tls: add support for setting min/max TLS version and cipher list #10133

Merged
merged 4 commits into from
Mar 27, 2025

@edsiper (Member) commented Mar 26, 2025

This PR introduces three new TLS configuration options for both input and output plugins:

  • tls.min_version: specifies the minimum allowed TLS version (e.g., TLSv1.1, TLSv1.2).
  • tls.max_version: specifies the maximum allowed TLS version (e.g., TLSv1.2, TLSv1.3).
  • tls.ciphers: allows users to define a specific set of TLS ciphers (up to TLSv1.2).

The options are added to the input/output configuration map and respected during TLS context initialization. This enhances TLS flexibility and allows better control over security compliance and compatibility with external systems.


Fluent Bit is licensed under Apache 2.0; by submitting this pull request I understand that this code will be released under the terms of that license.

Hiroshi Hatake added 4 commits March 26, 2025 12:50
introduces `tls_min_version`, `tls_max_version`, and `tls_ciphers` fields to input instances.
These options are parsed during config loading and applied during TLS initialization.

Signed-off-by: Eduardo Silva <[email protected]>

Adds support for `tls.min_version`, `tls.max_version`, and `tls.ciphers` in output instances.
Values are parsed and enforced during TLS context setup.

Signed-off-by: Eduardo Silva <[email protected]>

Adds backend API hooks `set_minmax_proto` and `set_ciphers`, and utility functions
`flb_tls_set_minmax_proto()` and `flb_tls_set_ciphers()` for applying TLS constraints.

Signed-off-by: Eduardo Silva <[email protected]>

Adds support for parsing TLS protocol versions and disabling specific ones using SSL options.
Also enables cipher selection via `SSL_CTX_set_cipher_list()`.

Signed-off-by: Eduardo Silva <[email protected]>
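
The last commit message describes parsing protocol versions and disabling the ones outside the allowed range through SSL options. The sketch below shows that mapping with fail-closed error handling; it is an added example, not Fluent Bit's code. All function names and flag bits are hypothetical, and the accepted version strings are assumed to be the three named in the PR description.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names; version spellings follow the PR description. */
enum tls_ver { VER_TLS1_1, VER_TLS1_2, VER_TLS1_3, VER_COUNT };
static const char *const ver_names[VER_COUNT] = { "TLSv1.1", "TLSv1.2", "TLSv1.3" };

/* Local stand-in bits, one "disable this version" flag per protocol.
 * Same idea as OpenSSL's SSL_OP_NO_TLSv1_x options, not the same values. */
#define NO_VER(v)   (1u << (v))
#define NO_VER_ALL  ((1u << VER_COUNT) - 1u)

/* Exact match only: a typo must be an error, never a silent default. */
static int parse_tls_version(const char *s)
{
    for (int i = 0; s != NULL && i < VER_COUNT; i++) {
        if (strcmp(s, ver_names[i]) == 0) {
            return i;
        }
    }
    return -1;
}

/* NULL min or max means "no bound on that side". Returns 0 and sets *mask
 * to the versions outside [min, max]. On an unknown string or min > max it
 * returns -1 with *mask = NO_VER_ALL, so an ignored error negotiates nothing. */
int tls_disabled_mask(const char *min, const char *max, unsigned *mask)
{
    int lo = min ? parse_tls_version(min) : 0;
    int hi = max ? parse_tls_version(max) : VER_COUNT - 1;
    *mask = NO_VER_ALL;
    if (lo < 0 || hi < 0 || lo > hi) {
        return -1;
    }
    *mask = 0;
    for (int v = 0; v < VER_COUNT; v++) {
        *mask |= (v < lo || v > hi) ? NO_VER(v) : 0u;
    }
    return 0;
}

int main(void)
{
    unsigned m;
    int rc = tls_disabled_mask("TLSv1.2", "TLSv1.3", &m);
    printf("rc=%d disabled=0x%x\n", rc, m);
    return 0;
}
```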