TLS 1.3 support in http output plugin #4332

Open
ashie opened this issue Oct 23, 2023 Discussed in #4329 · 1 comment
ashie commented Oct 23, 2023

Discussed in #4329

Originally posted by mikakatua October 22, 2023
I'm trying to use fluentd to send logs to an HTTP endpoint. This endpoint only supports TLS 1.3.

My configuration is as follows:

<source>
  @type forward
  @label @mainstream
  port 24224
  bind 0.0.0.0
</source>

<label @mainstream>
  <match **>
    @type http
    endpoint https://haproxy:8443/data/logs
    tls_verify_mode none
    tls_version TLSv1_3
    <format>
      @type json
    </format>
    json_array true
    <buffer>
      flush_interval 2s
    </buffer>
  </match>
</label>

This does not work. I get the error:

[warn]: #0 got unrecoverable error in primary and no secondary error_class=ArgumentError error="unknown SSL method `TLSv1_3'"

Looking at the http output documentation, it looks like the maximum version is TLS 1.2. I have verified that it works after removing the tls_version parameter and downgrading the SSL configuration of the endpoint to support TLS 1.2.

If I remove the tls_version parameter without downgrading the endpoint, the error is:

[warn]: #0 failed to flush the buffer. retry_times=0 next_retry_time=2023-10-21 15:55:12 +0000 chunk="6083c037d2f85b70a8f464156a75b22d" error_class=OpenSSL::SSL::SSLError error="SSL_connect returned=1 errno=0 peeraddr=172.18.0.4:8443 state=error: tlsv1 alert protocol version"

Is there any way to get it working with TLS 1.3?

I'm using the Fluentd v1.16.2-1.0 Docker image.

ashie commented Oct 23, 2023

Hmm, the current out_http implementation doesn't seem able to set TLSv1.3 because it doesn't use Fluent::TLS:#set_version_to_context; it passes the version string directly to Net::HTTP#start:

      opt[:ssl_version] = @tls_version

      res = if @proxy_uri
              Net::HTTP.start(uri.host, uri.port, @proxy_uri.host, @proxy_uri.port, @proxy_uri.user, @proxy_uri.password, @http_opt) { |http|
                http.request(req)
              }
            else
              Net::HTTP.start(uri.host, uri.port, @http_opt) { |http|
                http.request(req)
              }
            end

and it still uses the deprecated method ssl_version:
https://github.com/ruby/openssl/blob/f948e6bbd371046b880be50b9613fca110dbd27a/lib/openssl/ssl.rb#L209-L231

      def ssl_version=(meth)
        meth = meth.to_s if meth.is_a?(Symbol)
        if /(?<type>_client|_server)\z/ =~ meth
          meth = $`
          if $VERBOSE
            warn "#{caller(1, 1)[0]}: method type #{type.inspect} is ignored"
          end
        end
        version = METHODS_MAP[meth.intern] or
          raise ArgumentError, "unknown SSL method `%s'" % meth
        set_minmax_proto_version(version, version)
        @min_proto_version = @max_proto_version = version
      end

      METHODS_MAP = {
        SSLv23: 0,
        SSLv2: OpenSSL::SSL::SSL2_VERSION,
        SSLv3: OpenSSL::SSL::SSL3_VERSION,
        TLSv1: OpenSSL::SSL::TLS1_VERSION,
        TLSv1_1: OpenSSL::SSL::TLS1_1_VERSION,
        TLSv1_2: OpenSSL::SSL::TLS1_2_VERSION,
      }.freeze
      private_constant :METHODS_MAP

We should fix this.
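The following is an added example illustrating both the failure reported in the original post and the fix direction proposed in the comment above; it is not Fluentd's code nor the ruby/openssl library's. It reproduces offline why `ssl_version = "TLSv1_3"` raises `ArgumentError` (the private METHODS_MAP quoted above stops at `TLSv1_2`), and shows the replacement: map the `tls_version` string to the numeric `OpenSSL::SSL::TLS1_*_VERSION` constant and pin it through `min_version`/`max_version`, which is what `set_minmax_proto_version` does underneath and which `Net::HTTP.start` also accepts as option keys. The `TLS_VERSION_MAP` table, the helper names, and the `verify:` keyword are assumptions made for the example; the endpoint URL is the one from the reported configuration and no connection is opened.

```ruby
require 'openssl'
require 'net/http'
require 'uri'

# Assumed mapping (not Fluentd's own table) from the strings the tls_version
# parameter uses to the numeric protocol constants SSLContext understands.
TLS_VERSION_MAP = {
  'TLSv1'   => OpenSSL::SSL::TLS1_VERSION,
  'TLSv1_1' => OpenSSL::SSL::TLS1_1_VERSION,
  'TLSv1_2' => OpenSSL::SSL::TLS1_2_VERSION,
}
# TLS1_3_VERSION is only defined when the linked libssl supports TLS 1.3
# (OpenSSL 1.1.1 or later), so add it conditionally.
if OpenSSL::SSL.const_defined?(:TLS1_3_VERSION)
  TLS_VERSION_MAP['TLSv1_3'] = OpenSSL::SSL::TLS1_3_VERSION
end
TLS_VERSION_MAP.freeze

# Resolves a tls_version string; unknown names fail loudly at configuration
# time instead of surfacing later as a handshake error.
def tls_version_constant(name)
  TLS_VERSION_MAP.fetch(name.to_s) do
    raise ArgumentError, "unsupported TLS version #{name.inspect} " \
                         "(known: #{TLS_VERSION_MAP.keys.join(', ')})"
  end
end

# The path out_http takes today: ssl_version= consults ruby/openssl's private
# METHODS_MAP, which has no TLSv1_3 entry, so that string raises ArgumentError.
def legacy_ssl_version_accepts?(name)
  OpenSSL::SSL::SSLContext.new.ssl_version = name
  true
rescue ArgumentError
  false
end

# The replacement: pin both ends of the negotiable range with the numeric
# constant via min_version=/max_version= (set_minmax_proto_version underneath).
def context_accepts_version?(name)
  version = tls_version_constant(name)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = version
  ctx.max_version = version
  true
rescue ArgumentError, OpenSSL::SSL::SSLError
  false
end

# Option hash in the shape Net::HTTP.start consumes, using the min_version/
# max_version keys instead of the deprecated ssl_version key.
# verify: false mirrors `tls_verify_mode none` from the report; it disables
# certificate validation entirely and should stay true outside of a test bench.
def http_ssl_options(tls_version, verify: true)
  version = tls_version_constant(tls_version)
  {
    use_ssl: true,
    min_version: version,
    max_version: version,
    verify_mode: verify ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE,
  }
end

# Applies the options the same way Net::HTTP.start does (opt[:key] -> http.key=)
# but does not open a socket, so the configured object can be inspected offline.
def configure_http(uri, tls_version, verify: true)
  http = Net::HTTP.new(uri.host, uri.port)
  http_ssl_options(tls_version, verify: verify).each do |key, value|
    http.public_send("#{key}=", value)
  end
  http
end

if __FILE__ == $PROGRAM_NAME
  endpoint = URI('https://haproxy:8443/data/logs') # endpoint from the reported config
  puts "ssl_version= accepts TLSv1_3?        #{legacy_ssl_version_accepts?('TLSv1_3')}"
  if TLS_VERSION_MAP.key?('TLSv1_3')
    puts "min/max_version accept TLSv1_3?     #{context_accepts_version?('TLSv1_3')}"
    http = configure_http(endpoint, 'TLSv1_3', verify: false)
    puts "Net::HTTP min=#{http.min_version} max=#{http.max_version} use_ssl=#{http.use_ssl?}"
    # To actually send: http.start { |h| h.request(Net::HTTP::Post.new(endpoint.path)) }
  else
    puts 'this Ruby/OpenSSL build has no TLS1_3_VERSION constant'
  end
end
```

Pinning `min_version` and `max_version` to the same value reproduces the exact-version semantics the old `ssl_version=` had; if only the floor matters, set `min_version` alone and leave `max_version` unset so the client can still negotiate anything newer the server offers.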

@ashie ashie self-assigned this Oct 23, 2023
@ashie ashie added this to the v1.17.0 milestone Oct 23, 2023
@ashie ashie removed the enhancement label Oct 23, 2023
@ashie ashie removed this from the v1.17.0 milestone Oct 23, 2023