
Add TLS 1.3 support #40

Open: wants to merge 2 commits into base: master

Conversation

DengYiping commented May 19, 2023

DengYiping (Author)

We can also add protocols as a config in our own SslConfig, but I think defaulting with TLSv1.2 and TLSv1.3 should be sufficient for most cases.

jhaber (Member) commented May 19, 2023

Do you know what protocols were being inferred before and how Netty was inferring them?

Specifically I'm wondering about:

  1. Instead of doing this manually, is there a JVM flag we can set that enables TLSv1.3? (and hopefully that Netty would also respect)
  2. Are we removing any protocols that were previously enabled? Because people use Horizon to hit arbitrary sites on the internet, which might still be using older versions or other protocols

DengYiping (Author)

> Instead of doing this manually, is there a JVM flag we can set that enables TLSv1.3? (and hopefully that Netty would also respect)

This is a clear no. Lower versions of Netty have TLSv1.3 disabled by default; only from Netty 4.1.52 onward is it enabled by default.

> Are we removing any protocols that were previously enabled? Because people use Horizon to hit arbitrary sites on the internet, which might still be using older versions or other protocols.

This is a great point. I will add all TLS versions there to be backward compatible, but I think we should also put in some effort inside HubSpot to investigate who is still using TLS 1.0 and TLS 1.1, because those protocols are less secure and have been deprecated since 2021.
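The two pieces discussed above, an explicit protocol list on the Netty client `SslContext` and a way to find out which peers still end up on TLS 1.0/1.1, look roughly like the following. This is an added illustration written for this page, not code from the PR or from Horizon; the class and method names (`TlsProtocolConfig`, `clientContext`, `logLegacyProtocol`) and the two protocol lists are assumptions for the example. The Netty calls (`SslContextBuilder.forClient().protocols(...)`, `SslHandler.handshakeFuture()`, `SslEngine.getSession().getProtocol()`) are the public Netty 4.1 API.

```java
import io.netty.channel.Channel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import java.util.Arrays;
import java.util.List;

// Added example (hypothetical class name): explicit TLS protocol configuration for a
// Netty client plus a post-handshake check that reports legacy protocol negotiation.
public final class TlsProtocolConfig {

  // The strict list: what the PR proposes as the default. Order is a hint only; the
  // provider negotiates the highest version both sides support.
  static final List<String> MODERN_ONLY = Arrays.asList("TLSv1.3", "TLSv1.2");

  // The backward-compatible list discussed in the thread, for clients that must still
  // reach servers without TLS 1.2 support. Intended to be phased out.
  static final List<String> WITH_LEGACY_FALLBACK =
      Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1");

  // Build a client SslContext that enables exactly the given protocols, regardless of
  // what the Netty version in use would enable by default.
  static SslContext clientContext(List<String> protocols) throws SSLException {
    return SslContextBuilder.forClient()
        .protocols(protocols.toArray(new String[0]))
        .build();
  }

  // True if the protocol name reported by the SSL session is TLS 1.0 or 1.1.
  // (JSSE and the OpenSSL provider both report TLS 1.0 as "TLSv1".)
  static boolean isLegacyProtocol(String protocol) {
    return "TLSv1".equals(protocol) || "TLSv1.1".equals(protocol);
  }

  // Attach a listener to the channel's SslHandler that, once the handshake completes,
  // records which protocol was actually negotiated. Wiring this into the client's
  // connection setup produces the inventory the thread asks for: which destinations
  // still require the TLS 1.0/1.1 fallback.
  static void logLegacyProtocol(Channel ch) {
    SslHandler ssl = ch.pipeline().get(SslHandler.class);
    if (ssl == null) {
      return; // plaintext connection, nothing to inspect
    }
    ssl.handshakeFuture().addListener(f -> {
      if (!f.isSuccess()) {
        return; // handshake failures are surfaced elsewhere in the pipeline
      }
      SSLSession session = ssl.engine().getSession();
      String negotiated = session.getProtocol();
      if (isLegacyProtocol(negotiated)) {
        System.err.println("legacy TLS negotiated: " + negotiated
            + " with " + ch.remoteAddress());
      }
    });
  }
}
```

With `MODERN_ONLY` a handshake against a TLS 1.0/1.1-only server fails outright; with `WITH_LEGACY_FALLBACK` it succeeds, and the listener records the destination so the fallback list can be trimmed once the remaining peers are known.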

kenbreeman (Member)

We officially sunset TLS 1.0 and 1.1 for incoming connections back in March 2021:
https://developers.hubspot.com/changelog/tls-1-and-1-11-sunset

For outgoing connections, we've continued to support falling back to older protocols if the server doesn't support 1.2, but we should eventually sunset that as well.
