
TLS 1.3 support in http output plugin

Open: ashie opened this issue 8 months ago • 1 comment

Discussed in https://github.com/fluent/fluentd/discussions/4329

Originally posted by mikakatua October 22, 2023

I'm trying to use fluentd to send logs to an HTTP endpoint. This endpoint only supports TLS 1.3.

My configuration is as follows:

```
<source>
  @type forward
  @label @mainstream
  port 24224
  bind 0.0.0.0
</source>

<label @mainstream>
  <match **>
    @type http
    endpoint https://haproxy:8443/data/logs
    tls_verify_mode none
    tls_version TLSv1_3
    <format>
      @type json
    </format>
    json_array true
    <buffer>
      flush_interval 2s
    </buffer>
  </match>
</label>
```

This does not work. I get the error:

```
[warn]: #0 got unrecoverable error in primary and no secondary error_class=ArgumentError error="unknown SSL method `TLSv1_3'"
```

Looking at the http output documentation, it looks like the max version is TLS 1.2. I have verified that it works when removing the tls_version parameter and downgrading the SSL configuration of the endpoint to support TLS 1.2.

If I remove the tls_version parameter without downgrading the endpoint, the error is:

```
[warn]: #0 failed to flush the buffer. retry_times=0 next_retry_time=2023-10-21 15:55:12 +0000 chunk="6083c037d2f85b70a8f464156a75b22d" error_class=OpenSSL::SSL::SSLError error="SSL_connect returned=1 errno=0 peeraddr=172.18.0.4:8443 state=error: tlsv1 alert protocol version"
```

Is there any way to get it working with TLS 1.3?

I'm using the Fluentd v1.16.2-1.0 Docker image.

ashie, Oct 23 '23 01:10
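Both errors quoted in the post can be reproduced against Ruby's OpenSSL binding alone: the `ArgumentError` text is what `SSLContext#ssl_version=` raises for a method name it does not know, and the protocol-version alert is what a client capped at TLS 1.2 receives from a TLS 1.3-only peer. The following is an added example, not code from the issue or from Fluentd; the helper names are hypothetical, the certificate is a constructed throwaway, and it assumes Ruby linked against OpenSSL 1.1.1 or later.

```ruby
require "openssl"
require "socket"
# Added example, not Fluentd code; helper names are hypothetical.
TLS13 = OpenSSL::SSL::TLS1_3_VERSION # needs Ruby linked against OpenSSL 1.1.1+

# Legacy pinning by method name. Returns nil on success, else the error class.
def legacy_pin_error(name)
  OpenSSL::SSL::SSLContext.new.ssl_version = name
  nil
rescue ArgumentError => e
  e.class
end

# Range-based pinning: the way to select TLS 1.3 in Ruby's OpenSSL binding.
def ranged_context(min, max = nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = min
  ctx.max_version = max if max
  ctx
end

# Constructed throwaway key and self-signed certificate for the loopback peer.
def throwaway_identity
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=loopback.test")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Handshake with an in-process peer that accepts TLS 1.3 only. Returns the
# negotiated protocol name, or the client's SSLError message on failure.
def handshake_with_tls13_only_peer(client_ctx)
  server_ctx = ranged_context(TLS13)
  server_ctx.key, server_ctx.cert = throwaway_identity
  client_ctx.cert_store = OpenSSL::X509::Store.new.add_cert(server_ctx.cert)
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER # keep peer verification on
  a, b = UNIXSocket.pair
  peer = Thread.new { OpenSSL::SSL::SSLSocket.new(b, server_ctx).accept rescue nil }
  OpenSSL::SSL::SSLSocket.new(a, client_ctx).connect.ssl_version
rescue OpenSSL::SSL::SSLError => e
  e.message
ensure
  peer&.join(5)
  [a, b].each { |s| s&.close }
end
```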