Skip to content

tls: add support for setting min/max TLS version and cipher list #10133

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Mar 27, 2025
Merged

tls: add support for setting min/max TLS version and cipher list #10133

merged 4 commits into from
Mar 27, 2025

Conversation

edsiper
Copy link
Member

@edsiper edsiper commented Mar 26, 2025

This PR introduces three new TLS configuration options for both input and output plugins:

  • tls.min_version: specifies the minimum allowed TLS version (e.g., TLSv1.1, TLSv1.2).
  • tls.max_version: specifies the maximum allowed TLS version (e.g., TLSv1.2, TLSv1.3).
  • tls.ciphers: allows users to define a specific set of TLS ciphers (up to TLSv1.2).

The options are added to the input/output configuration map and respected during TLS context initialization. This enhances TLS flexibility and allows better control over security compliance and compatibility with external systems.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Hiroshi Hatake added 4 commits March 26, 2025 12:50
@edsiper
input: add TLS version and cipher config support
cd6f75e 
introduces `tls_min_version`, `tls_max_version`, and `tls_ciphers` fields to input instances.
These options are parsed during config loading and applied during TLS initialization."

Signed-off-by: Eduardo Silva <[email protected]>
@edsiper
output: support TLS version and cipher configuration
61ba857 
Adds support for `tls.min_version`, `tls.max_version`, and `tls.ciphers` in output instances.
Values are parsed and enforced during TLS context setup.

Signed-off-by: Eduardo Silva <[email protected]>
@edsiper
tls: introduce API for TLS version and cipher settings
cc99531 
Adds backend API hooks `set_minmax_proto` and `set_ciphers`, and utility functions
`flb_tls_set_minmax_proto()` and `flb_tls_set_ciphers()` for applying TLS constraints.

Signed-off-by: Eduardo Silva <[email protected]>
@edsiper
openssl: implement TLS version bounds and cipher config
ebfff15 
Adds support for parsing TLS protocol versions and disabling specific ones using SSL options.
Also enables cipher selection via `SSL_CTX_set_cipher_list()`.

Signed-off-by: Eduardo Silva <[email protected]>
@edsiper edsiper added this to the Fluent Bit v4.0.0 milestone Mar 26, 2025
@edsiper edsiper merged commit f5854e2 into master Mar 27, 2025
48 of 50 checks passed
@edsiper edsiper deleted the tls-cipher-list branch March 27, 2025 01:14
@BrewTestBot BrewTestBot mentioned this pull request Apr 1, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leonardo-albertovich leonardo-albertovich Awaiting requested review from leonardo-albertovich leonardo-albertovich is a code owner

@fujimotos fujimotos Awaiting requested review from fujimotos fujimotos is a code owner

@koleini koleini Awaiting requested review from koleini koleini is a code owner

Assignees
No one assigned
Labels
docs-required
Projects
None yet
Milestone
Fluent Bit v4.0.0
Development

Successfully merging this pull request may close these issues.
1 participant
@edsiper