fluentd 1.9.0-x64-mingw32 → 1.9.1-x64-mingw32

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of fluentd might be problematic. Click here for more details.

Files changed (47) hide show
  1. checksums.yaml +4 -4
  2. data/.github/PULL_REQUEST_TEMPLATE.md +2 -1
  3. data/CHANGELOG.md +24 -0
  4. data/Gemfile +0 -2
  5. data/appveyor.yml +5 -14
  6. data/fluentd.gemspec +2 -1
  7. data/lib/fluent/config/section.rb +4 -0
  8. data/lib/fluent/plugin/in_monitor_agent.rb +1 -1
  9. data/lib/fluent/plugin/in_tail.rb +12 -139
  10. data/lib/fluent/plugin/in_tail/position_file.rb +171 -0
  11. data/lib/fluent/plugin/out_forward.rb +3 -2
  12. data/lib/fluent/plugin/out_http.rb +10 -4
  13. data/lib/fluent/plugin/output.rb +1 -1
  14. data/lib/fluent/plugin/parser_syslog.rb +5 -2
  15. data/lib/fluent/plugin_helper/cert_option.rb +5 -2
  16. data/lib/fluent/plugin_helper/http_server.rb +62 -2
  17. data/lib/fluent/plugin_helper/http_server/compat/server.rb +14 -3
  18. data/lib/fluent/plugin_helper/http_server/compat/ssl_context_extractor.rb +52 -0
  19. data/lib/fluent/plugin_helper/http_server/server.rb +14 -8
  20. data/lib/fluent/plugin_helper/http_server/ssl_context_builder.rb +41 -0
  21. data/lib/fluent/plugin_helper/server.rb +5 -10
  22. data/lib/fluent/plugin_helper/socket.rb +4 -8
  23. data/lib/fluent/tls.rb +81 -0
  24. data/lib/fluent/version.rb +1 -1
  25. data/test/config/test_section.rb +0 -2
  26. data/test/plugin/in_tail/test_position_file.rb +192 -0
  27. data/test/plugin/test_in_tail.rb +13 -0
  28. data/test/plugin/test_out_http.rb +15 -2
  29. data/test/plugin/test_output_as_buffered_backup.rb +2 -1
  30. data/test/plugin/test_parser_syslog.rb +36 -0
  31. data/test/plugin_helper/data/cert/generate_cert.rb +87 -0
  32. data/test/plugin_helper/data/cert/with_ca/ca-cert-key-pass.pem +30 -0
  33. data/test/plugin_helper/data/cert/with_ca/ca-cert-key.pem +27 -0
  34. data/test/plugin_helper/data/cert/with_ca/ca-cert-pass.pem +20 -0
  35. data/test/plugin_helper/data/cert/with_ca/ca-cert.pem +20 -0
  36. data/test/plugin_helper/data/cert/with_ca/cert-key-pass.pem +30 -0
  37. data/test/plugin_helper/data/cert/with_ca/cert-key.pem +27 -0
  38. data/test/plugin_helper/data/cert/with_ca/cert-pass.pem +21 -0
  39. data/test/plugin_helper/data/cert/with_ca/cert.pem +21 -0
  40. data/test/plugin_helper/data/cert/without_ca/cert-key-pass.pem +30 -0
  41. data/test/plugin_helper/data/cert/without_ca/cert-key.pem +27 -0
  42. data/test/plugin_helper/data/cert/without_ca/cert-pass.pem +20 -0
  43. data/test/plugin_helper/data/cert/without_ca/cert.pem +20 -0
  44. data/test/plugin_helper/test_http_server_helper.rb +168 -7
  45. data/test/plugin_helper/test_server.rb +40 -9
  46. data/test/test_tls.rb +65 -0
  47. metadata +52 -4
@@ -17,6 +17,7 @@
17
17
  require 'fluent/output'
18
18
  require 'fluent/config/error'
19
19
  require 'fluent/clock'
20
+ require 'fluent/tls'
20
21
  require 'base64'
21
22
  require 'forwardable'
22
23
 
