Skip to content

E03: TLS Transport #5

Description

@DavidCozens

E03: TLS Transport

TLS transport for syslog per RFC 5425, exercising the library's Stream abstraction to
prove that user-provided TLS integrations satisfy the protocol without core changes.

RFC: https://datatracker.ietf.org/doc/html/rfc5425

Approach

TLS is not a new sender — it is a new Stream. SolidSyslogStreamSender
(formerly SolidSyslogTcpSender) already performs RFC 6587 octet-counting framing,
which is identical to the framing required by RFC 5425. Swapping plain TCP for TLS
is a Stream-level concern; the sender doesn't care.

Architecture boundary

  • Core (Interface/, Source/) — untouched by TLS. StreamSender frames and
    sends bytes; Stream vtable abstracts the byte pipe.
  • Platform (Platform/Posix/) — SolidSyslogPosixTlsStream, an OpenSSL-backed
    concrete Stream. Owns all TLS concerns: SSL_CTX setup, CA loading, hostname
    verification, cipher suite selection, mTLS, cert rotation. Its config struct is
    OpenSSL-flavoured and explicit, not a core abstraction.
  • Example (Example/) — ExampleTlsConfig mirrors ExampleTcpConfig
    (endpoint + cert paths). Threaded example gains EXAMPLE_SWITCH_TLS and
    --transport tls.

Scope

One reference integration: OpenSSL on POSIX, driven by IEC 62443 SL4 requirements.
Demonstrates the library abstraction. Alternate library integrations (mbedTLS,
BearSSL, wolfSSL) are deliberately out of scope — a future epic once core is proven.

Stories

Story Title Status
S03.01 Walking skeleton — TLS sender transmits a buffer over TLS Retired — superseded by S03.07 (new architecture: TLS as a Stream, not a Sender)
S03.02 Certificate and key configuration — injected via config Retired — folded into S03.08 / S03.09
S03.03 Octet-counting framing — RFC 5425 message framing Retired — already shipped via StreamSender (RFC 6587 framing is identical)
S03.04 (#33) UdpSender lazy initialisation and reconnection Done — #161 (applies to UDP and StreamSender)
S03.05 (#34) Address resolution strategy — ADR for getaddrinfo vs inet_pton Done — #137 (resolver extracted and made stateless)
S03.06 (#164) Refactor: rename SolidSyslogTcpSenderSolidSyslogStreamSender Done — #166
S03.07 (#165) Walking skeleton — SolidSyslogPosixTlsStream (OpenSSL) + TLS BDD Done — #170
S03.08 (#172) Certificate validation + cipher hardening (SL4: SR 3.1 / CR 3.9) Done — #183
S03.09 (#173) Mutual TLS — client cert + key (SL4: CR 2.12 non-repudiation) Done — #184
S03.10 (#174) Certificate rotation via version-fingerprint callback Retired — rotation covered by Open-rebuilds-CTX. Replacing cert/key files on disk is picked up on next reconnect, satisfying IEC 62443-4-2 CR 1.5 (authenticator refresh) and CR 1.8 (PKI update). Revisit only if a deployment surfaces a need for forced mid-connection rotation.
S03.11 (#175) Promote TLS in docs/iec62443.md from Planned to Available Done — #186
S03.12 (#169) Multi-instance StreamSender and Streams — support simultaneous reliable transports Todo
S03.13 (#171) Example TLS backend composition — CMake-selected per-backend factories Todo
S03.14 (#182) BDD exercises TLS 1.3 — syslog-ng configured to require it Todo

Out of scope (may trigger follow-on epics)

  • Additional TLS library integrations — future epic once abstraction is proven.
  • CRL / OCSP revocation — deferred with ADR in S03.08; OpenSSL defaults apply.
  • TLS handshake-failure audit callback — folds into E12 (E12: Error Handling #31) error-handling.
  • TLS 1.3 session resumption / 0-RTT.
  • PSK mode.
  • Cryptographic integrity / encryption of stored records — E17 (E17: Cryptographic integrity and confidentiality at rest #105).

Metadata

Metadata

Assignees

No one assigned

    Labels

    epicEpic issue

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions