S03.07: Walking skeleton — SolidSyslogPosixTlsStream (OpenSSL) + TLS BDD scenario
Goal
Add an OpenSSL-backed TLS Stream on POSIX and prove the library's Stream abstraction
supports RFC 5425 by having the threaded example deliver a syslog message to a
syslog-ng TLS endpoint, with zero changes to core.
Parent epic: #5
Architecture recap
- Core unchanged:
SolidSyslogStreamSender (from S03.06) handles RFC 6587 / 5425
octet-counting framing.
- New platform component:
Platform/Posix/Interface/SolidSyslogPosixTlsStream.h
Platform/Posix/Source/SolidSyslogPosixTlsStream.c — implements the
SolidSyslogStream vtable using OpenSSL.
- Example:
Example/Common/ExampleTlsConfig.{h,c} + EXAMPLE_SWITCH_TLS in
ExampleSwitchConfig + --transport tls + interactive switch tls.
- BDD: new
syslog-ng-tls container, self-signed test CA in Bdd/syslog-ng-tls/,
new feature file.
API sketch
struct SolidSyslogPosixTlsStreamConfig
{
const char* caBundlePath; /* path to PEM-encoded CA bundle */
/* TLS 1.2+ with OpenSSL secure defaults for the skeleton. Explicit
validation, hostname/SAN, cipher hardening, mTLS and rotation arrive
in later stories. */
};
struct SolidSyslogStream* SolidSyslogPosixTlsStream_Create(const struct SolidSyslogPosixTlsStreamConfig* config);
void SolidSyslogPosixTlsStream_Destroy(void);
enum
{
SOLIDSYSLOG_TLS_DEFAULT_PORT = 6514 /* RFC 5425 */
};
Walking-skeleton scope
Minimum to prove the abstraction end-to-end:
- CA verification against the test CA
- Hostname check on connect (OpenSSL default; explicit SAN knobs in S03.08)
- TLS 1.2 floor (OpenSSL default)
- No client certs (mTLS in S03.09)
- No custom cipher list (OpenSSL defaults; hardening in S03.08)
- No cert rotation (S03.10)
BDD infrastructure
Bdd/syslog-ng-tls/syslog-ng.conf — syslog-ng with TLS source on 6514.
Bdd/syslog-ng-tls/ca.pem, server.pem, server.key — version-controlled
self-signed test materials, clearly marked test-only.
- New Compose service
syslog-ng-tls alongside existing syslog-ng.
- Feature
Bdd/features/tls_transport.feature:
@tls @buffered
Feature: TLS message delivery
Scenario: Message delivered over TLS
Given syslog-ng-tls is running
When the threaded example sends a syslog message with transport tls
Then syslog-ng-tls receives a message with priority "134"
Unit-test approach — design discussion expected
SolidSyslogPosixTlsStream sits on top of OpenSSL. Unit testing without a real TLS
endpoint means either intercepting OpenSSL at the BIO layer (new fake) or at the
POSIX socket layer (extending SocketFake). Which approach delivers the right
coverage without fakes that duplicate half of OpenSSL is an open design question —
discuss at red-step time.
Dependencies
- S03.06 (rename) merged.
- OpenSSL dev headers + libssl in the POSIX container image — confirm before start;
a container bump may be needed.
Acceptance
- All presets green (debug, clang-debug, sanitize, tidy, cppcheck, format).
- Coverage 100% on new
SolidSyslogPosixTlsStream code.
tls_transport.feature scenario green; no regressions elsewhere.
- Windows CI unchanged (TLS scenario tagged
@tls, excluded on Windows same as
@buffered).
Out of scope (in the epic, not this story)
- SAN / CN validation + cipher hardening → S03.08
- Mutual TLS → S03.09
- Cert rotation → S03.10
docs/iec62443.md SL4 promotion → S03.11
S03.07: Walking skeleton — SolidSyslogPosixTlsStream (OpenSSL) + TLS BDD scenario
Goal
Add an OpenSSL-backed TLS Stream on POSIX and prove the library's Stream abstraction
supports RFC 5425 by having the threaded example deliver a syslog message to a
syslog-ng TLS endpoint, with zero changes to core.
Parent epic: #5
Architecture recap
SolidSyslogStreamSender(from S03.06) handles RFC 6587 / 5425octet-counting framing.
Platform/Posix/Interface/SolidSyslogPosixTlsStream.hPlatform/Posix/Source/SolidSyslogPosixTlsStream.c— implements theSolidSyslogStreamvtable using OpenSSL.Example/Common/ExampleTlsConfig.{h,c}+EXAMPLE_SWITCH_TLSinExampleSwitchConfig+--transport tls+ interactiveswitch tls.syslog-ng-tlscontainer, self-signed test CA inBdd/syslog-ng-tls/,new feature file.
API sketch
Walking-skeleton scope
Minimum to prove the abstraction end-to-end:
BDD infrastructure
Bdd/syslog-ng-tls/syslog-ng.conf— syslog-ng with TLS source on 6514.Bdd/syslog-ng-tls/ca.pem,server.pem,server.key— version-controlledself-signed test materials, clearly marked test-only.
syslog-ng-tlsalongside existingsyslog-ng.Bdd/features/tls_transport.feature:Unit-test approach — design discussion expected
SolidSyslogPosixTlsStreamsits on top of OpenSSL. Unit testing without a real TLSendpoint means either intercepting OpenSSL at the BIO layer (new fake) or at the
POSIX socket layer (extending
SocketFake). Which approach delivers the rightcoverage without fakes that duplicate half of OpenSSL is an open design question —
discuss at red-step time.
Dependencies
a container bump may be needed.
Acceptance
SolidSyslogPosixTlsStreamcode.tls_transport.featurescenario green; no regressions elsewhere.@tls, excluded on Windows same as@buffered).Out of scope (in the epic, not this story)
docs/iec62443.mdSL4 promotion → S03.11