@@ -89,9 +90,9 @@ module Fluent::Plugin
89
90
  config_param :compress, :enum, list: [:text, :gzip], default: :text
90
91
 
91
92
  desc 'The default version of TLS transport.'
92
- config_param :tls_version, :enum, list: Fluent::PluginHelper::Socket::TLS_SUPPORTED_VERSIONS, default: Fluent::PluginHelper::Socket::TLS_DEFAULT_VERSION
93
+ config_param :tls_version, :enum, list: Fluent::TLS::SUPPORTED_VERSIONS, default: Fluent::TLS::DEFAULT_VERSION
93
94
  desc 'The cipher configuration of TLS transport.'
94
- config_param :tls_ciphers, :string, default: Fluent::PluginHelper::Socket::CIPHERS_DEFAULT
95
+ config_param :tls_ciphers, :string, default: Fluent::TLS::CIPHERS_DEFAULT
95
96
  desc 'Skip all verification of certificates or not.'
96
97
  config_param :tls_insecure_mode, :bool, default: false
97
98
  desc 'Allow self signed certificates or not.'
@@ -17,6 +17,7 @@
17
17
  require 'net/http'
18
18
  require 'uri'
19
19
  require 'openssl'
20
+ require 'fluent/tls'
20
21
  require 'fluent/plugin/output'
21
22
  require 'fluent/plugin_helper/socket'
22
23
 
@@ -57,14 +58,14 @@ module Fluent::Plugin
57
58
  desc 'The verify mode of TLS'
58
59
  config_param :tls_verify_mode, :enum, list: [:none, :peer], default: :peer
59
60
  desc 'The default version of TLS'
60
- config_param :tls_version, :enum, list: Fluent::PluginHelper::Socket::TLS_SUPPORTED_VERSIONS, default: Fluent::PluginHelper::Socket::TLS_DEFAULT_VERSION
61
+ config_param :tls_version, :enum, list: Fluent::TLS::SUPPORTED_VERSIONS, default: Fluent::TLS::DEFAULT_VERSION
61
62
  desc 'The cipher configuration of TLS'
62
- config_param :tls_ciphers, :string, default: Fluent::PluginHelper::Socket::CIPHERS_DEFAULT
63
+ config_param :tls_ciphers, :string, default: Fluent::TLS::CIPHERS_DEFAULT
63
64
 
64
65
  desc 'Raise UnrecoverableError when the response is non success, 4xx/5xx'
65
66
  config_param :error_response_as_unrecoverable, :bool, default: true
66
67
  desc 'The list of retryable response code'
67
- config_param :retryable_response_codes, :array, value_type: :integer, default: [503]
68
+ config_param :retryable_response_codes, :array, value_type: :integer, default: nil
68
69
 
69
70
  config_section :format do
70
71
  config_set_default :@type, 'json'
@@ -90,6 +91,11 @@ module Fluent::Plugin
90
91
  def configure(conf)
91
92
  super
92
93
 
94
+ if @retryable_response_codes.nil?
95
+ log.warn('Status code 503 is going to be removed from default `retryable_response_codes` from fluentd v2. Please add it by yourself if you wish')
96
+ @retryable_response_codes = [503]
97
+ end
98
+
93
99
  @http_opt = setup_http_option
94
100
  @proxy_uri = URI.parse(@proxy) if @proxy
95
101
  @formatter = formatter_create
@@ -172,7 +178,7 @@ module Fluent::Plugin
172
178
  end
173
179
 
174
180
  def parse_endpoint(chunk)
175
- endpoint = extract_placeholders(@endpoint, chunk)
181
+ endpoint = extract_placeholders(@endpoint, chunk)
176
182
  URI.parse(endpoint)
177
183
  end
178
184
 
@@ -1091,7 +1091,7 @@ module Fluent
1091
1091
  end
1092
1092
  end
1093
1093
 
1094
- UNRECOVERABLE_ERRORS = [Fluent::UnrecoverableError, TypeError, ArgumentError, NoMethodError, MessagePack::UnpackError]
1094
+ UNRECOVERABLE_ERRORS = [Fluent::UnrecoverableError, TypeError, ArgumentError, NoMethodError, MessagePack::UnpackError, EncodingError]
1095
1095
 
