1.1.

In support of the above, the implementation is two-fold:

• add no_sslv2, no_sslv3, and no_tlsv1 LuaSec options similar to what
  has been done in lua-cassandra [3]
• set default LuaSec ssl_protocol to 'any' also similar to what has
  been done in lua-cassandra [4]

[1] - https://github.com/brunoos/luasec/blob/711a98b7605ad87b521ba607024947113bc1f527/CHANGELOG#L101
[2] - https://github.com/brunoos/luasec/search?q=protocol+%3D+%22any%22
[3] - thibaultcha/lua-cassandra@b6dff88
[4] - thibaultcha/lua-cassandra@d742d5c

Signed-off-by: Jeremy J. Miller jeremy.miller@konghq.com

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

Jeremy J. Miller seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[jeremymv2]

This closes https://konghq.atlassian.net/browse/FT-1682 cc: @Kong/team-fast-track

[jeremymv2]

cc: @thibaultcha I think I could use your insight here on this change. It effectively boils down to the same fixes we made for lua-cassandra. Ultimately this will be needed to remove the pg_ssl_version (https://github.com/Kong/kong-ee/blob/fd6e2461e69976a23fdb7d7f4a2b06eae3c0aa08/kong.conf.default#L969) setting in Kong-ee.

[thibaultcha]

Sounds good; we will also need to document the "no_sslv2", "no_sslv3", "no_tlsv1" options for database connections in the Kong release changelog.

The base branch was changed.

[jeremymv2]

I wanted to do some triple checking specifically with Kong and this change. Everything checks out. With the change Kong can connect to PG9.5 and PG13 instances using TLSV1.1, TLSV1.2 and TLSV1.3 (in PG13).

When trying to connect with TLSv1 or lower you will get:
Error: [PostgreSQL error] failed to retrieve PostgreSQL server_version_num: no protocols available

I think this is ready to go!

Following this merge I will begin work on removing the pg_ssl_version Kong configuration (https://konghq.atlassian.net/browse/FT-1680) and bump the Kong pgmoon dep to the new released version of this repo such that Kong will connect at the highest TLS protocol version available when using pgmoon in the init phases.

[jeremymv2]

@thibaultcha fyi, after some analysis and discussion with the team, I discovered we still must use this fork due to some changes we've added here that aren't in leafo/pgmoon 🙁

[ghost]

would be nice to have tests for those no_ssl* options but this PR is in good state nevertheless!