tls: introduce API for TLS version and cipher settings

Hiroshi Hatake · Vanessa Zhang · commit 503ed9fd9e28 · 2025-04-08T13:57:38.000-07:00
Adds backend API hooks `set_minmax_proto` and `set_ciphers`, and utility functions
`flb_tls_set_minmax_proto()` and `flb_tls_set_ciphers()` for applying TLS constraints.

Signed-off-by: Eduardo Silva &lt;eduardo@chronosphere.io&gt;
diff --git a/include/fluent-bit/tls/flb_tls.h b/include/fluent-bit/tls/flb_tls.h
@@ -77,6 +77,11 @@ struct flb_tls_backend {
     /* Additional settings */
     int (*context_alpn_set) (void *, const char *);
 
+    /* TLS Protocol version */
+    int (*set_minmax_proto) (struct flb_tls *tls, const char *, const char *);
+    /* TLS Ciphers */
+    int (*set_ciphers) (struct flb_tls *tls, const char *);
+
     /* Session management */
     void *(*session_create) (struct flb_tls *, int);
     int (*session_destroy) (void *);
@@ -119,6 +124,9 @@ int flb_tls_set_alpn(struct flb_tls *tls, const char *alpn);
 int flb_tls_set_verify_hostname(struct flb_tls *tls, int verify_hostname);
 
 int flb_tls_load_system_certificates(struct flb_tls *tls);
+int flb_tls_set_minmax_proto(struct flb_tls *tls,
+                             const char *min_version, const char *max_version);
+int flb_tls_set_ciphers(struct flb_tls *tls, const char *ciphers);
 
 struct mk_list *flb_tls_get_config_map(struct flb_config *config);
 
diff --git a/src/tls/flb_tls.c b/src/tls/flb_tls.c
@@ -80,6 +80,24 @@ struct flb_config_map tls_configmap[] = {
      "Enable or disable to verify hostname"
     },
 
+    {
+     FLB_CONFIG_MAP_STR, "tls.min_version", NULL,
+     0, FLB_FALSE, 0,
+     "Specify the minimum version of TLS"
+    },
+
+    {
+     FLB_CONFIG_MAP_STR, "tls.max_version", NULL,
+     0, FLB_FALSE, 0,
+     "Specify the maximum version of TLS"
+    },
+
+    {
+     FLB_CONFIG_MAP_STR, "tls.ciphers", NULL,
+     0, FLB_FALSE, 0,
+     "Specify TLS ciphers up to TLSv1.2"
+    },
+
     /* EOF */
     {0}
 };
@@ -209,6 +227,25 @@ struct flb_tls *flb_tls_create(int mode,
     return tls;
 }
 
+int flb_tls_set_minmax_proto(struct flb_tls *tls,
+                             const char *min_version, const char *max_version)
+{
+    if (tls->ctx) {
+        return tls->api->set_minmax_proto(tls, min_version, max_version);
+    }
+
+    return 0;
+}
+
+int flb_tls_set_ciphers(struct flb_tls *tls, const char *ciphers)
+{
+    if (tls->ctx) {
+        return tls->api->set_ciphers(tls, ciphers);
+    }
+
+    return 0;
+}
+
 int flb_tls_init()
 {
     return tls_init();
