LOG-3398: Apply TLSSecurityProfile settings to TLS listeners in log c…

…ollectors

Cargo.toml

@@ -337,6 +337,7 @@ chrono = { git = "https://github.com/vectordotdev/chrono.git", branch = "no-defa
 aws-config = { path = "patch/aws-config" }
 aws-sigv4 = { path = "patch/aws-sigv4" }
 hyper-openssl = { path = "patch/hyper-openssl" }
+openssl = { path = "patch/openssl" }
 
 [features]
 ocp-logging = [

Dockerfile.unit

@@ -1,8 +1,9 @@
-FROM registry.redhat.io/ubi8:6-754 as builder
+FROM registry.redhat.io/ubi8:8.6-754 as builder
 
 RUN INSTALL_PKGS=" \
       cmake \
       libarchive \
+      gcc-c++ \
       make \
       git \
       openssl-devel \

vendor/openssl/src/ssl/connector.rs → patch/openssl/src/ssl/connector.rs

@@ -6,7 +6,7 @@ use crate::dh::Dh;
 use crate::error::ErrorStack;
 use crate::ssl::{
     HandshakeError, Ssl, SslContext, SslContextBuilder, SslContextRef, SslMethod, SslMode,
-    SslOptions, SslRef, SslStream, SslVerifyMode,
+    SslOptions, SslRef, SslStream, SslVerifyMode, SslVersion,
 };
 use crate::version;
 
@@ -217,6 +217,28 @@ impl DerefMut for ConnectConfiguration {
 pub struct SslAcceptor(SslContext);
 
 impl SslAcceptor {
+    pub fn custom(method: SslMethod, min_tls_version: &String, ciphersuites: &String) -> Result<SslAcceptorBuilder, ErrorStack> {
+        let mut ctx = ctx(method)?;
+        let min_proto_version: SslVersion;
+        match min_tls_version.as_str() {
+            "VersionTLS10" => min_proto_version = SslVersion::TLS1,
+            "VersionTLS11" => min_proto_version = SslVersion::TLS1_1,
+            "VersionTLS12" => min_proto_version = SslVersion::TLS1_2,
+            "VersionTLS13" => min_proto_version = SslVersion::TLS1_3,
+            _ => min_proto_version = SslVersion::TLS1,
+        }
+        ctx.set_min_proto_version(Some(min_proto_version))?;
+        let dh = Dh::params_from_pem(FFDHE_2048.as_bytes())?;
+        ctx.set_tmp_dh(&dh)?;
+        setup_curves(&mut ctx)?;
+        ctx.set_cipher_list(ciphersuites.replace(",", ":").as_str())?;
+        #[cfg(ossl111)]
+        ctx.set_ciphersuites(
+            "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256",
+        )?;
+        Ok(SslAcceptorBuilder(ctx))
+    }
+
     /// Creates a new builder configured to connect to non-legacy clients. This should generally be
     /// considered a reasonable default choice.
     ///

src/tls/incoming.rs

@@ -30,6 +30,14 @@ impl TlsSettings {
         match self.identity {
             None => Err(TlsError::MissingRequiredIdentity),
             Some(_) => {
+                if let Some(min_tls_version) = &self.min_tls_version {
+                    if let Some (ciphersuites) = &self.ciphersuites {
+                        let mut acceptor = SslAcceptor::custom(SslMethod::tls(), min_tls_version, ciphersuites)
+                        .context(CreateAcceptorSnafu)?;
+                        self.apply_context(&mut acceptor)?;
+                        return Ok(acceptor.build())
+                    }
+                }
                 let mut acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls())
                     .context(CreateAcceptorSnafu)?;
                 self.apply_context(&mut acceptor)?;

src/tls/settings.rs

@@ -68,6 +68,8 @@ pub struct TlsOptions {
     #[serde(alias = "key_path")]
     pub key_file: Option<PathBuf>,
     pub key_pass: Option<String>,
+    pub min_tls_version: Option<String>,
+    pub ciphersuites: Option<String>,
 }
 
 impl TlsOptions {
@@ -89,6 +91,8 @@ pub struct TlsSettings {
     pub(super) verify_hostname: bool,
     authorities: Vec<X509>,
     pub(super) identity: Option<IdentityStore>, // openssl::pkcs12::ParsedPkcs12 doesn't impl Clone yet
+    pub min_tls_version: Option<String>,
+    pub ciphersuites: Option<String>,
 }
 
 #[derive(Clone)]
@@ -125,6 +129,8 @@ impl TlsSettings {
             verify_hostname: options.verify_hostname.unwrap_or(!for_server),
             authorities: options.load_authorities()?,
             identity: options.load_identity()?,
+            min_tls_version: options.min_tls_version.clone(),
+            ciphersuites: options.ciphersuites.clone(),
         })
     }