Skip to content

S03.07: Walking skeleton — SolidSyslogPosixTlsStream (OpenSSL) + TLS BDD #165

Description

@DavidCozens

S03.07: Walking skeleton — SolidSyslogPosixTlsStream (OpenSSL) + TLS BDD scenario

Goal

Add an OpenSSL-backed TLS Stream on POSIX and prove the library's Stream abstraction
supports RFC 5425 by having the threaded example deliver a syslog message to a
syslog-ng TLS endpoint, with zero changes to core.

Parent epic: #5

Architecture recap

  • Core unchanged: SolidSyslogStreamSender (from S03.06) handles RFC 6587 / 5425
    octet-counting framing.
  • New platform component: Platform/Posix/Interface/SolidSyslogPosixTlsStream.h
    • Platform/Posix/Source/SolidSyslogPosixTlsStream.c — implements the
      SolidSyslogStream vtable using OpenSSL.
  • Example: Example/Common/ExampleTlsConfig.{h,c} + EXAMPLE_SWITCH_TLS in
    ExampleSwitchConfig + --transport tls + interactive switch tls.
  • BDD: new syslog-ng-tls container, self-signed test CA in Bdd/syslog-ng-tls/,
    new feature file.

API sketch

struct SolidSyslogPosixTlsStreamConfig
{
    const char* caBundlePath;   /* path to PEM-encoded CA bundle */
    /* TLS 1.2+ with OpenSSL secure defaults for the skeleton. Explicit
       validation, hostname/SAN, cipher hardening, mTLS and rotation arrive
       in later stories. */
};

struct SolidSyslogStream* SolidSyslogPosixTlsStream_Create(const struct SolidSyslogPosixTlsStreamConfig* config);
void                      SolidSyslogPosixTlsStream_Destroy(void);

enum
{
    SOLIDSYSLOG_TLS_DEFAULT_PORT = 6514  /* RFC 5425 */
};

Walking-skeleton scope

Minimum to prove the abstraction end-to-end:

  • CA verification against the test CA
  • Hostname check on connect (OpenSSL default; explicit SAN knobs in S03.08)
  • TLS 1.2 floor (OpenSSL default)
  • No client certs (mTLS in S03.09)
  • No custom cipher list (OpenSSL defaults; hardening in S03.08)
  • No cert rotation (S03.10)

BDD infrastructure

  • Bdd/syslog-ng-tls/syslog-ng.conf — syslog-ng with TLS source on 6514.
  • Bdd/syslog-ng-tls/ca.pem, server.pem, server.key — version-controlled
    self-signed test materials, clearly marked test-only.
  • New Compose service syslog-ng-tls alongside existing syslog-ng.
  • Feature Bdd/features/tls_transport.feature:
@tls @buffered
Feature: TLS message delivery
  Scenario: Message delivered over TLS
    Given syslog-ng-tls is running
    When the threaded example sends a syslog message with transport tls
    Then syslog-ng-tls receives a message with priority "134"

Unit-test approach — design discussion expected

SolidSyslogPosixTlsStream sits on top of OpenSSL. Unit testing without a real TLS
endpoint means either intercepting OpenSSL at the BIO layer (new fake) or at the
POSIX socket layer (extending SocketFake). Which approach delivers the right
coverage without fakes that duplicate half of OpenSSL is an open design question —
discuss at red-step time.

Dependencies

  • S03.06 (rename) merged.
  • OpenSSL dev headers + libssl in the POSIX container image — confirm before start;
    a container bump may be needed.

Acceptance

  • All presets green (debug, clang-debug, sanitize, tidy, cppcheck, format).
  • Coverage 100% on new SolidSyslogPosixTlsStream code.
  • tls_transport.feature scenario green; no regressions elsewhere.
  • Windows CI unchanged (TLS scenario tagged @tls, excluded on Windows same as
    @buffered).

Out of scope (in the epic, not this story)

  • SAN / CN validation + cipher hardening → S03.08
  • Mutual TLS → S03.09
  • Cert rotation → S03.10
  • docs/iec62443.md SL4 promotion → S03.11

Metadata

Metadata

Assignees

No one assigned

    Labels

    storyStory issue

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions