feat: Implement minimum TLS version for clients

[srebhan]

• Updated associated README.md.
• Wrote appropriate unit tests.
• Pull request title or commits are in conventional commit format

resolves #8699
resolves #8171
resolves #8124 (at least partially)

replaces #8959

All credits for this PR go to @jdstrand! This PR allows to set a minimum TLS version required by the client for all plugins that use common/tls to configure their TLS setup. This includes, but is probably not limited to, inputs.http, inputs.gnmi and inputs.jti_openconfig_telemetry. This allows to change Golang's default of TLS 1.2 in both directions, i.e. downgrade (which implies some security risk) as well as setting it to TLS 1.3.
Unit-tests are added by the PR to check if lower server versions are rejected successfully.

[srebhan]

Made v1.2 the new explicit default for server and client connections. Users that require lower version can revert the used version on a per-plugin basis using tls_min_version. Please check the Breaking changes documentation in the Changelog. This should apply for the release containing this change (i.e. v1.24.0 IIRC)...

[powersj]

Thanks for driving this.

My only concern is around a user knowing what to put in for the tls_min_version value. My naive assumption reading the changelog was they would put "1.0" or "1.2" Not the "TLS12" I later saw in the READMEs and sample configs.

Is this something to address? Either via better comment or using the other mechanism?

[srebhan]

Good point. I just reused the values available for tlsVersionMap keys that already exist. Should I enumerate all available values or do you have another idea on how to describe this better?

[srebhan]

Another option would be to add v1.0 etc to the keys linked above or print them on error...

[powersj]

I like the printing of the available options on error. It makes it very clear what versions we recognize.

Thanks!

[powersj]

+1 - thank you, before merging we do want a +1 from security

[srebhan]

Thanks @powersj. I agree, will wait for @jdstrand to do his magic once he has some time... ;-)

[jdstrand]

This looks great! I particularly like the tests that do a real connection based on telegraf's ClientConfig and ServerConfig structs (it made me wonder if we could start up an http_listener as the server and then use some other input plugin as the client, but that isn't a blocker for this PR).

In addition to the PR review, I manually tested tls_min_version with both inputs.http (client) and inputs.http_listener_v2 (server) and it worked as expected.

[telegraf-tiger]

Download PR build artifacts for linux_amd64.tar.gz, darwin_amd64.tar.gz, and windows_amd64.zip.
Downloads for additional architectures and packages are available below.

☺️ This pull request doesn't significantly change the Telegraf binary size (less than 1%)

📦 Click here to get additional PR build artifacts

Artifact URLs

DEB	RPM	TAR GZ	ZIP
amd64.deb	aarch64.rpm	darwin_amd64.tar.gz	windows_amd64.zip
arm64.deb	armel.rpm	darwin_arm64.tar.gz	windows_i386.zip
armel.deb	armv6hl.rpm	freebsd_amd64.tar.gz
armhf.deb	i386.rpm	freebsd_armv7.tar.gz
i386.deb	ppc64le.rpm	freebsd_i386.tar.gz
mips.deb	riscv64.rpm	linux_amd64.tar.gz
mipsel.deb	s390x.rpm	linux_arm64.tar.gz
ppc64el.deb	x86_64.rpm	linux_armel.tar.gz
riscv64.deb		linux_armhf.tar.gz
s390x.deb		linux_i386.tar.gz
		linux_mips.tar.gz
		linux_mipsel.tar.gz
		linux_ppc64le.tar.gz
		linux_riscv64.tar.gz
		linux_s390x.tar.gz
		static_linux_amd64.tar.gz

[srebhan]

@powersj and @jdstrand, may I ask for another approval?

[jdstrand]

Thanks for the updates! (though the linter still seems unhappy)

[srebhan]

@jdstrand that's because I manually put the "breaking change" documentation to the Changelog. Not sure how to do it with a happy linter. :-)

[mohsin106]

Hi,
I'm using the Telegraf version 1.23.4-alpine Docker image and still experiencing an issue connecting when setting the tls_max_version parameter.
Error:
2022-08-26T15:15:54Z E! [telegraf] Error running agent: Error loading config file /etc/telegraf/telegraf.conf: plugin inputs.jti_openconfig_telemetry: line 14: configuration specified the fields ["tls_max_version"], but they weren't used

This is my input JTI stanza:

[[inputs.jti_openconfig_telemetry]]
  servers = ["router1.mgt.net:50051"]
  sensors = ["interfaces /interfaces/interface","lldp /lldp","optics /junos/system/linecard/optics/"] 
  sample_frequency = "60000ms"
  username = "$user"
  password = "$password"
  client_id = "$containerName"
  enable_tls = true
  tls_ca = "/etc/telegraf/router_ca.pem"
  insecure_skip_verify = false
  tls_max_version = "TLS12"

Also, tried putting the tls_max_version under the agent settings:

[agent]
  round_interval = true
  metric_batch_size = 1000
  metric_buffer_limit = 15000
  flush_interval = "10s"
  debug = false
  quiet = false
  tls_max_version = "TLS12"
  hostname = "lab-ptx-deployment"
  omit_hostname = false

But get same error:

2022-08-26T15:25:14Z E! [telegraf] Error running agent: Error loading config file /etc/telegraf/telegraf.conf: line 1: configuration specified the fields ["tls_max_version"], but they weren't used

telegraf-alpine:1.13.3 continues to work, anything newer gives the above errors.

[srebhan]

@mohsin106 this PR adds a TLS minimum version, but you are trying to configure a maximum version. Please open a new issue when you need this additional feature!