feat(tls): enable configurable tls cipher suites and support legacy ciphers (#1384)

kongfei605 · web-flow · commit 144846930dbb · 2025-12-25T09:36:42.000+08:00
diff --git a/conf/input.http_response/http_response.toml b/conf/input.http_response/http_response.toml
@@ -69,3 +69,27 @@ targets = [
 # tls_key = "/etc/categraf/key.pem"
 ## Use TLS but skip chain & host verification
 # insecure_skip_verify = false
+# tls_min_version = "1.2"
+# tls_max_version = "1.3"
+# tls_cipher_suites = [
+#   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+#   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+#   "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+#   "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+#   "TLS_AES_128_GCM_SHA256",
+#   "TLS_AES_256_GCM_SHA384",
+#   "TLS_CHACHA20_POLY1305_SHA256",
+#   "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+#   "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+#   "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+#   "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+#   "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+#   "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+#   "TLS_RSA_WITH_AES_128_GCM_SHA256",
+#   "TLS_RSA_WITH_AES_256_GCM_SHA384",
+#   "TLS_RSA_WITH_AES_128_CBC_SHA",
+#   "TLS_RSA_WITH_AES_256_CBC_SHA",
+#   "TLS_RSA_WITH_AES_128_CBC_SHA256",
+#   "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+#   "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
+# ]
diff --git a/pkg/tls/config.go b/pkg/tls/config.go
@@ -12,15 +12,16 @@ import (
 
 // ClientConfig represents the standard client TLS config.
 type ClientConfig struct {
-	UseTLS             bool   `toml:"use_tls"`
-	TLSCA              string `toml:"tls_ca"`
-	TLSCert            string `toml:"tls_cert"`
-	TLSKey             string `toml:"tls_key"`
-	TLSKeyPwd          string `toml:"tls_key_pwd"`
-	InsecureSkipVerify bool   `toml:"insecure_skip_verify"`
-	ServerName         string `toml:"tls_server_name"`
-	TLSMinVersion      string `toml:"tls_min_version"`
-	TLSMaxVersion      string `toml:"tls_max_version"`
+	UseTLS             bool     `toml:"use_tls"`
+	TLSCA              string   `toml:"tls_ca"`
+	TLSCert            string   `toml:"tls_cert"`
+	TLSKey             string   `toml:"tls_key"`
+	TLSKeyPwd          string   `toml:"tls_key_pwd"`
+	InsecureSkipVerify bool     `toml:"insecure_skip_verify" json:"insecure_skip_verify"`
+	ServerName         string   `toml:"tls_server_name" json:"tls_server_name"`
+	TLSMinVersion      string   `toml:"tls_min_version"`
+	TLSMaxVersion      string   `toml:"tls_max_version"`
+	TLSCipherSuites    []string `toml:"tls_cipher_suites"`
 }
 
 // ServerConfig represents the standard server TLS config.
@@ -62,6 +63,15 @@ func (c *ClientConfig) TLSConfig() (*tls.Config, error) {
 		}
 	}
 
+	if len(c.TLSCipherSuites) != 0 {
+		cipherSuites, err := ParseCiphers(c.TLSCipherSuites)
+		if err != nil {
+			return nil, fmt.Errorf(
+				"could not parse client cipher suites %s: %v", strings.Join(c.TLSCipherSuites, ","), err)
+		}
+		tlsConfig.CipherSuites = cipherSuites
+	}
+
 	if c.ServerName != "" {
 		tlsConfig.ServerName = c.ServerName
 	}
