Open ashie opened 11 months ago
Hmm, current `out_http` implementation doesn't seem able to set TLSv1.3 because it doesn't use `Fluent::TLS:#set_version_to_context`, it passes the version string directly to `Net::HTTP#start`:

https://github.com/fluent/fluentd/blob/dd1a6e59b059af3d2e84a1c10be7a2baf637a748/lib/fluent/plugin/out_http.rb#L207
https://github.com/fluent/fluentd/blob/dd1a6e59b059af3d2e84a1c10be7a2baf637a748/lib/fluent/plugin/out_http.rb#L248-L256

and it still uses deprecated method `ssl_version`:

https://github.com/ruby/openssl/blob/f948e6bbd371046b880be50b9613fca110dbd27a/lib/openssl/ssl.rb#L209-L231
```ruby
def ssl_version=(meth)
  meth = meth.to_s if meth.is_a?(Symbol)
  if /(?<type>_client|_server)\z/ =~ meth
    meth = $`
    if $VERBOSE
      warn "#{caller(1, 1)[0]}: method type #{type.inspect} is ignored"
    end
  end
  version = METHODS_MAP[meth.intern] or
    raise ArgumentError, "unknown SSL method `%s'" % meth
  set_minmax_proto_version(version, version)
  @min_proto_version = @max_proto_version = version
end

METHODS_MAP = {
  SSLv23: 0,
  SSLv2: OpenSSL::SSL::SSL2_VERSION,
  SSLv3: OpenSSL::SSL::SSL3_VERSION,
  TLSv1: OpenSSL::SSL::TLS1_VERSION,
  TLSv1_1: OpenSSL::SSL::TLS1_1_VERSION,
  TLSv1_2: OpenSSL::SSL::TLS1_2_VERSION,
}.freeze
private_constant :METHODS_MAP
```
We should fix this.
Discussed in https://github.com/fluent/fluentd/discussions/4329
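
The gap described in this issue, as an added example that is not Fluentd's or ruby/openssl's own code: the deprecated `ssl_version=` setter rejects `TLSv1_3` because the name is missing from `METHODS_MAP`, while the `min_version`/`max_version` setters on `OpenSSL::SSL::SSLContext` and `Net::HTTP` accept it. The helper names, the `TLS_VERSIONS` table and the host `logs.example.test` are assumptions made for this illustration.

```ruby
require "openssl"
require "net/http"

# Config-style names mapped to OpenSSL protocol constants. This table is an
# assumption for the example; unlike METHODS_MAP it includes TLSv1_3.
TLS_VERSIONS = {
  TLSv1_1: OpenSSL::SSL::TLS1_1_VERSION,
  TLSv1_2: OpenSSL::SSL::TLS1_2_VERSION,
  TLSv1_3: OpenSSL::SSL::TLS1_3_VERSION,
}.freeze

# Resolve a configured name (String or Symbol); unknown names fail loudly.
def tls_constant(name)
  TLS_VERSIONS.fetch(name.to_sym) do
    raise ArgumentError, "unsupported TLS version: #{name.inspect}"
  end
end

# Legacy path: true only if the deprecated SSLContext#ssl_version= accepts
# the name. ArgumentError means the name is not in METHODS_MAP.
def legacy_ssl_version_accepts?(name)
  OpenSSL::SSL::SSLContext.new.ssl_version = name
  true
rescue ArgumentError, NoMethodError
  false
end

# Range-based path on a bare context: pin exactly one protocol version.
def pinned_context(name)
  version = tls_constant(name)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = version
  ctx.max_version = version
  ctx
end

# Range-based path on Net::HTTP, which passes min_version/max_version to
# its SSLContext when the connection starts. No connection is opened here.
def build_https_client(host, port, min:, max: nil)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.min_version = tls_constant(min)
  http.max_version = tls_constant(max) if max
  http
end
```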