out_http: TLS1.3 support

[Athishpranav2003]

Which issue(s) this PR fixes:
Fixes #4332

What this PR does / why we need it:
Changes the way we configure Net::HTTP client.

Docs Changes:
fluent/fluentd-docs-gitbook#579

Release Note:
The same as the title.

[github-actions]

This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this PR will be closed in 7 days

[daipom]

@Athishpranav2003 This PR is in draft status. Please let me know if there are any TODO.

[Athishpranav2003]

Hey @daipom

I guess the pr is left to be tested but I didn't get time to test. Maybe I can check it next week but if someone else can do it as well it will be really helpful. Setting up the openssl thing I didn't try it

[daipom]

OK! Thanks!

[github-actions]

This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this PR will be closed in 7 days

[Athishpranav2003]

Hey guys

i am back, was busy with college. Will look at this pr this week

[Athishpranav2003]

Testing output

2025-05-17 17:23:47 +0530 [info]: fluent/log.rb:362:: using configuration file: <ROOT>
  <source>
    @type sample
    @label @mainstream
    sample {"hello":"world","foo":"bar"}
    tag "sample"
  </source>
  <label @mainstream>
    <match **>
      @type http
      endpoint "https://0.0.0.0:8000"
      tls_verify_mode none
      tls_version TLSv1_3
      json_array true
      <format>
        @type "json"
      </format>
      <buffer>
        flush_interval 2s
      </buffer>
    </match>
  </label>
</ROOT>
2025-05-17 17:23:47 +0530 [info]: fluent/log.rb:362:: starting fluentd-1.18.0 pid=41729 ruby="3.4.2"
2025-05-17 17:23:47 +0530 [info]: fluent/log.rb:362:: spawn command to main:  cmdline=["/usr/bin/ruby", "-Eascii-8bit:ascii-8bit", "/usr/local/sbin/fluentd", "-c", "fluentd.conf", "-v", "--under-supervisor"]
2025-05-17 17:23:48 +0530 [info]: #0 fluent/log.rb:362:: fluentd worker is now running worker=0
2025-05-17 17:23:48 +0530 [debug]: #0 fluent/log.rb:341:: flush_thread actually running
2025-05-17 17:23:48 +0530 [debug]: #0 fluent/log.rb:341:: enqueue_thread actually running
2025-05-17 17:23:52 +0530 [debug]: #0 fluent/log.rb:341:: Post data to https://0.0.0.0:8000 with chunk(635538d474b42c0c20451f2461610d3e)

@daipom

[daipom]

Thanks! We will see this soon!

[Watson1978]

If you rebase your commits with master, It will pass tests on Ruby 3.2 / 3.3 Windows.

[Watson1978]

👍🏻

[daipom]

@Athishpranav2003 Thanks so much for this improvement!

The following would be necessary for us.

• Add some tests to https://github.com/fluent/fluentd/blob/master/test/test_tls.rb
• Update document: https://docs.fluentd.org/output/http#tls_version (https://github.com/fluent/fluentd-docs-gitbook)

@Athishpranav2003
Could you do these if you have time? Especially the addition of tests.
This PR can be merged with TODO to update the document.

[Athishpranav2003]

This PR can be merged with TODO to update the document.

Sure

will do it around this weekend or next week

[Athishpranav2003]

@daipom will default tls version stay as tls1.2?

[daipom]

@Athishpranav2003

will do it around this weekend or next week

Thanks!!

will default tls version stay as tls1.2?

Yes!
It should be Fluentd::TLS::DEFAULT_VERSION:

fluentd/lib/fluent/tls.rb

Line 22 in eeb384e

DEFAULT_VERSION = :'TLSv1_2'

If we change this, it should be done in a separate PR.
Let's keep the default value as is for now.

[Athishpranav2003]

and @daipom what kinda tests to add to test_tls.rb?

[daipom]

and @daipom what kinda tests to add to test_tls.rb?

We want some tests for Fluent::TLS.set_version_to_options there.
Every feature of Fluent::TLS should be tested in some way here.

We already have tests for Fluent::TLS.set_version_to_context here.
Looks like they are very simple tests.
They don't look like enough, but it would be fine to check something like these existing tests.