From da0c186a717164127e0a18e10b514a372d82a200 Mon Sep 17 00:00:00 2001
From: Joshua Powers
Date: Tue, 6 Dec 2022 20:09:58 -0700
Subject: [PATCH] feat(tls): allow setting renegotiation method (#12302)
---
 plugins/common/tls/config.go | 38 +++++++++++++++++-------
 plugins/inputs/http_response/README.md | 2 ++
 plugins/inputs/http_response/sample.conf | 2 ++
 3 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/plugins/common/tls/config.go b/plugins/common/tls/config.go
index bc7f09b41..df6d3269e 100644
--- a/plugins/common/tls/config.go
+++ b/plugins/common/tls/config.go
@@ -14,13 +14,14 @@ const TLSMinVersionDefault = tls.VersionTLS12
 // ClientConfig represents the standard client TLS config.
 type ClientConfig struct {
- TLSCA string `toml:"tls_ca"`
- TLSCert string `toml:"tls_cert"`
- TLSKey string `toml:"tls_key"`
- TLSKeyPwd string `toml:"tls_key_pwd"`
- TLSMinVersion string `toml:"tls_min_version"`
- InsecureSkipVerify bool `toml:"insecure_skip_verify"`
- ServerName string `toml:"tls_server_name"`
+ TLSCA string `toml:"tls_ca"`
+ TLSCert string `toml:"tls_cert"`
+ TLSKey string `toml:"tls_key"`
+ TLSKeyPwd string `toml:"tls_key_pwd"`
+ TLSMinVersion string `toml:"tls_min_version"`
+ InsecureSkipVerify bool `toml:"insecure_skip_verify"`
+ ServerName string `toml:"tls_server_name"`
+ RenegotiationMethod string `toml:"tls_renegotiation_method"`
 SSLCA string `toml:"ssl_ca" deprecated:"1.7.0;use 'tls_ca' instead"`
 SSLCert string `toml:"ssl_cert" deprecated:"1.7.0;use 'tls_cert' instead"`
@@ -58,15 +59,30 @@ func (c *ClientConfig) TLSConfig() (*tls.Config, error) {
 // a TLS connection. That is, any of:
 // * client certificate settings,
 // * peer certificate authorities,
- // * disabled security, or
- // * an SNI server name.
- if c.TLSCA == "" && c.TLSKey == "" && c.TLSCert == "" && !c.InsecureSkipVerify && c.ServerName == "" {
+ // * disabled security,
+ // * an SNI server name, or
+ // * empty/never renegotiation method
+ if c.TLSCA == "" && c.TLSKey == "" && c.TLSCert == "" &&
+ !c.InsecureSkipVerify && c.ServerName == "" &&
+ (c.RenegotiationMethod == "" || c.RenegotiationMethod == "never") {
 return nil, nil
 }
+ var renegotiationMethod tls.RenegotiationSupport
+ switch c.RenegotiationMethod {
+ case "", "never":
+ renegotiationMethod = tls.RenegotiateNever
+ case "once":
+ renegotiationMethod = tls.RenegotiateOnceAsClient
+ case "freely":
+ renegotiationMethod = tls.RenegotiateFreelyAsClient
+ default:
+ return nil, fmt.Errorf("unrecognized renegotation method '%s', choose from: 'never', 'once', 'freely'", c.RenegotiationMethod)
+ }
+
 tlsConfig := &tls.Config{
 InsecureSkipVerify: c.InsecureSkipVerify,
- Renegotiation: tls.RenegotiateNever,
+ Renegotiation: renegotiationMethod,
 }
 if c.TLSCA != "" {
diff --git a/plugins/inputs/http_response/README.md b/plugins/inputs/http_response/README.md
index 03552f552..2a8d0baa9 100644
--- a/plugins/inputs/http_response/README.md
+++ b/plugins/inputs/http_response/README.md
@@ -76,6 +76,8 @@ See the [CONFIGURATION.md][CONFIGURATION.md] for more details.
 # insecure_skip_verify = false
 ## Use the given name as the SNI server name on each URL
 # tls_server_name = ""
+ ## TLS renegotiation method, choose from "never", "once", "freely"
+ # tls_renegotiation_method = "never"
 ## HTTP Request Headers (all values must be strings)
 # [inputs.http_response.headers]
diff --git a/plugins/inputs/http_response/sample.conf b/plugins/inputs/http_response/sample.conf
index 598368079..d8d3652a2 100644
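Review bot: The error string in the `default` branch of the new `switch` misspells the option name (`renegotation`) and quotes it with `'%s'`; suggest `return nil, fmt.Errorf("unrecognized renegotiation method %q, choose from: 'never', 'once', 'freely'", c.RenegotiationMethod)`. The added bullet `// * empty/never renegotiation method` inverts the list it joins, since that list names the settings that do require a TLS config, so `// * a renegotiation method other than never/empty` would match the condition right below it. Because "freely" lets the remote server request renegotiation repeatedly for the life of the connection (that is how crypto/tls documents RenegotiateFreelyAsClient) and renegotiation only exists in TLS 1.2 and earlier, the new `RenegotiationMethod` field in the struct hunk above deserves a doc comment stating that "never" is the safe default and that "once"/"freely" exist only for legacy servers that demand renegotiation. The body of TLSConfig starts before and continues past this hunk, so whether `fmt` is already imported in this file cannot be confirmed from here.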
--- a/plugins/inputs/http_response/sample.conf
+++ b/plugins/inputs/http_response/sample.conf
@@ -60,6 +60,8 @@
 # insecure_skip_verify = false
 ## Use the given name as the SNI server name on each URL
 # tls_server_name = ""
+ ## TLS renegotiation method, choose from "never", "once", "freely"
+ # tls_renegotiation_method = "never"
 ## HTTP Request Headers (all values must be strings)
 # [inputs.http_response.headers]