1096
1096
  def try_flush
1097
1097
  chunk = @buffer.dequeue_chunk
@@ -27,8 +27,8 @@ module Fluent
27
27
  REGEXP = /^(?<time>[^ ]*\s*[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[^ :\[]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/
28
28
  # From in_syslog default pattern
29
29
  REGEXP_WITH_PRI = /^\<(?<pri>[0-9]+)\>(?<time>[^ ]* {1,2}[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[^ :\[]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/
30
- REGEXP_RFC5424 = /\A^(?<time>[^ ]+) (?<host>[!-~]{1,255}) (?<ident>[!-~]{1,48}) (?<pid>[!-~]{1,128}) (?<msgid>[!-~]{1,32}) (?<extradata>(?:\-|\[(.*)\]))(?: (?<message>.+))?$\z/
31
- REGEXP_RFC5424_WITH_PRI = /\A^\<(?<pri>[0-9]{1,3})\>[1-9]\d{0,2} (?<time>[^ ]+) (?<host>[!-~]{1,255}) (?<ident>[!-~]{1,48}) (?<pid>[!-~]{1,128}) (?<msgid>[!-~]{1,32}) (?<extradata>(?:\-|\[(.*)\]))(?: (?<message>.+))?$\z/
30
+ REGEXP_RFC5424 = /\A(?<time>[^ ]+) (?<host>[!-~]{1,255}) (?<ident>[!-~]{1,48}) (?<pid>[!-~]{1,128}) (?<msgid>[!-~]{1,32}) (?<extradata>(?:\-|\[(.*)\]))(?: (?<message>.+))?\z/m
31
+ REGEXP_RFC5424_WITH_PRI = /\A\<(?<pri>[0-9]{1,3})\>[1-9]\d{0,2} (?<time>[^ ]+) (?<host>[!-~]{1,255}) (?<ident>[!-~]{1,48}) (?<pid>[!-~]{1,128}) (?<msgid>[!-~]{1,32}) (?<extradata>(?:\-|\[(.*)\]))(?: (?<message>.+))?\z/m
32
32
  REGEXP_DETECT_RFC5424 = /^\<.*\>[1-9]\d{0,2}/
33
33
 
34
34
  config_set_default :time_format, "%b %d %H:%M:%S"
@@ -141,6 +141,9 @@ module Fluent
141
141
  end
142
142
  end
143
143
  record[name] = value if @keep_time_key
144
+ when "message"
145
+ value.chomp!
146
+ record[name] = value
144
147
  else
145
148
  record[name] = value
146
149
  end
@@ -17,14 +17,16 @@
17
17
  require 'openssl'
18
18
  require 'socket'
19
19
 
20
- # this module is only for Socket/Server plugin helpers
20
+ require 'fluent/tls'
21
+
22
+ # this module is only for Socket/Server/HttpServer plugin helpers
21
23
  module Fluent
22
24
  module PluginHelper
23
25
  module CertOption
24
26
  def cert_option_create_context(version, insecure, ciphers, conf)
25
27
  cert, key, extra = cert_option_server_validate!(conf)
26
28
 
27
- ctx = OpenSSL::SSL::SSLContext.new(version)
29
+ ctx = OpenSSL::SSL::SSLContext.new
28
30
  unless insecure
29
31
  # inject OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
30
32
  # https://bugs.ruby-lang.org/issues/9424
@@ -43,6 +45,7 @@ module Fluent
43
45
  if extra && !extra.empty?
44
46
  ctx.extra_chain_cert = extra
45
47
  end
48
+ Fluent::TLS.set_version_to_context(ctx, version, conf.min_version, conf.max_version)
46
49
 
47
50
  ctx
48
51
  end
@@ -23,27 +23,77 @@ rescue LoadError => _
23
23
  end
24
24
 
