LOG-8968: Enhance TLS config of OpenSSL to allow setting curves

Author: jcantrill

lib/vector-core/src/tls/incoming.rs

@@ -29,8 +29,8 @@ use crate::tcp::{self, TcpKeepaliveConfig};
 impl TlsSettings {
     pub fn acceptor(&self) -> crate::tls::Result<SslAcceptor> {
         if self.identity.is_some() {
-            let mut acceptor = if self.min_tls_version.is_some() || self.ciphersuites.is_some() {
-                SslAcceptor::custom(SslMethod::tls(), &self.min_tls_version, &self.ciphersuites)
+            let mut acceptor = if self.min_tls_version.is_some() || self.ciphersuites.is_some() || self.curves.is_some() {
+                SslAcceptor::custom(SslMethod::tls(), &self.min_tls_version, &self.ciphersuites, &self.curves)
                     .map_err(|error_ex| match error_ex {
                         ErrorEx::OpenSslError { error_stack: e } => {
                             TlsError::CreateAcceptor { source: e }

lib/vector-core/src/tls/mod.rs

@@ -185,7 +185,7 @@ pub fn tls_connector_builder(settings: &MaybeTlsSettings) -> Result<SslConnector
     if let Some(settings) = settings.tls() {
         settings.apply_context(&mut builder)?;
         builder
-            .set_min_tls_version_and_ciphersuites(&settings.min_tls_version, &settings.ciphersuites)
+            .set_min_tls_version_and_ciphersuites(&settings.min_tls_version, &settings.ciphersuites, &settings.curves)
             .map_err(|error_ex| match error_ex {
                 ErrorEx::OpenSslError { error_stack: e } => TlsError::SslBuildError { source: e },
                 ErrorEx::InvalidTlsVersion => TlsError::InvalidTlsVersion,

lib/vector-core/src/tls/settings.rs

@@ -163,6 +163,13 @@ pub struct TlsConfig {
 
     /// TLS ciphersuites to enable.
     pub ciphersuites: Option<String>,
+
+    /// Elliptic curve groups to enable.
+    ///
+    /// Comma-separated list of supported elliptic curve groups (e.g., "P-256", "P-384", "P-521").
+    /// Only available with OpenSSL 1.1.1+, BoringSSL, or LibreSSL 2.5.1+.
+    #[configurable(metadata(docs::examples = "P-256,P-384"))]
+    pub curves: Option<String>,
 }
 
 impl TlsConfig {
@@ -187,6 +194,7 @@ pub struct TlsSettings {
     server_name: Option<String>,
     pub min_tls_version: Option<String>,
     pub ciphersuites: Option<String>,
+    pub curves: Option<String>,
 }
 
 #[derive(Clone)]
@@ -224,6 +232,7 @@ impl TlsSettings {
             server_name: options.server_name.clone(),
             min_tls_version: options.min_tls_version.clone(),
             ciphersuites: options.ciphersuites.clone(),
+            curves: options.curves.clone(),
         })
     }
 
@@ -889,7 +898,7 @@ mod test {
             },
         ];
         for t in tests {
-            match builder.set_min_tls_version_and_ciphersuites(&t.text, &None) {
+            match builder.set_min_tls_version_and_ciphersuites(&t.text, &None, &None) {
                 Ok(()) => {
                     assert!(t.want.is_ok());
                     assert_eq!(builder.min_proto_version(), t.num);
@@ -930,7 +939,7 @@ mod test {
             },
         ];
         for t in tests {
-            match builder.set_min_tls_version_and_ciphersuites(&t.min_tls_version, &t.ciphersuite) {
+            match builder.set_min_tls_version_and_ciphersuites(&t.min_tls_version, &t.ciphersuite, &None) {
                 Ok(()) => assert!(t.want.is_ok()),
                 Err(e) => assert_eq!(t.want.err().unwrap(), e),
             }

patch/openssl/src/ssl/connector.rs

@@ -320,14 +320,17 @@ impl SslAcceptor {
         Ok(SslAcceptorBuilder(ctx))
     }
 
-    /// Creates a new builder configured with a minimum supported TLS version and a set of ciphersuites
+    /// Creates a new builder configured with a minimum supported TLS version, ciphersuites, and curves
     ///
-    pub fn custom(method: SslMethod, min_tls_version: &Option<String>, ciphersuites: &Option<String>) -> Result<SslAcceptorBuilder, ErrorEx> {
+    pub fn custom(method: SslMethod, min_tls_version: &Option<String>, ciphersuites: &Option<String>, curves: &Option<String>) -> Result<SslAcceptorBuilder, ErrorEx> {
         let mut ctx = ctx(method).map_err(|e| ErrorEx::OpenSslError { error_stack: e })?;
         let dh = Dh::params_from_pem(FFDHE_2048.as_bytes()).map_err(|e| ErrorEx::OpenSslError { error_stack: e })?;
         ctx.set_tmp_dh(&dh).map_err(|e| ErrorEx::OpenSslError { error_stack: e })?;
-        setup_curves(&mut ctx).map_err(|e| ErrorEx::OpenSslError { error_stack: e })?;
-        ctx.set_min_tls_version_and_ciphersuites(min_tls_version, ciphersuites)?;
+        // Only setup default curves if no custom curves are specified
+        if curves.is_none() {
+            setup_curves(&mut ctx).map_err(|e| ErrorEx::OpenSslError { error_stack: e })?;
+        }
+        ctx.set_min_tls_version_and_ciphersuites(min_tls_version, ciphersuites, curves)?;
         Ok(SslAcceptorBuilder(ctx))
     }
 

patch/openssl/src/ssl/mod.rs

@@ -1788,7 +1788,7 @@ impl SslContextBuilder {
 
     /// Sets the context's minimal TLS version, specified as "VersionTLS1[0..3]", and a comma-separated list of ciphersuites.
     ///
-    pub fn set_min_tls_version_and_ciphersuites(&mut self, min_tls_version: &Option<String>, ciphersuites: &Option<String>) -> Result<(), ErrorEx>{
+    pub fn set_min_tls_version_and_ciphersuites(&mut self, min_tls_version: &Option<String>, ciphersuites: &Option<String>, curves: &Option<String>) -> Result<(), ErrorEx>{
         let mut min_proto_version = SslVersion::TLS1;
         if let Some(min_tls_version) = min_tls_version {
             min_proto_version = match min_tls_version.as_str() {
@@ -1812,6 +1812,13 @@ impl SslContextBuilder {
                 return Err(ErrorEx::InvalidCiphersuite);
             }
         }
+        #[cfg(any(ossl111, boringssl, libressl251, awslc))]
+        if let Some(curves) = curves {
+            if !curves.is_empty() {
+                let curves = &curves.replace(",", ":");
+                self.set_groups_list(&curves).map_err(|e| ErrorEx::OpenSslError { error_stack: e })?;
+            }
+        }
         Ok(())
     }
 }