From 1a78bbef90c571be080bdd15bddf816ccdc997a7 Mon Sep 17 00:00:00 2001
From: Athishpranav2003
Date: Sun, 9 Mar 2025 03:36:23 +0530
Subject: [PATCH 1/3] changed https opts in out-http

Signed-off-by: Athishpranav2003
---
 lib/fluent/plugin/out_http.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/fluent/plugin/out_http.rb b/lib/fluent/plugin/out_http.rb
index 1ca3910456..2cac321cc5 100644
--- a/lib/fluent/plugin/out_http.rb
+++ b/lib/fluent/plugin/out_http.rb
@@ -270,7 +270,8 @@ def setup_http_option
 OpenSSL::SSL::VERIFY_PEER
 end
 opt[:ciphers] = @tls_ciphers
- opt[:ssl_version] = @tls_version
+ opt[:min_version] = Fluent::TLS::DEFAULT_VERSION
+ opt[:max_version] = @tls_version
 end
 opt
From f83ff3a5fc78b50fb6599e22108cfacd40e14953 Mon Sep 17 00:00:00 2001
From: Athishpranav2003
Date: Sun, 9 Mar 2025 14:58:53 +0530
Subject: [PATCH 2/3] fixed webrick

Signed-off-by: Athishpranav2003
---
 lib/fluent/plugin/out_http.rb | 3 +--
 lib/fluent/tls.rb | 24 ++++++++++++++++++++++++
 test/plugin/test_out_http.rb | 2 ++
 3 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/lib/fluent/plugin/out_http.rb b/lib/fluent/plugin/out_http.rb
index 2cac321cc5..78e1d4d920 100644
--- a/lib/fluent/plugin/out_http.rb
+++ b/lib/fluent/plugin/out_http.rb
@@ -270,8 +270,7 @@ def setup_http_option
 OpenSSL::SSL::VERIFY_PEER
 end
 opt[:ciphers] = @tls_ciphers
- opt[:min_version] = Fluent::TLS::DEFAULT_VERSION
- opt[:max_version] = @tls_version
+ opt = Fluent::TLS.set_version_to_options(opt, @tls_version, nil, nil)
 end
 opt
diff --git a/lib/fluent/tls.rb b/lib/fluent/tls.rb
index f69344fa2d..edafdec46b 100644
--- a/lib/fluent/tls.rb
+++ b/lib/fluent/tls.rb
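Review bot: The call in `setup_http_option` (PATCH 2/3, lib/fluent/plugin/out_http.rb) always passes `nil, nil` for the bounds, so `set_version_to_options` sets `min_version` and `max_version` to the same value and the client is pinned to exactly `@tls_version`; nothing on the line says so. A comment such as `# min and max are both pinned to @tls_version; no version range is negotiated` would keep a later reader from assuming this is only a floor. The reassignment is also redundant, because the helper writes into the hash it is given and returns it: `Fluent::TLS.set_version_to_options(opt, @tls_version, nil, nil)` is enough. `setup_http_option` begins and ends outside the hunk.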
@@ -76,6 +76,30 @@ def set_version_to_context(ctx, version, min_version, max_version)
 ctx
 end
 module_function :set_version_to_context
+
+ def set_version_to_options(opt, version, min_version, max_version)
+ if MIN_MAX_AVAILABLE
+ case
+ when min_version.nil? && max_version.nil?
+ min_version = METHODS_MAP[version] || version
+ max_version = METHODS_MAP[version] || version
+ when min_version.nil? && max_version
+ raise Fluent::ConfigError, "When you set max_version, must set min_version together"
+ when min_version && max_version.nil?
+ raise Fluent::ConfigError, "When you set min_version, must set max_version together"
+ else
+ min_version = METHODS_MAP[min_version] || min_version
+ max_version = METHODS_MAP[max_version] || max_version
+ end
+ opt[:min_version] = min_version
+ opt[:max_version] = max_version
+ else
+ opt[:ssl_version] = METHODS_MAP[version] || version
+ end
+
+ opt
+ end
+ module_function :set_version_to_options
 end
 end
diff --git a/test/plugin/test_out_http.rb b/test/plugin/test_out_http.rb
index 94db17d3aa..b63b7b1324 100644
--- a/test/plugin/test_out_http.rb
+++ b/test/plugin/test_out_http.rb
@@ -501,6 +501,7 @@ def server_config
 # WEBrick supports self-generated self-signed certificate
 config[:SSLEnable] = true
 config[:SSLCertName] = [["CN", WEBrick::Utils::getservername]]
+ config[:SSLMaxVersion] = OpenSSL::SSL::TLS1_3_VERSION
 config
 end
@@ -512,6 +513,7 @@ def test_write_with_https
 d = create_driver(%[
 endpoint https://127.0.0.1:#{server_port}/test
 tls_verify_mode none
+ tls_version TLSv1_3
 ssl_timeout 2s
 ])
 d.run(default_tag: 'test.http') do
From 5d5f0f329d1820949591b6ca8b209795ddcaf62a Mon Sep 17 00:00:00 2001
From: Athishpranav2003
Date: Wed, 28 May 2025 11:16:38 +0530
Subject: [PATCH 3/3] New testcases for function set_version_to_options - TLS

Signed-off-by: Athishpranav2003
---
 test/test_tls.rb | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
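Review bot: `set_version_to_options` in lib/fluent/tls.rb is added without a comment, and two of its behaviours deserve one. With both bounds nil it writes the same resolved value to `opt[:min_version]` and `opt[:max_version]`, and on the outer `else` branch (no min/max support) any bounds the caller passed are dropped silently and only `version` is used; I would add `# With no explicit bounds, min and max are both pinned to version.` above the first `when` and consider raising `Fluent::ConfigError` on that `else` branch when bounds were given. `METHODS_MAP[x] || x` forwards an unrecognised value unchanged, so a mistyped version is presumably reported only later by the TLS library rather than as a configuration error. The bounds check appears to mirror `set_version_to_context`, whose body is outside the hunk; if it does, a shared helper would stop the two copies drifting.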
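Review bot: `config[:SSLMaxVersion] = OpenSSL::SSL::TLS1_3_VERSION` in `server_config` (test/plugin/test_out_http.rb) references the constant unconditionally, while test/test_tls.rb in PATCH 3/3 guards the same constant with `defined?(OpenSSL::SSL::TLS1_3_VERSION)`; on an OpenSSL build without TLS 1.3 this line would raise NameError. The second hunk also switches `test_write_with_https` to `tls_version TLSv1_3`, so the HTTPS path with the default `tls_version` no longer appears to be exercised. Guarding the assignment, `config[:SSLMaxVersion] = OpenSSL::SSL::TLS1_3_VERSION if defined?(OpenSSL::SSL::TLS1_3_VERSION)`, and keeping a separate case for the default version would cover both. Both methods continue outside their hunks.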
diff --git a/test/test_tls.rb b/test/test_tls.rb
index b51e9290f8..b151b2ce26 100644
--- a/test/test_tls.rb
+++ b/test/test_tls.rb
@@ -10,6 +10,10 @@ class UniqueIdTest < Test::Unit::TestCase
 'New TLS v1.2' => :'TLS1_2',
 'Old TLS v1.2' => :'TLSv1_2'
 }
+ TEST_TLS1_3_CASES = {
+ 'New TLS v1.3' => :'TLS1_3',
+ 'Old TLS v1.3' => :'TLSv1_3'
+ } if defined?(OpenSSL::SSL::TLS1_3_VERSION)
 TEST_TLS_CASES = TEST_TLS1_1_CASES.merge(TEST_TLS1_2_CASES)
 sub_test_case 'constants' do
@@ -62,4 +66,26 @@ class UniqueIdTest < Test::Unit::TestCase
 }
 end
 end
+
+ sub_test_case 'set_version_to_options' do
+ setup do
+ @opt = {}
+ end
+
+ test 'set min_version/max_version when supported' do
+ omit "min_version=/max_version= is not supported" unless Fluent::TLS::MIN_MAX_AVAILABLE
+
+ ver = Fluent::TLS::DEFAULT_VERSION
+ assert_raise(Fluent::ConfigError) {
+ Fluent::TLS.set_version_to_options(@opt, ver, ver, nil)
+ }
+ assert_raise(Fluent::ConfigError) {
+ Fluent::TLS.set_version_to_options(@opt, ver, nil, ver)
+ }
+
+ ver = :'TLSv1_3' if defined?(OpenSSL::SSL::TLS1_3_VERSION)
+ assert_equal Fluent::TLS.const_get(:METHODS_MAP)[ver], Fluent::TLS.set_version_to_options(@opt, ver, nil, nil)[:min_version]
+ assert_equal Fluent::TLS.const_get(:METHODS_MAP)[ver], Fluent::TLS.set_version_to_options(@opt, ver, nil, nil)[:max_version]
+ end
+ end
 end
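Review bot: The new `set_version_to_options` test in test/test_tls.rb covers only the two error cases and the nil/nil case; the branch where both `min_version` and `max_version` are given, and the `else` branch that sets `opt[:ssl_version]`, have no assertion, and the whole test is omitted when `MIN_MAX_AVAILABLE` is false. `TEST_TLS1_3_CASES` from the first hunk is not referenced by anything visible in this patch and is not folded into `TEST_TLS_CASES`, so it looks unused. The two `assert_equal` lines each call the function again on the shared `@opt`; calling it once, `opt = Fluent::TLS.set_version_to_options({}, ver, nil, nil)`, and asserting on `opt[:min_version]` and `opt[:max_version]` would read more clearly.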