From 90df3d1805db645f6735e25cac72c16a0066d741 Mon Sep 17 00:00:00 2001
From: Benjamin Sergeant
Date: Thu, 12 Mar 2020 16:27:25 -0700
Subject: [PATCH] (openssl tls backend) Fix a hand in OpenSSL when using TLS v1.3 ... by disabling TLS v1.3
---
 docs/CHANGELOG.md | 4 ++++
 ixwebsocket/IXSocketOpenSSL.cpp | 10 ++++++++--
 ixwebsocket/IXWebSocketVersion.h | 2 +-
 test/IXCobraToSentryBotTest.cpp | 4 ++--
 ws/ws.cpp | 2 +-
 5 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 9628fcbd..b3497c6b 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -1,6 +1,10 @@
 # Changelog
 All changes to this project will be documented in this file.
+## [8.2.2] - 2020-03-12
+
+(openssl tls backend) Fix a hand in OpenSSL when using TLS v1.3 ... by disabling TLS v1.3
+
 ## [8.2.1] - 2020-03-11
 (cobra) IXCobraConfig struct has tlsOptions and per message deflate options
diff --git a/ixwebsocket/IXSocketOpenSSL.cpp b/ixwebsocket/IXSocketOpenSSL.cpp
index d73bc5d3..ed7df04e 100644
--- a/ixwebsocket/IXSocketOpenSSL.cpp
+++ b/ixwebsocket/IXSocketOpenSSL.cpp
@@ -131,8 +131,14 @@ namespace ix
 SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
- SSL_CTX_set_options(
- ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_CIPHER_SERVER_PREFERENCE);
+ int options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_CIPHER_SERVER_PREFERENCE;
+
+#ifdef SSL_OP_NO_TLSv1_3
+ // (partially?) work around hang in openssl 1.1.1b, by disabling TLS V1.3
+ // https://github.com/openssl/openssl/issues/7967
+ options |= SSL_OP_NO_TLSv1_3;
+#endif
+ SSL_CTX_set_options(ctx, options);
 }
 return ctx;
 }
diff --git a/ixwebsocket/IXWebSocketVersion.h b/ixwebsocket/IXWebSocketVersion.h
index 1dfac371..08c64420 100644
--- a/ixwebsocket/IXWebSocketVersion.h
+++ b/ixwebsocket/IXWebSocketVersion.h
@@ -6,4 +6,4 @@
 #pragma once
-#define IX_WEBSOCKET_VERSION "8.2.1"
+#define IX_WEBSOCKET_VERSION "8.2.2"
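Review bot: In ixwebsocket/IXSocketOpenSSL.cpp the `#ifdef SSL_OP_NO_TLSv1_3` guard disables TLS 1.3 in every build whose OpenSSL headers define that flag, although the comment attributes the hang to openssl 1.1.1b, so builds against releases without the bug are capped at TLS 1.2 as well. Since the other options only rule out SSLv2 and SSLv3, the negotiable range becomes TLS 1.0 to 1.2; if legacy peers are not required, `SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);` (OpenSSL 1.1.0 and later) would set an explicit floor. I would narrow the guard to the affected releases, e.g. `#if defined(SSL_OP_NO_TLSv1_3) && OPENSSL_VERSION_NUMBER < FIRST_FIXED_VERSION` with `FIRST_FIXED_VERSION` as a placeholder to be taken from the linked issue, and add `// TODO: drop this workaround once affected OpenSSL releases are unsupported`. `options` is declared `int` although the `SSL_OP_*` flags are unsigned masks, so `unsigned long options = ...` would match what `SSL_CTX_set_options` takes in OpenSSL 1.1.x. The enclosing function begins before this hunk, so whether the context serves clients, servers or both cannot be seen here.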
diff --git a/test/IXCobraToSentryBotTest.cpp b/test/IXCobraToSentryBotTest.cpp
index f9205983..a5b9d61c 100644
--- a/test/IXCobraToSentryBotTest.cpp
+++ b/test/IXCobraToSentryBotTest.cpp
@@ -12,11 +12,11 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
 #include
-#include
 using namespace ix;
@@ -159,7 +159,7 @@ TEST_CASE("Cobra_to_sentry_bot", "[foo]")
 bool enableHeartbeat = false;
 // FIXME: try to get this working with https instead of http
- // to regress the TLS 1.3 OpenSSL bug
+ // to regress the TLS 1.3 OpenSSL bug
 // -> https://github.com/openssl/openssl/issues/7967
 // https://xxxxx:yyyyyy@sentry.io/1234567
 std::stringstream oss;
diff --git a/ws/ws.cpp b/ws/ws.cpp
index cc031994..7f8d95db 100644
--- a/ws/ws.cpp
+++ b/ws/ws.cpp
@@ -14,10 +14,10 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
-#include
 #include
 #include
 #include