input: add TLS version and cipher config support

Hiroshi Hatake · nourdouf · commit 1bc2671f1c65 · 2025-09-23T15:05:29.000-04:00
introduces `tls_min_version`, `tls_max_version`, and `tls_ciphers` fields to input instances.
These options are parsed during config loading and applied during TLS initialization."

Signed-off-by: Eduardo Silva &lt;eduardo@chronosphere.io&gt;
diff --git a/include/fluent-bit/flb_input.h b/include/fluent-bit/flb_input.h
@@ -445,6 +445,9 @@ struct flb_input_instance {
     char *tls_crt_file;                  /* Certificate                  */
     char *tls_key_file;                  /* Cert Key                     */
     char *tls_key_passwd;                /* Cert Key Password            */
+    char *tls_min_version;               /* Minimum protocol version of TLS */
+    char *tls_max_version;               /* Maximum protocol version of TLS */
+    char *tls_ciphers;                   /* TLS ciphers */
 
     struct mk_list *tls_config_map;
 
diff --git a/src/flb_input.c b/src/flb_input.c
@@ -596,6 +596,15 @@ int flb_input_set_property(struct flb_input_instance *ins,
     else if (prop_key_check("tls.key_passwd", k, len) == 0) {
         flb_utils_set_plugin_string_property("tls.key_passwd", &ins->tls_key_passwd, tmp);
     }
+    else if (prop_key_check("tls.min_version", k, len) == 0) {
+        flb_utils_set_plugin_string_property("tls.min_version", &ins->tls_min_version, tmp);
+    }
+    else if (prop_key_check("tls.max_version", k, len) == 0) {
+        flb_utils_set_plugin_string_property("tls.max_version", &ins->tls_max_version, tmp);
+    }
+    else if (prop_key_check("tls.ciphers", k, len) == 0) {
+        flb_utils_set_plugin_string_property("tls.ciphers", &ins->tls_ciphers, tmp);
+    }
 #endif
     else if (prop_key_check("storage.type", k, len) == 0 && tmp) {
         /* Set the storage type */
@@ -742,6 +751,18 @@ void flb_input_instance_destroy(struct flb_input_instance *ins)
         flb_sds_destroy(ins->tls_key_passwd);
     }
 
+    if (ins->tls_min_version) {
+        flb_sds_destroy(ins->tls_min_version);
+    }
+
+    if (ins->tls_max_version) {
+        flb_sds_destroy(ins->tls_max_version);
+    }
+
+    if (ins->tls_ciphers) {
+        flb_sds_destroy(ins->tls_ciphers);
+    }
+
     /* release the tag if any */
     flb_sds_destroy(ins->tag);
 
@@ -1321,6 +1342,26 @@ int flb_input_init_all(struct flb_config *config)
             flb_input_instance_destroy(ins);
             return -1;
         }
+
+        if (ins->tls_min_version != NULL || ins->tls_max_version != NULL) {
+            ret = flb_tls_set_minmax_proto(ins->tls, ins->tls_min_version, ins->tls_max_version);
+            if (ret != 0) {
+                flb_error("[input %s] error setting up minmax protocol version of TLS",
+                          ins->name);
+                flb_input_instance_destroy(ins);
+                return -1;
+            }
+        }
+
+        if (ins->tls_ciphers != NULL) {
+            ret = flb_tls_set_ciphers(ins->tls, ins->tls_ciphers);
+            if (ret != 0) {
+                flb_error("[input %s] error setting up TLS ciphers up to TLSv1.2",
+                          ins->name);
+                flb_input_instance_destroy(ins);
+                return -1;
+            }
+        }
     }
 
     return 0;
