feat(tls): allow setting renegotiation method (#12302)

2022-12-06 20:09:58 -07:00 · 2022-12-06 20:09:58 -07:00 · da0c186a71
parent eea9021771
commit da0c186a71
3 changed files with 31 additions and 11 deletions
--- a/plugins/common/tls/config.go
+++ b/plugins/common/tls/config.go
@ -14,13 +14,14 @@ const TLSMinVersionDefault = tls.VersionTLS12
 // ClientConfig represents the standard client TLS config.
 type ClientConfig struct {
-	TLSCA              string `toml:"tls_ca"`
+	TLSCA               string `toml:"tls_ca"`
-	TLSCert            string `toml:"tls_cert"`
+	TLSCert             string `toml:"tls_cert"`
-	TLSKey             string `toml:"tls_key"`
+	TLSKey              string `toml:"tls_key"`
-	TLSKeyPwd          string `toml:"tls_key_pwd"`
+	TLSKeyPwd           string `toml:"tls_key_pwd"`
-	TLSMinVersion      string `toml:"tls_min_version"`
+	TLSMinVersion       string `toml:"tls_min_version"`
-	InsecureSkipVerify bool   `toml:"insecure_skip_verify"`
+	InsecureSkipVerify  bool   `toml:"insecure_skip_verify"`
-	ServerName         string `toml:"tls_server_name"`
+	ServerName          string `toml:"tls_server_name"`
 	RenegotiationMethod string `toml:"tls_renegotiation_method"`
 	SSLCA   string `toml:"ssl_ca" deprecated:"1.7.0;use 'tls_ca' instead"`
 	SSLCert string `toml:"ssl_cert" deprecated:"1.7.0;use 'tls_cert' instead"`
@ -58,15 +59,30 @@ func (c *ClientConfig) TLSConfig() (*tls.Config, error) {
 	// a TLS connection. That is, any of:
 	//     * client certificate settings,
 	//     * peer certificate authorities,
-	//     * disabled security, or
+	//     * disabled security,
-	//     * an SNI server name.
+	//     * an SNI server name, or
-	if c.TLSCA == "" && c.TLSKey == "" && c.TLSCert == "" && !c.InsecureSkipVerify && c.ServerName == "" {
+	//     * empty/never renegotiation method
 	if c.TLSCA == "" && c.TLSKey == "" && c.TLSCert == "" &&
 		!c.InsecureSkipVerify && c.ServerName == "" &&
 		(c.RenegotiationMethod == "" || c.RenegotiationMethod == "never") {
 		return nil, nil
 	}
 	var renegotiationMethod tls.RenegotiationSupport
 	switch c.RenegotiationMethod {
 	case "", "never":
 		renegotiationMethod = tls.RenegotiateNever
 	case "once":
 		renegotiationMethod = tls.RenegotiateOnceAsClient
 	case "freely":
 		renegotiationMethod = tls.RenegotiateFreelyAsClient
 	default:
 		return nil, fmt.Errorf("unrecognized renegotation method '%s', choose from: 'never', 'once', 'freely'", c.RenegotiationMethod)
 	}
 	tlsConfig := &tls.Config{
 		InsecureSkipVerify: c.InsecureSkipVerify,
-		Renegotiation:      tls.RenegotiateNever,
+		Renegotiation:      renegotiationMethod,
 	}
 	if c.TLSCA != "" {
--- a/plugins/inputs/http_response/README.md
+++ b/plugins/inputs/http_response/README.md
@ -76,6 +76,8 @@ See the [CONFIGURATION.md][CONFIGURATION.md] for more details.
  # insecure_skip_verify = false
  ## Use the given name as the SNI server name on each URL
  # tls_server_name = ""
  ## TLS renegotiation method, choose from "never", "once", "freely"
  # tls_renegotiation_method = "never"
  ## HTTP Request Headers (all values must be strings)
  # [inputs.http_response.headers]
--- a/plugins/inputs/http_response/sample.conf
+++ b/plugins/inputs/http_response/sample.conf
@ -60,6 +60,8 @@
  # insecure_skip_verify = false
  ## Use the given name as the SNI server name on each URL
  # tls_server_name = ""
  ## TLS renegotiation method, choose from "never", "once", "freely"
  # tls_renegotiation_method = "never"
  ## HTTP Request Headers (all values must be strings)
  # [inputs.http_response.headers]