Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS 1.3 support in http output plugin #4332

Open
ashie opened this issue Oct 23, 2023 Discussed in #4329 · 8 comments · May be fixed by #4859
Open

TLS 1.3 support in http output plugin #4332

ashie opened this issue Oct 23, 2023 Discussed in #4329 · 8 comments · May be fixed by #4859
Assignees
@ashie
Labels
bug Something isn't working
Milestone
v1.19.0

Comments

@ashie
Copy link
Member

ashie commented Oct 23, 2023

Discussed in #4329

Originally posted by mikakatua October 22, 2023
I'm trying to use fluentd to send logs to a http endpoint. This endpoint only supports TLS 1.3

My configuration is as follows:

<source>
  @type forward
  @label @mainstream
  port 24224
  bind 0.0.0.0
</source>

<label @mainstream>
  <match **>
    @type http
    endpoint https://haproxy:8443/data/logs
    tls_verify_mode none
    tls_version TLSv1_3
    <format>
      @type json
    </format>
    json_array true
    <buffer>
      flush_interval 2s
    </buffer>
  </match>
</label>

This does not work. I get the error:

[warn]: #0 got unrecoverable error in primary and no secondary error_class=ArgumentError error="unknown SSL method `TLSv1_3'"

Looking at the http output documentation it looks like the max version is TLS 1.2. I have verified that it works removing the tls_version parameter and downgrading the ssl configuration of the endpoint to support TLS 1.2.

If I remove the tls_version parameter without downgrading the endpoint, the error is:

[warn]: #0 failed to flush the buffer. retry_times=0 next_retry_time=2023-10-21 15:55:12 +0000 chunk="6083c037d2f85b70a8f464156a75b22d" error_class=OpenSSL::SSL::SSLError error="SSL_connect returned=1 errno=0 peeraddr=172.18.0.4:8443 state=error: tlsv1 alert protocol version"

Is there any way to get it working with TLS 1.3?

I'm using Fluentd v1.16.2-1.0 docker image
@ashie
Copy link
Member Author

ashie commented Oct 23, 2023

Hmm, current out_http implementation doesn't seem able to set TLSv1.3 because it doesn't use Fluent::TLS:#set_version_to_context, it passes the version string directly to Net::HTTP#start:

fluentd/lib/fluent/plugin/out_http.rb

Line 207 in dd1a6e5

opt[:ssl_version] = @tls_version

fluentd/lib/fluent/plugin/out_http.rb

Lines 248 to 256 in dd1a6e5

res = if @proxy_uri
Net::HTTP.start(uri.host, uri.port, @proxy_uri.host, @proxy_uri.port, @proxy_uri.user, @proxy_uri.password, @http_opt) { |http|
http.request(req)
}
else
Net::HTTP.start(uri.host, uri.port, @http_opt) { |http|
http.request(req)
}
end

and it still uses deprecated method ssl_version:
https://github.com/ruby/openssl/blob/f948e6bbd371046b880be50b9613fca110dbd27a/lib/openssl/ssl.rb#L209-L231

      def ssl_version=(meth)
        meth = meth.to_s if meth.is_a?(Symbol)
        if /(?<type>_client|_server)\z/ =~ meth
          meth = $`
          if $VERBOSE
            warn "#{caller(1, 1)[0]}: method type #{type.inspect} is ignored"
          end
        end
        version = METHODS_MAP[meth.intern] or
          raise ArgumentError, "unknown SSL method `%s'" % meth
        set_minmax_proto_version(version, version)
        @min_proto_version = @max_proto_version = version
      end

      METHODS_MAP = {
        SSLv23: 0,
        SSLv2: OpenSSL::SSL::SSL2_VERSION,
        SSLv3: OpenSSL::SSL::SSL3_VERSION,
        TLSv1: OpenSSL::SSL::TLS1_VERSION,
        TLSv1_1: OpenSSL::SSL::TLS1_1_VERSION,
        TLSv1_2: OpenSSL::SSL::TLS1_2_VERSION,
      }.freeze
      private_constant :METHODS_MAP

We should fix this.

@ashie ashie added bug Something isn't working enhancement Feature request or improve operations labels Oct 23, 2023
@ashie ashie self-assigned this Oct 23, 2023
@ashie ashie added this to the v1.17.0 milestone Oct 23, 2023
@ashie ashie removed the enhancement Feature request or improve operations label Oct 23, 2023
@ashie ashie removed this from the v1.17.0 milestone Oct 23, 2023
@ashie ashie added this to the v1.18.0 milestone Sep 2, 2024
@daipom daipom moved this to To-Do in Fluentd Kanban Nov 28, 2024
@daipom daipom modified the milestones: v1.18.0, v1.19.0 Nov 28, 2024
@muaaaz
Copy link

muaaaz commented Mar 4, 2025

Is there an approximated release date? thanks

@Athishpranav2003
Copy link
Contributor

Is the intended fix for this problem is to add support for TLS1.3 in fluentd itself? @daipom

@Athishpranav2003
Copy link
Contributor

Seems that openssl-ruby doesnt have support for TLS1.3 so how this needs to be solved?

@daipom
Copy link
Contributor

daipom commented Mar 7, 2025

@Athishpranav2003
Thanks for taking a look at this!

I haven't seen it in detail, but #4332 (comment) would be important.

Fluentd has Fluent::TLS:#set_version_to_context feature.
Probably out_forward can use TLS 1.3 because of this.
Isn't this about whether out_http can use TLS 1.3 in the same way?"

@Athishpranav2003
Copy link
Contributor

Athishpranav2003 commented Mar 8, 2025
edited
Loading

@daipom i guess i had a misunderstanding,

@Athishpranav2003 Athishpranav2003 linked a pull request Mar 8, 2025 that will close this issue
Draft
@Athishpranav2003
Copy link
Contributor

@ashie can u please provide a dockerfile or something for ur tls1.3 server so that i can test locally

@daipom
Copy link
Contributor

daipom commented Mar 11, 2025

@Athishpranav2003 Thanks!

can u please provide a dockerfile or something for ur tls1.3 server so that i can test locally

Do you need a tlsv1.3 server for test?
Could we use a test server like this one?

openssl req -new -nodes -x509 -sha256 -days 1000 -newkey rsa:2048 -keyout server.key -out server.crt
openssl s_server -cert server.crt -key server.key -accept 8000 -www -tls1_3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ashie ashie

Labels
bug Something isn't working
Projects
Fluentd Kanban
Status: To-Do
Milestone
v1.19.0
Development

Successfully merging a pull request may close this issue.

TLS1.3 support for out_http Athishpranav2003/fluentd
4 participants
@ashie @daipom @muaaaz @Athishpranav2003