25
25
  require 'fluent/plugin_helper/thread'
26
+ require 'fluent/plugin_helper/server' # For Server::ServerTransportParams
27
+ require 'fluent/plugin_helper/http_server/ssl_context_builder'
26
28
 
27
29
  module Fluent
28
30
  module PluginHelper
29
31
  module HttpServer
30
32
  include Fluent::PluginHelper::Thread
33
+ include Fluent::Configurable
34
+
31
35
  # stop : stop http server and mark callback thread as stopped
32
36
  # shutdown : [-]
33
37
  # close : correct stopped threads
34
38
  # terminate: kill thread
35
39
 
40
+ def self.included(mod)
41
+ mod.include Fluent::PluginHelper::Server::ServerTransportParams
42
+ end
43
+
44
+ def initialize(*)
45
+ super
46
+ @_http_server = nil
47
+ end
48
+
49
+ def create_http_server(title, addr:, port:, logger:, default_app: nil, proto: nil, tls_opts: nil, &block)
50
+ logger.warn('this method is deprecated. Use #http_server_create_http_server instead')
51
+ http_server_create_http_server(title, addr: addr, port: port, logger: logger, default_app: default_app, proto: proto, tls_opts: tls_opts, &block)
52
+ end
53
+
36
54
  # @param title [Symbol] the thread name. this value should be unique.
37
55
  # @param addr [String] Listen address
38
56
  # @param port [String] Listen port
39
57
  # @param logger [Logger] logger used in this server
40
58
  # @param default_app [Object] This method must have #call.
41
- def create_http_server(title, addr:, port:, logger:, default_app: nil)
59
+ # @param proto [Symbol] :tls or :tcp
60
+ # @param tls_opts [Hash] options for TLS.
61
+ def http_server_create_http_server(title, addr:, port:, logger:, default_app: nil, proto: nil, tls_opts: nil, &block)
42
62
  unless block_given?
43
63
  raise ArgumentError, 'BUG: callback not specified'
44
64
  end
45
65
 
46
- @_http_server = HttpServer::Server.new(addr: addr, port: port, logger: logger, default_app: default_app) do |serv|
66
+ if proto == :tls || (@transport_config && @transport_config.protocol == :tls)
67
+ http_server_create_https_server(title, addr: addr, port: port, logger: logger, default_app: default_app, tls_opts: tls_opts, &block)
68
+ else
69
+ @_http_server = HttpServer::Server.new(addr: addr, port: port, logger: logger, default_app: default_app) do |serv|
70
+ yield(serv)
71
+ end
72
+
73
+ _block_until_http_server_start do |notify|
74
+ thread_create(title) do
75
+ @_http_server.start(notify)
76
+ end
77
+ end
78
+ end
79
+ end
80
+
81
+ # @param title [Symbol] the thread name. this value should be unique.
82
+ # @param addr [String] Listen address
83
+ # @param port [String] Listen port
84
+ # @param logger [Logger] logger used in this server
85
+ # @param default_app [Object] This method must have #call.
86
+ # @param tls_opts [Hash] options for TLS.
87
+ def http_server_create_https_server(title, addr:, port:, logger:, default_app: nil, tls_opts: nil)
88
+ topt =
89
+ if tls_opts
90
+ _http_server_overwrite_config(@transport_config, tls_opts)
91
+ else
92
+ @transport_config
93
+ end
94
+ ctx = Fluent::PluginHelper::HttpServer::SSLContextBuilder.new($log).build(topt)
95
+
96
+ @_http_server = HttpServer::Server.new(addr: addr, port: port, logger: logger, default_app: default_app, tls_context: ctx) do |serv|
47
97
  yield(serv)
48
98
  end
49
99
 
@@ -64,6 +114,16 @@ module Fluent
64
114
 
65
115
  private
66
116
 
117
+ def _http_server_overwrite_config(config, opts)
118
+ conf = config.dup
119
+ Fluent::PluginHelper::Server::SERVER_TRANSPORT_PARAMS.map(&:to_s).each do |param|
120
+ if opts.key?(param)
121
+ conf[param] = opts[param]
122
+ end
123
+ end
124
+ conf
125
+ end
126
+
67
127
  # To block until server is ready to listen
68
128
  def _block_until_http_server_start
69
129
  que = Queue.new
@@ -16,6 +16,7 @@
16
16
 
17
17
  require 'fluent/plugin_helper/http_server/methods'
18
18
  require 'fluent/plugin_helper/http_server/compat/webrick_handler'
19
+ require 'fluent/plugin_helper/http_server/compat/ssl_context_extractor'
19
20
 
20
21
  module Fluent
21
22
  module PluginHelper
@@ -24,16 +25,26 @@ module Fluent
24
25
  class Server
25
26
  # @param logger [Logger]
26
27
  # @param default_app [Object] ignored option. only for compat
27
- def initialize(addr:, port:, logger:, default_app: nil)
28
+ # @param tls_context [OpenSSL::SSL::SSLContext]
29
+ def initialize(addr:, port:, logger:, default_app: nil, tls_context: nil)
28
30
  @addr = addr
29
31
  @port = port
30
32
  @logger = logger
31
- @server = WEBrick::HTTPServer.new(
33
+
34
+ config = {
32
35
  BindAddress: @addr,
33
36
  Port: @port,
34
37
  Logger: WEBrick::Log.new(STDERR, WEBrick::Log::FATAL),
35
38
  AccessLog: [],
36
- )
39
+ }
40
+ if tls_context
41
+ require 'webrick/https'
42
+ @logger.warn('Webrick ignores given TLS version')
43
+ tls_opt = Fluent::PluginHelper::HttpServer::Compat::SSLContextExtractor.extract(tls_context)
44
+ config = tls_opt.merge(**config)
45
+ end
46
+
47
+ @server = WEBrick::HTTPServer.new(config)
37
48
 
38
49
  # @example ["/example.json", :get, handler object]
39
50
  @methods = []
@@ -0,0 +1,52 @@
1
+ #
2
+ # Fluentd
3
+ #
4
+ # Licensed under the Apache License, Version 2.0 (the "License");
5
+ # you may not use this file except in compliance with the License.
6
+ # You may obtain a copy of the License at
7
+ #
8
+ # http://www.apache.org/licenses/LICENSE-2.0
9
+ #
10
+ # Unless required by applicable law or agreed to in writing, software
11
+ # distributed under the License is distributed on an "AS IS" BASIS,
12
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
+ # See the License for the specific language governing permissions and
14
+ # limitations under the License.
15
+ #
16
+
17
+ module Fluent
18
+ module PluginHelper
19
+ module HttpServer
20
+ module Compat
21
+ # This class converts OpenSSL::SSL::SSLContext to Webrick SSL Config because webrick does not have interface to pass OpenSSL::SSL::SSLContext directory
22
+ # https://github.com/ruby/webrick/blob/v1.6.0/lib/webrick/ssl.rb#L67-L88
23
+ class SSLContextExtractor
24
+
25
+ #
26
+ # memo: https://github.com/ruby/webrick/blob/v1.6.0/lib/webrick/ssl.rb#L180-L205
27
+ # @param ctx [OpenSSL::SSL::SSLContext]
28
+ def self.extract(ctx)
29
+ {
30
+ SSLEnable: true,
31
+ SSLPrivateKey: ctx.key,
32
+ SSLCertificate: ctx.cert,
33
+ SSLClientCA: ctx.client_ca,
34
+ SSLExtraChainCert: ctx.extra_chain_cert,
35
+ SSLCACertificateFile: ctx.ca_file,
36
+ SSLCACertificatePath: ctx.ca_path,
37
+ SSLCertificateStore: ctx.cert_store,
38
+ SSLTmpDhCallback: ctx.tmp_dh_callback,
39
+ SSLVerifyClient: ctx.verify_mode,
40
+ SSLVerifyDepth: ctx.verify_depth,
41
+ SSLVerifyCallback: ctx.verify_callback,
42
+ SSLServerNameCallback: ctx.servername_cb,
43
+ SSLTimeout: ctx.timeout,
44
+ SSLOptions: ctx.options,
45
+ SSLCiphers: ctx.ciphers,
46
+ }
47
+ end
48
+ end
49
+ end
50
+ end
51
+ end
52
+ end
@@ -26,20 +26,26 @@ module Fluent
26
26
  module PluginHelper
27
27
  module HttpServer
28
28
  class Server
29
+ # @param logger [Logger]
29
30
  # @param default_app [Object] This method must have #call.
30
- def initialize(addr:, port:, logger:, default_app: nil)
31
+ # @param tls_context [OpenSSL::SSL::SSLContext]
32
+ def initialize(addr:, port:, logger:, default_app: nil, tls_context: nil)
31
33
  @addr = addr
32
34
  @port = port
33
35
  @logger = logger
34
36
 
35
- # TODO: support https and http2
36
- @uri = URI("http://#{@addr}:#{@port}").to_s
37
+ # TODO: support http2
38
+ scheme = tls_context ? 'https' : 'http'
39
+ @uri = URI("#{scheme}://#{@addr}:#{@port}").to_s
37
40
  @router = Router.new(default_app)
38
- @reactor = Async::Reactor.new
39
- @server = Async::HTTP::Server.new(
40
- App.new(@router, @logger),
41
- Async::HTTP::Endpoint.parse(@uri)
42
- )
41
+ @reactor = Async::Reactor.new(nil, logger: @logger)
42
+
43
+ opts = if tls_context
44
+ { ssl_context: tls_context }
45
+ else
46
+ {}
47
+ end
48
+ @server = Async::HTTP::Server.new(App.new(@router, @logger), Async::HTTP::Endpoint.parse(@uri, **opts))
43
49
 
44
50
  if block_given?
45
51
  yield(self)
@@ -0,0 +1,41 @@
1
+ #
2
+ # Fluentd
3
+ #
4
+ # Licensed under the Apache License, Version 2.0 (the "License");
5
+ # you may not use this file except in compliance with the License.
6
+ # You may obtain a copy of the License at
7
+ #
8
+ # http://www.apache.org/licenses/LICENSE-2.0
9
+ #
10
+ # Unless required by applicable law or agreed to in writing, software
11
+ # distributed under the License is distributed on an "AS IS" BASIS,
12
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
+ # See the License for the specific language governing permissions and
14
+ # limitations under the License.
15
+ #
16
+
17
+ require 'fluent/plugin_helper/cert_option'
18
+
19
+ module Fluent
20
+ module PluginHelper
21
+ module HttpServer
22
+ # In order not to expose CertOption's methods unnecessary
23
+ class SSLContextBuilder
24
+ include Fluent::PluginHelper::CertOption
25
+
26
+ def initialize(log)
27
+ @log = log
28
+ end
29
+
30
+ # @param config [Fluent::Config::Section] @transport_config
31
+ def build(config)
32
+ cert_option_create_context(config.version, config.insecure, config.ciphers, config)
33
+ end
34
+
35
+ private
36
+
37
+ attr_reader :log
38
+ end
39
+ end
40
+ end
41
+ end
@@ -240,7 +240,7 @@ module Fluent
240
240
  end
241
241
 
242
242
  SERVER_TRANSPORT_PARAMS = [
243
- :protocol, :version, :ciphers, :insecure,
243
+ :protocol, :version, :min_version, :max_version, :ciphers, :insecure,
244
244
  :ca_path, :cert_path, :private_key_path, :private_key_passphrase, :client_cert_auth,
245
245
  :ca_cert_path, :ca_private_key_path, :ca_private_key_passphrase,
246
246
  :generate_private_key_length,
@@ -260,18 +260,13 @@ module Fluent
260
260
  end
261
261
 
262
262
  module ServerTransportParams
263
- TLS_DEFAULT_VERSION = :'TLSv1_2'
264
- TLS_SUPPORTED_VERSIONS = [:'TLSv1_1', :'TLSv1_2']
265
- ### follow httpclient configuration by nahi
266
- # OpenSSL 0.9.8 default: "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH"
267
- CIPHERS_DEFAULT = "ALL:!aNULL:!eNULL:!SSLv2" # OpenSSL >1.0.0 default
268
-
269
263
  include Fluent::Configurable
270
264
  config_section :transport, required: false, multi: false, init: true, param_name: :transport_config do
271
265
  config_argument :protocol, :enum, list: [:tcp, :tls], default: :tcp
272
- config_param :version, :enum, list: TLS_SUPPORTED_VERSIONS, default: TLS_DEFAULT_VERSION
273
-
274
- config_param :ciphers, :string, default: CIPHERS_DEFAULT
266
+ config_param :version, :enum, list: Fluent::TLS::SUPPORTED_VERSIONS, default: Fluent::TLS::DEFAULT_VERSION
267
+ config_param :min_version, :enum, list: Fluent::TLS::SUPPORTED_VERSIONS, default: nil
268
+ config_param :max_version, :enum, list: Fluent::TLS::SUPPORTED_VERSIONS, default: nil
269
+ config_param :ciphers, :string, default: Fluent::TLS::CIPHERS_DEFAULT
275
270
  config_param :insecure, :bool, default: false
276
271
 
277
272
  # Cert signed by public CA
@@ -21,6 +21,7 @@ if Fluent.windows?
21
21
  require 'certstore'
22
22
  end
23
23
 
24
+ require 'fluent/tls'
24
25
  require_relative 'socket_option'
25
26
 
26
27
  module Fluent
@@ -33,12 +34,6 @@ module Fluent
33
34
 
34
35
  include Fluent::PluginHelper::SocketOption
35
36
 
36
- TLS_DEFAULT_VERSION = :'TLSv1_2'
37
- TLS_SUPPORTED_VERSIONS = [:'TLSv1_1', :'TLSv1_2']
38
- ### follow httpclient configuration by nahi
39
- # OpenSSL 0.9.8 default: "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH"
40
- CIPHERS_DEFAULT = "ALL:!aNULL:!eNULL:!SSLv2" # OpenSSL >1.0.0 default
41
-
42
37
  attr_reader :_sockets # for tests
43
38
 
44
39
  # TODO: implement connection pool for specified host
@@ -97,7 +92,7 @@ module Fluent
97
92
 
98
93
  def socket_create_tls(
99
94
  host, port,
100
- version: TLS_DEFAULT_VERSION, ciphers: CIPHERS_DEFAULT, insecure: false, verify_fqdn: true, fqdn: nil,
95
+ version: Fluent::TLS::DEFAULT_VERSION, min_version: nil, max_version: nil, ciphers: Fluent::TLS::CIPHERS_DEFAULT, insecure: false, verify_fqdn: true, fqdn: nil,
101
96
  enable_system_cert_store: true, allow_self_signed_cert: false, cert_paths: nil,
102
97
  cert_path: nil, private_key_path: nil, private_key_passphrase: nil,
103
98
  cert_thumbprint: nil, cert_logical_store_name: nil, cert_use_enterprise_store: true,
@@ -106,7 +101,7 @@ module Fluent
106
101
  host_is_ipaddress = IPAddr.new(host) rescue false
107
102
  fqdn ||= host unless host_is_ipaddress
108
103
 
109
- context = OpenSSL::SSL::SSLContext.new(version)
104
+ context = OpenSSL::SSL::SSLContext.new
110
105
 
111
106
  if insecure
112
107
  log.trace "setting TLS verify_mode NONE"
@@ -154,6 +149,7 @@ module Fluent
154
149
  context.cert = OpenSSL::X509::Certificate.new(File.read(cert_path)) if cert_path
155
150
  context.key = OpenSSL::PKey::read(File.read(private_key_path), private_key_passphrase) if private_key_path
156
151
  end
152
+ Fluent::TLS.set_version_to_context(context, version, min_version, max_version)
157
153
 
158
154
  tcpsock = socket_create_tcp(host, port, **kwargs)
159
155
  sock = WrappedSocket::TLS.new(tcpsock, context)