support tls1.3

Author: zarqman

CHANGELOG.md

@@ -1,3 +1,9 @@
+#### 2.1.0
+
+* Require Ruby 2.5
+* Allow TLS 1.3 (minimum remains TLS 1.2)
+
+
 #### 2.0.0
 
 * Require Ruby 2.4

Gemfile.lock

@@ -1,25 +1,25 @@
 PATH
   remote: .
   specs:
-    fluent-plugin-syslog-tls (2.0.0)
+    fluent-plugin-syslog-tls (2.1.0.rc1)
       fluentd (>= 0.14.0, < 2)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.8.0)
-      public_suffix (>= 2.0.2, < 5.0)
-    concurrent-ruby (1.1.9)
+    addressable (2.8.1)
+      public_suffix (>= 2.0.2, < 6.0)
+    concurrent-ruby (1.1.10)
     cool.io (1.7.1)
     crack (0.4.5)
       rexml
     docile (1.4.0)
-    fluentd (1.14.5)
+    fluentd (1.15.3)
       bundler
       cool.io (>= 1.4.5, < 2.0.0)
       http_parser.rb (>= 0.5.1, < 0.9.0)
       msgpack (>= 1.3.1, < 2.0.0)
-      serverengine (>= 2.2.5, < 3.0.0)
+      serverengine (>= 2.3.0, < 3.0.0)
       sigdump (~> 0.2.2)
       strptime (>= 0.2.4, < 1.0.0)
       tzinfo (>= 1.0, < 3.0)
@@ -28,35 +28,35 @@ GEM
       yajl-ruby (~> 1.0)
     hashdiff (1.0.1)
     http_parser.rb (0.8.0)
-    minitest (5.15.0)
+    minitest (5.17.0)
     minitest-stub_any_instance (1.0.3)
-    msgpack (1.4.5)
-    power_assert (2.0.1)
-    public_suffix (4.0.6)
+    msgpack (1.6.0)
+    power_assert (2.0.3)
+    public_suffix (5.0.1)
     rake (13.0.6)
     rexml (3.2.5)
-    serverengine (2.2.5)
+    serverengine (2.3.1)
       sigdump (~> 0.2.2)
     sigdump (0.2.4)
-    simplecov (0.21.2)
+    simplecov (0.22.0)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.12.3)
     simplecov_json_formatter (0.1.4)
     strptime (0.2.5)
-    test-unit (3.5.3)
+    test-unit (3.5.7)
       power_assert
-    tzinfo (2.0.4)
+    tzinfo (2.0.5)
       concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2021.5)
+    tzinfo-data (1.2022.7)
       tzinfo (>= 1.0.0)
-    webmock (3.14.0)
+    webmock (3.18.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
     webrick (1.7.0)
-    yajl-ruby (1.4.1)
+    yajl-ruby (1.4.3)
 
 PLATFORMS
   ruby
@@ -71,4 +71,4 @@ DEPENDENCIES
   webmock (~> 3.0)
 
 BUNDLED WITH
-   2.2.22
+   2.3.26

fluent-plugin-syslog-tls.gemspec

@@ -1,5 +1,5 @@
 # Copyright 2016 Acquia, Inc.
-# Copyright 2016-2022 t.e.morgan.
+# Copyright 2016-2023 t.e.morgan.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -30,7 +30,7 @@ Gem::Specification.new do |s|
   s.executables   = s.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   s.test_files    = s.files.grep(%r{^(test|spec|features)/})
   s.require_paths = ['lib']
-  s.required_ruby_version = '>= 2.4'
+  s.required_ruby_version = '>= 2.5'
 
   s.add_runtime_dependency 'fluentd', [">= 0.14.0", "< 2"]
 

lib/syslog_tls/ssl_transport.rb

@@ -1,5 +1,5 @@
 # Copyright 2016 Acquia, Inc.
-# Copyright 2016-2019 t.e.morgan.
+# Copyright 2016-2023 t.e.morgan.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -29,7 +29,7 @@ class SSLTransport
 
