Always allow both TLS 1.2 and 1.3 (#2978)

The JDK version of SSL has long supported TLS v1.3 (since version 11) so
fortunately we can use TLS v1.3 regardless if which implementation of
SSL we're using.

We prefer OpenSSL in general so I'm not entirely sure why we were using
the JDK version of SSL on the proxy before, but this should work and be
a good idea regardless.

Tested on alpha by running

```
$ openssl s_client -connect epp.registryalpha.foo:700 -tls1_3 -ciphersuites "TLS_AES_128_GCM_SHA256"
```

Previously we'd get a failure, now it returns the proper cert data.

Author: gbrodman

networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java

@@ -70,10 +70,10 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
   /**
    * The list of cipher suites that are currently acceptable to create a successful handshake.
    *
-   * <p>This list includes all of the current TLS1.3 ciphers and a collection of TLS1.2 ciphers with
-   * no known security vulnerabilities. Note that OpenSSL uses a separate nomenclature for the
-   * ciphers internally but the IANA names listed here will be transparently translated by the
-   * OpenSSL provider (if used), so there is no need to include the OpenSSL name variants here. More
+   * <p>This list includes all the current TLS1.3 ciphers and a collection of TLS1.2 ciphers with no
+   * known security vulnerabilities. Note that OpenSSL uses a separate nomenclature for the ciphers
+   * internally but the IANA names listed here will be transparently translated by the OpenSSL
+   * provider (if used), so there is no need to include the OpenSSL name variants here. More
    * information about these cipher suites and their OpenSSL names can be found at ciphersuite.info.
    */
   private static final ImmutableList<String> ALLOWED_TLS_CIPHERS =
@@ -90,6 +90,10 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
           "TLS_AES_128_CCM_SHA256",
           "TLS_AES_128_CCM_8_SHA256");
 
+  /** Thankfully, the JDK supports TLS version 1.3 now. */
+  private static final ImmutableList<String> SUPPORTED_TLS_VERSIONS =
+      ImmutableList.of("TLSv1.3", "TLSv1.2");
+
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
   private final boolean requireClientCert;
   // TODO(jianglai): Always validate client certs (if required).
@@ -99,7 +103,6 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
   // change when the artifacts on GCS changes.
   private final Supplier<PrivateKey> privateKeySupplier;
   private final Supplier<ImmutableList<X509Certificate>> certificatesSupplier;
-  private final ImmutableList<String> supportedSslVersions;
 
   public SslServerInitializer(
       boolean requireClientCert,
@@ -116,12 +119,6 @@ public SslServerInitializer(
     this.sslProvider = sslProvider;
     this.privateKeySupplier = privateKeySupplier;
     this.certificatesSupplier = certificatesSupplier;
-    this.supportedSslVersions =
-        sslProvider == SslProvider.OPENSSL
-            ? ImmutableList.of("TLSv1.3", "TLSv1.2")
-            // JDK support for TLS 1.3 won't be available until 2021-04-20 at the earliest.
-            // See: https://java.com/en/jre-jdk-cryptoroadmap.html
-            : ImmutableList.of("TLSv1.2");
   }
 
   @Override
@@ -133,7 +130,7 @@ protected void initChannel(C channel) throws Exception {
             .sslProvider(sslProvider)
             .trustManager(InsecureTrustManagerFactory.INSTANCE)
             .clientAuth(requireClientCert ? ClientAuth.REQUIRE : ClientAuth.NONE)
-            .protocols(supportedSslVersions)
+            .protocols(SUPPORTED_TLS_VERSIONS)
             .ciphers(ALLOWED_TLS_CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
             .build();