out_http: TLS1.3 support (#4859)

**Which issue(s) this PR fixes**: 
Fixes #4332 

**What this PR does / why we need it**: 
Changes the way we configure Net::HTTP client.

**Docs Changes**:
fluent/fluentd-docs-gitbook#579

**Release Note**: 
The same as the title.

---------

Signed-off-by: Athishpranav2003 <athishanna@gmail.com>

Author: Athishpranav2003

lib/fluent/plugin/out_http.rb

@@ -270,7 +270,7 @@ def setup_http_option
                               OpenSSL::SSL::VERIFY_PEER
                             end
         opt[:ciphers] = @tls_ciphers
-        opt[:ssl_version] = @tls_version
+        opt = Fluent::TLS.set_version_to_options(opt, @tls_version, nil, nil)
       end
 
       opt

lib/fluent/tls.rb

@@ -76,6 +76,30 @@ def set_version_to_context(ctx, version, min_version, max_version)
       ctx
     end
     module_function :set_version_to_context
+
+    def set_version_to_options(opt, version, min_version, max_version)
+      if MIN_MAX_AVAILABLE
+        case
+        when min_version.nil? && max_version.nil?
+          min_version = METHODS_MAP[version] || version
+          max_version = METHODS_MAP[version] || version
+        when min_version.nil? && max_version
+          raise Fluent::ConfigError, "When you set max_version, must set min_version together"
+        when min_version && max_version.nil?
+          raise Fluent::ConfigError, "When you set min_version, must set max_version together"
+        else
+          min_version = METHODS_MAP[min_version] || min_version
+          max_version = METHODS_MAP[max_version] || max_version
+        end
+        opt[:min_version] = min_version
+        opt[:max_version] = max_version
+      else
+        opt[:ssl_version] = METHODS_MAP[version] || version
+      end
+
+      opt
+    end
+    module_function :set_version_to_options
   end
 end
 

test/plugin/test_out_http.rb

@@ -501,6 +501,7 @@ def server_config
       # WEBrick supports self-generated self-signed certificate
       config[:SSLEnable] = true
       config[:SSLCertName] = [["CN", WEBrick::Utils::getservername]]
+      config[:SSLMaxVersion] = OpenSSL::SSL::TLS1_3_VERSION
       config
     end
 
@@ -512,6 +513,7 @@ def test_write_with_https
       d = create_driver(%[
         endpoint https://127.0.0.1:#{server_port}/test
         tls_verify_mode none
+        tls_version TLSv1_3
         ssl_timeout 2s
       ])
       d.run(default_tag: 'test.http') do

test/test_tls.rb

@@ -10,6 +10,10 @@ class UniqueIdTest < Test::Unit::TestCase
     'New TLS v1.2' => :'TLS1_2',
     'Old TLS v1.2' => :'TLSv1_2'
   }
+  TEST_TLS1_3_CASES = {
+    'New TLS v1.3' => :'TLS1_3',
+    'Old TLS v1.3' => :'TLSv1_3'
+  } if defined?(OpenSSL::SSL::TLS1_3_VERSION)
   TEST_TLS_CASES = TEST_TLS1_1_CASES.merge(TEST_TLS1_2_CASES)
 
   sub_test_case 'constants' do
@@ -62,4 +66,26 @@ class UniqueIdTest < Test::Unit::TestCase
       }
     end
   end
+
+  sub_test_case 'set_version_to_options' do
+    setup do
+      @opt = {}
+    end
+
+    test 'set min_version/max_version when supported' do
+      omit "min_version=/max_version= is not supported" unless Fluent::TLS::MIN_MAX_AVAILABLE
+
+      ver = Fluent::TLS::DEFAULT_VERSION
+      assert_raise(Fluent::ConfigError) {
+        Fluent::TLS.set_version_to_options(@opt, ver, ver, nil)
+      }
+      assert_raise(Fluent::ConfigError) {
+        Fluent::TLS.set_version_to_options(@opt, ver, nil, ver)
+      }
+
+      ver = :'TLSv1_3' if defined?(OpenSSL::SSL::TLS1_3_VERSION)
+      assert_equal Fluent::TLS.const_get(:METHODS_MAP)[ver], Fluent::TLS.set_version_to_options(@opt, ver, nil, nil)[:min_version]
+      assert_equal Fluent::TLS.const_get(:METHODS_MAP)[ver], Fluent::TLS.set_version_to_options(@opt, ver, nil, nil)[:max_version]
+    end
+  end
 end