     attr_writer :retries
 
-    def initialize(host, port, idle_timeout: nil, ca_cert: 'system', client_cert: nil, client_key: nil, verify_cert_name: true, ssl_version: :TLSv1_2, max_retries: 1)
+    def initialize(host, port, idle_timeout: nil, ca_cert: 'system', client_cert: nil, client_key: nil, verify_cert_name: true, ssl_version: :TLS1_2, max_retries: 1)
       @host = host
       @port = port
       @idle_timeout = idle_timeout
@@ -96,7 +96,7 @@ def get_ssl_connection
 
       ctx = OpenSSL::SSL::SSLContext.new
       ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
-      ctx.ssl_version = ssl_version
+      ctx.min_version = ssl_version
 
       ctx.verify_hostname = verify_cert_name != false
 

lib/syslog_tls/version.rb

@@ -14,5 +14,5 @@
 # limitations under the License.
 
 module SyslogTls
-  VERSION = '2.0.0'
+  VERSION = '2.1.0.rc1'
 end

test/ssl.rb

@@ -2,12 +2,14 @@
 require 'openssl'
 
 module SSLTestHelper
-  def ssl_server
+  def ssl_server(min_version: nil, max_version: nil)
     @ssl_server ||= begin
       tcp_server = TCPServer.new("localhost", 33000 + Random.rand(1000))
       ssl_context = OpenSSL::SSL::SSLContext.new
       ssl_context.cert = certificate
       ssl_context.key = rsa_key
+      ssl_context.min_version = min_version if min_version
+      ssl_context.max_version = max_version if max_version
       OpenSSL::SSL::SSLServer.new(tcp_server, ssl_context)
     end
   end

test/syslog_tls/test_ssl_transport.rb

@@ -1,5 +1,5 @@
 # Copyright 2016 Acquia, Inc.
-# Copyright 2016 t.e.morgan.
+# Copyright 2016-2023 t.e.morgan.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,19 +20,36 @@
 class SSLTransportTest < Test::Unit::TestCase
   include SSLTestHelper
 
-  def test_ok_connection
-    server = ssl_server
-    st = Thread.new {
-      client = server.accept
-      assert_equal "TESTTEST2\n", client.gets
-      client.close
-    }
-    SyslogTls::SSLTransport.stub_any_instance(:get_ssl_connection, ssl_client) do
-      t = SyslogTls::SSLTransport.new("localhost", server.addr[1], max_retries: 3)
-      t.write("TEST")
-      t.write("TEST2\n")
+  # srvr-min  srvr-max clnt-min should-raise?
+  [ [:TLS1_2, :TLS1_2, :TLS1_2],
+    [:TLS1_2, :TLS1_3, :TLS1_2],
+    [:TLS1_3, :TLS1_3, :TLS1_2],
+    [:TLS1_2, :TLS1_2, :TLS1_3, true],
+    [:TLS1_2, :TLS1_3, :TLS1_3],
+    [:TLS1_3, :TLS1_3, :TLS1_3],
+  ].each do |(server_min, server_max, client_min, should_raise)|
+    define_method "test_#{server_min}-#{server_max}_server_#{client_min}_client" do
+      Thread.report_on_exception = false
+      blk = lambda do
+        server = ssl_server(min_version: server_min, max_version: server_max)
+        st = Thread.new {
+          client = server.accept
+          assert_equal "TESTTEST2\n", client.gets
+          client.close
+        }
+        t = SyslogTls::SSLTransport.new("localhost", server.addr[1], ca_cert: false, ssl_version: client_min)
+        t.write("TEST")
+        t.write("TEST2\n")
+        st.join
+      end
+      if should_raise
+        assert_raises OpenSSL::SSL::SSLError, &blk
+      else
+        blk.call
+      end
+    ensure
+      Thread.report_on_exception = true
     end
-    st.join
   end
 
   def test_retry