You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
TLS transport for syslog per RFC 5425, exercising the library's Stream abstraction to
prove that user-provided TLS integrations satisfy the protocol without core changes.
TLS is not a new sender — it is a new Stream. SolidSyslogStreamSender
(formerly SolidSyslogTcpSender) already performs RFC 6587 octet-counting framing,
which is identical to the framing required by RFC 5425. Swapping plain TCP for TLS
is a Stream-level concern; the sender doesn't care.
Architecture boundary
Core (Interface/, Source/) — untouched by TLS. StreamSender frames and
sends bytes; Stream vtable abstracts the byte pipe.
Platform (Platform/Posix/) — SolidSyslogPosixTlsStream, an OpenSSL-backed
concrete Stream. Owns all TLS concerns: SSL_CTX setup, CA loading, hostname
verification, cipher suite selection, mTLS, cert rotation. Its config struct is
OpenSSL-flavoured and explicit, not a core abstraction.
Example (Example/) — ExampleTlsConfig mirrors ExampleTcpConfig
(endpoint + cert paths). Threaded example gains EXAMPLE_SWITCH_TLS and --transport tls.
Scope
One reference integration: OpenSSL on POSIX, driven by IEC 62443 SL4 requirements.
Demonstrates the library abstraction. Alternate library integrations (mbedTLS,
BearSSL, wolfSSL) are deliberately out of scope — a future epic once core is proven.
Stories
Story
Title
Status
S03.01
Walking skeleton — TLS sender transmits a buffer over TLS
Retired — superseded by S03.07 (new architecture: TLS as a Stream, not a Sender)
S03.02
Certificate and key configuration — injected via config
Retired — folded into S03.08 / S03.09
S03.03
Octet-counting framing — RFC 5425 message framing
Retired — already shipped via StreamSender (RFC 6587 framing is identical)
Certificate rotation via version-fingerprint callback
Retired — rotation covered by Open-rebuilds-CTX. Replacing cert/key files on disk is picked up on next reconnect, satisfying IEC 62443-4-2 CR 1.5 (authenticator refresh) and CR 1.8 (PKI update). Revisit only if a deployment surfaces a need for forced mid-connection rotation.
E03: TLS Transport
TLS transport for syslog per RFC 5425, exercising the library's Stream abstraction to
prove that user-provided TLS integrations satisfy the protocol without core changes.
RFC: https://datatracker.ietf.org/doc/html/rfc5425
Approach
TLS is not a new sender — it is a new Stream.
SolidSyslogStreamSender(formerly
SolidSyslogTcpSender) already performs RFC 6587 octet-counting framing,which is identical to the framing required by RFC 5425. Swapping plain TCP for TLS
is a Stream-level concern; the sender doesn't care.
Architecture boundary
Interface/,Source/) — untouched by TLS.StreamSenderframes andsends bytes;
Streamvtable abstracts the byte pipe.Platform/Posix/) —SolidSyslogPosixTlsStream, an OpenSSL-backedconcrete Stream. Owns all TLS concerns: SSL_CTX setup, CA loading, hostname
verification, cipher suite selection, mTLS, cert rotation. Its config struct is
OpenSSL-flavoured and explicit, not a core abstraction.
Example/) —ExampleTlsConfigmirrorsExampleTcpConfig(endpoint + cert paths). Threaded example gains
EXAMPLE_SWITCH_TLSand--transport tls.Scope
One reference integration: OpenSSL on POSIX, driven by IEC 62443 SL4 requirements.
Demonstrates the library abstraction. Alternate library integrations (mbedTLS,
BearSSL, wolfSSL) are deliberately out of scope — a future epic once core is proven.
Stories
StreamSender(RFC 6587 framing is identical)SolidSyslogTcpSender→SolidSyslogStreamSenderSolidSyslogPosixTlsStream(OpenSSL) + TLS BDDdocs/iec62443.mdfrom Planned to AvailableOut of scope (may trigger follow-on epics)