
25.3.8-fips: add TLSv1.3 support to disableProtocols configuration#1569

Open
mkmkme wants to merge 2 commits into releases/25.3.8-fips from mkmkme/fips/client-disable-tlsv1_3

Conversation

@mkmkme
Collaborator

@mkmkme mkmkme commented Mar 23, 2026

The disableProtocols mechanism only handled sslv2 through tlsv1_2. Specifying "tlsv1_3" in the config was silently ignored, so TLS 1.3 connections could not be disabled. This matters for FIPS testing where we need to verify that disabling all protocols actually prevents all connections.

Add PROTO_TLSV1_3 to the Protocols enum, handle SSL_OP_NO_TLSv1_3 in Context::disableProtocols(), and parse "tlsv1_3" in all four config readers (SSLManager, TLSHandler, PostgreSQLHandler, KeeperServer).

Changelog category (leave one):

  • Improvement

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

add TLSv1.3 support to disableProtocols configuration

Documentation entry for user-facing changes

...


The disableProtocols mechanism only handled sslv2 through tlsv1_2.
Specifying "tlsv1_3" in the config was silently ignored, so TLS 1.3
connections could not be disabled. This matters for FIPS testing where
we need to verify that disabling all protocols actually prevents all
connections.

Add PROTO_TLSV1_3 to the Protocols enum, handle SSL_OP_NO_TLSv1_3 in
Context::disableProtocols(), and parse "tlsv1_3" in all four config
readers (SSLManager, TLSHandler, PostgreSQLHandler, KeeperServer).
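As an added illustration of the token parsing the description refers to (example code written for this page, not code from the PR, ClickHouse or Poco), a self-contained sketch of a disableProtocols config reader: it maps the six protocol names onto bit flags shaped like Context::Protocols, including the new PROTO_TLSV1_3 bit, and collects tokens that match no branch instead of silently ignoring them, which is the failure mode the fix removes. The enum values, ParseResult, parseDisableProtocols and disablesAllProtocols are assumptions of this example.

```cpp
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>

// Bit flags shaped like Poco::Net::Context::Protocols, with the PROTO_TLSV1_3
// bit the PR adds; the numeric values are assumed, not copied from the project.
enum Protocols : uint32_t {
    PROTO_SSLV2 = 0x01, PROTO_SSLV3 = 0x02, PROTO_TLSV1 = 0x04,
    PROTO_TLSV1_1 = 0x08, PROTO_TLSV1_2 = 0x10, PROTO_TLSV1_3 = 0x20,
};
constexpr uint32_t ALL_PROTOCOLS = PROTO_SSLV2 | PROTO_SSLV3 | PROTO_TLSV1
                                 | PROTO_TLSV1_1 | PROTO_TLSV1_2 | PROTO_TLSV1_3;

struct ParseResult {
    uint32_t mask = 0;                // bits to hand to Context::disableProtocols()
    std::vector<std::string> unknown; // tokens that matched no branch
};

// Parse a comma-separated disableProtocols value such as "sslv2,sslv3,tlsv1_3".
// Unrecognised tokens are collected rather than dropped: before the fix,
// "tlsv1_3" matched no branch and was silently ignored, which is the failure
// mode a config reader should surface instead of hiding.
ParseResult parseDisableProtocols(const std::string & value) {
    ParseResult result;
    std::stringstream stream(value);
    std::string token;
    while (std::getline(stream, token, ',')) {
        const auto begin = token.find_first_not_of(" \t");
        if (begin == std::string::npos)
            continue; // empty or whitespace-only token
        token = token.substr(begin, token.find_last_not_of(" \t") - begin + 1);
        if (token == "sslv2")        result.mask |= PROTO_SSLV2;
        else if (token == "sslv3")   result.mask |= PROTO_SSLV3;
        else if (token == "tlsv1")   result.mask |= PROTO_TLSV1;
        else if (token == "tlsv1_1") result.mask |= PROTO_TLSV1_1;
        else if (token == "tlsv1_2") result.mask |= PROTO_TLSV1_2;
        else if (token == "tlsv1_3") result.mask |= PROTO_TLSV1_3;
        else result.unknown.push_back(token);
    }
    return result;
}

// True when every protocol version the enum knows is disabled: the condition
// the FIPS regression test mentioned in the PR description verifies.
bool disablesAllProtocols(uint32_t mask) {
    return (mask & ALL_PROTOCOLS) == ALL_PROTOCOLS;
}
```

A config reader that logs or rejects the `unknown` list turns a typo or an unsupported name into a visible error at startup rather than a protocol that stays enabled.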
@mkmkme mkmkme added the labels fips (Work related to Altinity FIPS releases) and fips-25.3 on Mar 23, 2026
@mkmkme mkmkme changed the title from "25.3.8-fips add TLSv1.3 support to disableProtocols configuration" to "25.3.8-fips: add TLSv1.3 support to disableProtocols configuration" on Mar 23, 2026
@mkmkme
Collaborator Author

mkmkme commented Mar 23, 2026

AI audit note: This review comment was generated by AI (gpt-5.3-codex).

Audit update for PR #1569 (TLSv1.3 support for disableProtocols):

Confirmed defects:

No confirmed defects in reviewed scope.

Coverage summary:

Scope reviewed: Latest PR diff: `Context::Protocols` + `PROTO_TLSV1_3`, `Context::disableProtocols` (`SSL_OP_NO_TLSv1_3`), `SSLManager::initDefaultContext` token parsing, `TLSHandler` / `PostgreSQLHandler` / `KeeperServer` `disableProtocols` parsing, `SSLManager.h` docs (example XML + property bullet); static call graph from config init to `SSL_CTX_set_options`.
Categories failed: None.
Categories passed: Bitmask uniqueness; `#if defined(SSL_OP_NO_TLSv1_3)` guard; parser parity across four sites; header doc consistency (example vs "Valid protocol names"); brace/`#if` structure in `Context.cpp` on PR head.
Assumptions/limits: Static review of fetched `refs/pull/1569/head`; no live TLS handshake or integration test run; user-facing docs under `docs/` outside this diff were not required for parity with the prior finding.

@DimensionWieldr
Collaborator

DimensionWieldr commented Mar 23, 2026

Previously failing regression tests involving disabling protocols now pass. Looks like disableProtocols no longer ignores tlsv1_3.

Also ran AI Audit from my end. AI said "No confirmed defects in reviewed scope." :)

Looks good to me!
