Description
As a modern TLS library, s2n-tls aims to provide sane and safe defaults. The goal of this task is to add TLS1.3 support to the "default" and "default_fips" policies.
Solution: add a TLS 1.2 CI job
To de-risk the loss of TLS 1.2 coverage, this solution will add a new TLS 1.2 test to our CI. This new job will toggle the default policy to TLS 1.2 and execute all unit tests. Since this will be a single job, we will lose some coverage (platform, feature probing, libcrypto), but we expect this to be an acceptable risk.
Project plan:
- Fix tests which assume TLS1.2 policy
  - test: avoid mutating static configs in tests #4749
  - test: remove load system certs functionality for s2n_default_tls13_config #4897
  - tests: pin tests to a numbered TLS1.2 policy #4905
  - test: expand s2n_record_read testing to both TLS1.3 and TLS1.2 #4903
  - test: pin optional client auth test to a TLS 1.2 policy #4914
  - test: pin tests to TLS 1.2/TLS 1.3 policy #4926
- Set up a single GeneralBatch job which tests with a default TLS 1.2 policy.
  - This will preserve the majority of the current testing behavior when TLS 1.3 becomes the default. However, due to conditional compilation/feature probing (libcrypto, platform), this does sacrifice some code coverage. We consider this an acceptable risk.
  - Create CI job in General Batch (TLS12)
  - Create a git patch to revert the TLS1.3 policy change (revert the PR changes in the next step)
- Add TLS1.3 support to the "default" and "default_fips" policies
  - Draft PR (need rebase to main after test pinning PRs are merged): feat: add TLS1.3 support to "default" and "default_fips" policies #4916
Solution: pin to numbered policy
Solution not implemented due to new findings
This solution was attempting to pin TLS-1.2-tests to the numbered equivalent "20240501". However, we also have tests that actually want to test the "default" policy ("default"-policy-tests), and these should not be pinned. There is no easy way to detect "default"-policy-tests vs TLS-1.2-tests, which means we cannot implement this solution.
- Pin tests to the old "default" and "default_fips" policies to prevent regression
- Fix tests which modify the static configs test: avoid mutating static configs in tests #4749
- Disallow explicit use of the "default" policy test: disallow explict use of "default" policy in tests #4750