From 0732f6b4d76b789ae98feb6723b7599ca0bbd0ba Mon Sep 17 00:00:00 2001
From: dmachard <5562930+dmachard@users.noreply.github.com>
Date: Wed, 1 Nov 2023 21:55:57 +0100
Subject: [PATCH] tcp client: tls-support marked as deprecated

---
 dnsutils/config.go | 12 --------
 dnsutils/tls_config.go | 13 ++++++++++
 dnsutils/tls_config_test.go | 2 +-
 docs/loggers/logger_tcp.md | 8 +++---
 loggers/syslog.go | 6 ++---
 loggers/tcpclient.go | 51 ++++++++++++++++++++++++-------------
 6 files changed, 53 insertions(+), 39 deletions(-)

diff --git a/dnsutils/config.go b/dnsutils/config.go
index 69c3af4a..00b6bffe 100644
--- a/dnsutils/config.go
+++ b/dnsutils/config.go
@@ -18,18 +18,6 @@ func IsValidMode(mode string) bool {
 return false
 }
 
-func IsValidTLS(mode string) bool {
- switch mode {
- case
- TLS_v10,
- TLS_v11,
- TLS_v12,
- TLS_v13:
- return true
- }
- return false
-}
-
 type MultiplexInOut struct {
 Name string `yaml:"name"`
 Transforms map[string]interface{} `yaml:"transforms"`
diff --git a/dnsutils/tls_config.go b/dnsutils/tls_config.go
index 9f6292c1..d58e4f05 100644
--- a/dnsutils/tls_config.go
+++ b/dnsutils/tls_config.go
@@ -14,6 +14,18 @@ var clientCipherSuites = []uint16{
 tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 }
 
+func IsValidTLS(mode string) bool {
+ switch mode {
+ case
+ TLS_v10,
+ TLS_v11,
+ TLS_v12,
+ TLS_v13:
+ return true
+ }
+ return false
+}
+
 type TlsOptions struct {
 CAFile string
 CertFile string
@@ -23,6 +35,7 @@ type TlsOptions struct {
 }
 
 func TlsClientConfig(options TlsOptions) (*tls.Config, error) {
+
 tlsConfig := &tls.Config{
 MinVersion: tls.VersionTLS12,
 InsecureSkipVerify: false,
diff --git a/dnsutils/tls_config_test.go b/dnsutils/tls_config_test.go
index ba5e072f..540e7f89 100644
--- a/dnsutils/tls_config_test.go
+++ b/dnsutils/tls_config_test.go
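Review bot: `IsValidTLS` is exported but arrives in tls_config.go without a doc comment; add `// IsValidTLS reports whether mode is one of the accepted TLS version strings (TLS_v10 through TLS_v13).` above it. The accepted set still includes TLS 1.0 and 1.1, which are deprecated protocol versions; if `TLS_v10`/`TLS_v11` are mapped onto `tls.VersionTLS10`/`tls.VersionTLS11` by `TlsClientConfig` (not shown here), configuring one of them silently lowers the `MinVersion: tls.VersionTLS12` default visible in the second hunk, so a warning log at config-load time when the minimum is below 1.2 would help operators notice. Note also that nothing in this commit calls `IsValidTLS` any more, since the only caller in tcpclient.go is removed.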
@@ -7,7 +7,7 @@ import (
 )
 
 func TestConfigClientTLSNoVerify(t *testing.T) {
- tlsConfig, err := TlsClientConfig(TlsOptions{InsecureSkipVerify: true})
+ tlsConfig, err := TlsClientConfig(TlsOptions{InsecureSkipVerify: true, MinVersion: TLS_v12})
 if err != nil || tlsConfig == nil {
 t.Fatal("Unable to configure client TLS", err)
diff --git a/docs/loggers/logger_tcp.md b/docs/loggers/logger_tcp.md
index 8783c6b2..a6c99f87 100644
--- a/docs/loggers/logger_tcp.md
+++ b/docs/loggers/logger_tcp.md
@@ -10,14 +10,14 @@ Tcp/unix stream client logger.
 
 Options:
 
-* `transport`: (string) network transport to use: tcp|unix
+* `transport`: (string) network transport to use: tcp|unix|tcp+tls
 * `remote-ip`: (string) remote address
 * `remote-port`: (integer) remote tcp port
-* `sock-path`: (string) unix socket path
+* `sock-path` **DEPRECATED**: (string) unix socket path
 * `connect-timeout`: (integer) connect timeout in second
 * `retry-interval`: (integer) interval in second between retry reconnect
 * `flush-interval`: (integer) interval in second before to flush the buffer
-* `tls-support`: (boolean) enable tls
+* `tls-support` **DEPRECATED**: (boolean) enable tls
 * `tls-insecure`: (boolean) insecure skip verify
 * `tls-min-version`: (string) min tls version, default to 1.2
 * `ca-file`: (string) provide CA file to verify the server certificate
@@ -35,11 +35,9 @@ tcpclient:
 transport: tcp
 remote-address: 127.0.0.1
 remote-port: 9999
- sock-path: null
 connect-timeout: 5
 retry-interval: 10
 flush-interval: 30
- tls-support: false
 tls-insecure: false
 tls-min-version: 1.2
 ca-file: ""
diff --git a/loggers/syslog.go b/loggers/syslog.go
index 3e67445c..540e4513 100644
--- a/loggers/syslog.go
+++ b/loggers/syslog.go
@@ -151,8 +151,6 @@ func (o *Syslog) Stop() {
 }
 
 func (o *Syslog) ConnectToRemote() {
- //connTimeout := time.Duration(o.config.Loggers.Dnstap.ConnectTimeout) * time.Second
-
 for {
 if o.syslogWriter != nil {
 o.syslogWriter.Close()
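Review bot: The only change to this test is passing `MinVersion: TLS_v12` explicitly, which suggests `TlsClientConfig` does not accept an empty `MinVersion` — nothing in the tls_config.go hunks of this commit shows that code, so this is inferred. If that is the case, the behaviour is now the only guard on `tls-min-version` (the `IsValidTLS` check in `TcpClient.ReadConfig` is removed in this same commit), and a companion test asserting that `TlsClientConfig(TlsOptions{})` and `TlsClientConfig(TlsOptions{MinVersion: "bogus"})` return a non-nil error would pin it. The test function continues below the hunk.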
@@ -168,14 +166,14 @@ func (o *Syslog) ConnectToRemote() {
 o.LogInfo("connecting to local syslog...")
 logWriter, err = syslog.New(o.facility|o.severity, "")
 case dnsutils.SOCKET_UNIX, dnsutils.SOCKET_UDP, dnsutils.SOCKET_TCP:
- o.LogInfo("connecting to syslog %s://%s ...",
+ o.LogInfo("connecting to %s://%s ...",
 o.config.Loggers.Syslog.Transport,
 o.config.Loggers.Syslog.RemoteAddress)
 logWriter, err = syslog.Dial(o.config.Loggers.Syslog.Transport,
 o.config.Loggers.Syslog.RemoteAddress,
 o.facility|o.severity,
 o.config.Loggers.Syslog.Tag)
 case dnsutils.SOCKET_TLS:
- o.LogInfo("connecting to syslog %s://%s ...",
+ o.LogInfo("connecting to %s://%s ...",
 o.config.Loggers.Syslog.Transport,
 o.config.Loggers.Syslog.RemoteAddress)
diff --git a/loggers/tcpclient.go b/loggers/tcpclient.go
index 8c703090..9f2d7a73 100644
--- a/loggers/tcpclient.go
+++ b/loggers/tcpclient.go
@@ -26,6 +26,7 @@ type TcpClient struct {
 logger *logger.Logger
 textFormat []string
 name string
+ transport string
 transportWriter *bufio.Writer
 transportConn net.Conn
 transportReady chan bool
@@ -60,9 +61,16 @@ func (c *TcpClient) GetName() string {
 return c.name
 }
 func (c *TcpClient) SetLoggers(loggers []dnsutils.Worker) {}
 func (o *TcpClient) ReadConfig() {
- if !dnsutils.IsValidTLS(o.config.Loggers.TcpClient.TlsMinVersion) {
- o.logger.Fatal("logger tcp - invalid tls min version")
+ o.transport = o.config.Loggers.TcpClient.Transport
+
+ // begin backward compatibility
+ if o.config.Loggers.TcpClient.TlsSupport {
+ o.transport = dnsutils.SOCKET_TLS
+ }
+ if len(o.config.Loggers.TcpClient.SockPath) > 0 {
+ o.transport = dnsutils.SOCKET_UNIX
 }
+ // end
 if len(o.config.Loggers.TcpClient.TextFormat) > 0 {
 o.textFormat = strings.Fields(o.config.Loggers.TcpClient.TextFormat)
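Review bot: The `dnsutils.IsValidTLS(...TlsMinVersion)` check that `ReadConfig` used to perform is dropped in this hunk and no other hunk in the commit calls the relocated function, so an unsupported `tls-min-version` is no longer rejected at load time (unless `TlsClientConfig`, which is not shown, does so). The derived `o.transport` is likewise not validated here; the only rejection is the `default:` arm added to `ConnectToRemote`, which fires inside the reconnect loop rather than at startup. Restoring fail-fast validation of both values in `ReadConfig` keeps the behaviour the removed lines provided; a sketch follows. The precedence when both deprecated options are set (a non-empty `sock-path` silently overrides `tls-support: true`) deserves a comment or a warning log, since an operator who believes TLS is on would get a plain unix socket. `ReadConfig` continues below the hunk.
```go
	// end

	switch o.transport {
	case dnsutils.SOCKET_UNIX, dnsutils.SOCKET_TCP, dnsutils.SOCKET_TLS:
	default:
		o.logger.Fatal("logger tcp - invalid transport:", o.transport)
	}
	if o.transport == dnsutils.SOCKET_TLS && !dnsutils.IsValidTLS(o.config.Loggers.TcpClient.TlsMinVersion) {
		o.logger.Fatal("logger tcp - invalid tls min version")
	}
	// … unchanged: text format parsing …
```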
@@ -106,14 +114,6 @@ func (o *TcpClient) Disconnect() {
 }
 
 func (o *TcpClient) ConnectToRemote() {
- // prepare the address
- var address string
- if len(o.config.Loggers.TcpClient.SockPath) > 0 {
- address = o.config.Loggers.TcpClient.SockPath
- } else {
- address = o.config.Loggers.TcpClient.RemoteAddress + ":" + strconv.Itoa(o.config.Loggers.TcpClient.RemotePort)
- }
-
 connTimeout := time.Duration(o.config.Loggers.TcpClient.ConnectTimeout) * time.Second
 for {
 if o.transportConn != nil {
@@ -121,12 +121,30 @@ func (o *TcpClient) ConnectToRemote() {
 o.transportConn = nil
 }
 
+ address := o.config.Loggers.TcpClient.RemoteAddress + ":" + strconv.Itoa(o.config.Loggers.TcpClient.RemotePort)
+ connTimeout := time.Duration(o.config.Loggers.TcpClient.ConnectTimeout) * time.Second
+
 // make the connection
 var conn net.Conn
 var err error
- var tlsConfig *tls.Config
- if o.config.Loggers.TcpClient.TlsSupport {
- o.LogInfo("connecting to tls://%s", address)
+
+ switch o.transport {
+ case dnsutils.SOCKET_UNIX:
+ address = o.config.Loggers.TcpClient.RemoteAddress
+ if len(o.config.Loggers.TcpClient.SockPath) > 0 {
+ address = o.config.Loggers.TcpClient.SockPath
+ }
+ o.LogInfo("connecting to %s://%s", o.transport, address)
+ conn, err = net.DialTimeout(o.transport, address, connTimeout)
+
+ case dnsutils.SOCKET_TCP:
+ o.LogInfo("connecting to %s://%s", o.transport, address)
+ conn, err = net.DialTimeout(o.transport, address, connTimeout)
+
+ case dnsutils.SOCKET_TLS:
+ o.LogInfo("connecting to %s://%s", o.transport, address)
+
+ var tlsConfig *tls.Config
 tlsOptions := dnsutils.TlsOptions{
 InsecureSkipVerify: o.config.Loggers.TcpClient.TlsInsecure,
@@ -139,11 +157,10 @@ func (o *TcpClient) ConnectToRemote() {
 tlsConfig, err = dnsutils.TlsClientConfig(tlsOptions)
 if err == nil {
 dialer := &net.Dialer{Timeout: connTimeout}
- conn, err = tls.DialWithDialer(dialer, o.config.Loggers.TcpClient.Transport, address, tlsConfig)
+ conn, err = tls.DialWithDialer(dialer, dnsutils.SOCKET_TCP, address, tlsConfig)
 }
- } else {
- o.LogInfo("connecting to tcp://%s", address)
- conn, err = net.DialTimeout(o.config.Loggers.TcpClient.Transport, address, connTimeout)
+ default:
+ o.logger.Fatal("logger=dnstap - invalid transport:", o.transport, err)
 }
 
 // something is wrong during connection ?
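Review bot: The new `default:` arm logs `logger=dnstap` from inside the TCP client logger, and appends `err`, which on this path is still the zero value of the `var err error` declared earlier in the loop iteration and so prints as `<nil>`; the line should read `o.logger.Fatal("logger tcp - invalid transport:", o.transport)` (matching the "logger tcp" prefix the removed `ReadConfig` message used). Because this arm only runs once `ConnectToRemote` is already in its reconnect loop, an invalid transport is detected at connection time rather than at config load, which is worth stating in a comment if it is intended. Pinning the TLS dial to `dnsutils.SOCKET_TCP` instead of the configured transport string is correct, since `tcp+tls` is not a `net` network name. `ConnectToRemote` continues below the hunk.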