openssl: implement TLS version bounds and cipher config

Hiroshi Hatake · edsiper · commit f5854e29f59c · 2025-03-26T19:14:54.000-06:00
Adds support for parsing TLS protocol versions and disabling specific ones using SSL options.
Also enables cipher selection via `SSL_CTX_set_cipher_list()`.

Signed-off-by: Eduardo Silva &lt;eduardo@chronosphere.io&gt;
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
@@ -651,6 +651,122 @@ static void *tls_context_create(int verify,
     return NULL;
 }
 
+#if !defined(TLS1_3_VERSION)
+#  define TLS1_3_VERSION 0x0304
+#endif
+
+struct tls_proto_def {
+    char *name;
+    int ver;
+};
+
+struct tls_proto_options {
+    int ver;
+    int no_opt;
+};
+
+static int parse_proto_version(const char *proto_ver)
+{
+    int i;
+    struct tls_proto_def defs[] = {
+        { "SSLv2", SSL2_VERSION },
+        { "SSLv3", SSL3_VERSION },
+        { "TLSv1", TLS1_VERSION },
+        { "TLSv1.1", TLS1_1_VERSION },
+        { "TLSv1.2", TLS1_2_VERSION },
+#if defined(TLS1_3_VERSION)
+        { "TLSv1.3", TLS1_3_VERSION },
+#endif
+        { NULL, 0 },
+    };
+
+    if (proto_ver == NULL) {
+        return 0;
+    }
+
+    for (i = 0; i < sizeof(defs) / sizeof(struct tls_proto_def); i++) {
+        if (strncasecmp(defs[i].name, proto_ver, strlen(proto_ver)) == 0) {
+            return defs[i].ver;
+        }
+    }
+
+    return -1;
+}
+
+#if defined(TLS1_3_VERSION)
+#define DEFAULT_MAX_VERSION TLS1_3_VERSION
+#else
+#define DEFAULT_MAX_VERSION TLS1_2_VERSION
+#endif
+
+static int tls_set_minmax_proto(struct flb_tls *tls,
+                                const char *min_version,
+                                const char *max_version)
+{
+    int i;
+    unsigned long sum = 0, opts = 0;
+    int min = TLS1_1_VERSION;
+    int max = DEFAULT_MAX_VERSION;
+    int val = -1;
+    struct tls_context *ctx = tls->ctx;
+
+    struct tls_proto_options tls_options[] = {
+        { SSL2_VERSION, SSL_OP_NO_SSLv2 },
+        { SSL3_VERSION, SSL_OP_NO_SSLv3 },
+        { TLS1_VERSION, SSL_OP_NO_TLSv1 },
+        { TLS1_1_VERSION, SSL_OP_NO_TLSv1_1 },
+        { TLS1_2_VERSION, SSL_OP_NO_TLSv1_2 },
+#if defined(TLS1_3_VERSION) && defined(SSL_OP_NO_TLSv1_3)
+        { TLS1_3_VERSION, SSL_OP_NO_TLSv1_3 },
+#endif
+    };
+
+    if (!ctx) {
+        return -1;
+    }
+
+    val = parse_proto_version(min_version);
+    if (val >= 0) {
+        min = val;
+    }
+
+    val = parse_proto_version(max_version);
+    if (val >= 0) {
+        max = val;
+    }
+
+    pthread_mutex_lock(&ctx->mutex);
+
+    for (i = 0; i < sizeof(tls_options) / sizeof(struct tls_proto_options); i++) {
+        sum |= tls_options[i].no_opt;
+        if ((min && min > tls_options[i].ver) ||
+            (max && max < tls_options[i].ver)) {
+            opts |= tls_options[i].no_opt;
+        }
+    }
+    SSL_CTX_clear_options(ctx->ctx, sum);
+    SSL_CTX_set_options(ctx->ctx, opts);
+
+    pthread_mutex_unlock(&ctx->mutex);
+
+    return 0;
+}
+
+static int tls_set_ciphers(struct flb_tls *tls, const char *ciphers)
+{
+    struct tls_context *ctx = tls->ctx;
+
+    pthread_mutex_lock(&ctx->mutex);
+
+    if (!SSL_CTX_set_cipher_list(ctx->ctx, ciphers)) {
+        return -1;
+    }
+
+    pthread_mutex_unlock(&ctx->mutex);
+
+    return 0;
+}
+
 static void *tls_session_create(struct flb_tls *tls,
                                 int fd)
 {
@@ -1043,6 +1159,8 @@ static struct flb_tls_backend tls_openssl = {
     .context_destroy      = tls_context_destroy,
     .context_alpn_set     = tls_context_alpn_set,
     .session_alpn_get     = tls_session_alpn_get,
+    .set_minmax_proto     = tls_set_minmax_proto,
+    .set_ciphers          = tls_set_ciphers,
     .session_create       = tls_session_create,
     .session_destroy      = tls_session_destroy,
     .net_read             = tls_net_read,
