[EXPORTER] Add OTLP HTTP SSL support

[marcalff]

Fixes #389 Enable http(s) ssl verification for curl based http_client implementation
Fixes #1402 [Trace SDK] OTLP Trace Exporter secure connection configuration options
Fixes #1756 TLS settings for OtlpHttpExporter

Changes in Exporters environment variables

Added all the helpers required to parse experimental TLS environment variables:

• GetOtlpDefaultTracesSslTlsMinVersion();
• GetOtlpDefaultMetricsSslTlsMinVersion();
• GetOtlpDefaultLogsSslTlsMinVersion();
• GetOtlpDefaultTracesSslTlsMaxVersion();
• GetOtlpDefaultMetricsSslTlsMaxVersion();
• GetOtlpDefaultLogsSslTlsMaxVersion();

// For TLS 1.0, 1.1, 1.2

• GetOtlpDefaultTracesSslTlsCipher();
• GetOtlpDefaultMetricsSslTlsCipher();
• GetOtlpDefaultLogsSslTlsCipher();

// For TLS 1.3

• GetOtlpDefaultTracesSslTlsCipherSuite();
• GetOtlpDefaultMetricsSslTlsCipherSuite();
• GetOtlpDefaultLogsSslTlsCipherSuite();

Changes in Exporters options

• In OtlpHttpExporterOptions, added the following members:

  • ssl_insecure_skip_verify
  • ssl_ca_cert_path
  • ssl_ca_cert_string
  • ssl_client_key_path
  • ssl_client_key_string
  • ssl_client_cert_path
  • ssl_client_cert_string

• Added a feature flag ENABLE_OTLP_HTTP_SSL, because this is an SDK ABI change.

  • There is an existing spec for SSL and mTLS, only the implementation is missing

• In OtlpHttpExporterOptions, added the following members:

  • ssl_min_tls
  • ssl_max_tls
  • ssl_cipher
  • ssl_cipher_suite

• Added a sub feature flag ENABLE_OTLP_HTTP_SSL_TLS, because this is an SDK ABI change.

  • There are no spec for TLS version environment variables, and there will be no spec, because there is a global freeze on new configuration variables.
  • Using per language (OTEL_CPP_) environment variables.

• Likewise for metrics in OtlpHttpMetricExporterOptions

• Likewise for logs in OtlpHttpLogRecordExporterOptions

Changes in Http client

• Fixed every call to CURL, to check for errors
• Improved error reporting for CURL, to include detailed error messages
• Implemented added CURL calls to support SSL and TLS

Functional tests

• Implemented a test client to cover various connections configurations
• Tested against no server
• Tested against an opentelemetry-collector in http mode (without SSL)
• Tested against an opentelemetry-collector in https mode (with SSL)
• Integrated tests in CI

Changes in documentation

• Added step by step instructions to generate certificate and keys, to use when testing with OLTP HTTP SSL.

For significant contributions please make sure you have completed the following items:

• CHANGELOG.md updated for non-trivial changes
• Unit tests have been added
• Documentation added
• Functional tests have been added
• Changes in public API reviewed

[codecov]

Codecov Report

Merging #1793 (8a47cf8) into main (9bcfcb9) will not change coverage.
The diff coverage is n/a.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1793   +/-   ##
=======================================
  Coverage   87.19%   87.19%           
=======================================
  Files         166      166           
  Lines        4784     4784           
=======================================
  Hits         4171     4171           
  Misses        613      613           

[owent]

There are several compatibility problems when using options of libcurl.
CURLOPT_ISSUERCERT_BLOB is available from 7.71.0
CURLOPT_SSLKEY_BLOB is available from 7.71.0
CURLOPT_SSLCERT_BLOB is available from 7.71.0

And also, there are some SSL options for ALPN, Custom CA, password for certification files, TLS cipher/TLS 1.3 cipher and certification files just for proxy. Some of them also just work on a high version.

Can we adapt these options by LIBCURL_VERSION_NUM? So that we can still use HTTP Client on a old system with the curl in package manager?(For example: Cent OS 7/curl 7.29.0)

[lalitb]

Just a thought, for CURL version 7.70.0 or lesser, if CA certificate for validation is provided as string, we should enforce the SSL handshake to fails, probably by overriding the default system path to read the certificates from:

(pseducode)

#if LIBCURL_VERSION_NUM >=0x071f00  and ! defined OTEL_HTTPS_INSECURE_ENABLE
if (input_ssl_ca_cert_string.size()) {
       curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
       curl_easy_setopt(curl, CURLOPT_CAINFO, "<inaccessible_file>");
       curl_easy_setopy(curl, CURLOPT_CANPATH, "<inaccessible_path>");
}
#endif 

[marcalff]

Can we adapt these options by LIBCURL_VERSION_NUM? So that we can still use HTTP Client on a old system with the curl in package manager?(For example: Cent OS 7/curl 7.29.0)

Thanks @owent

Implemented LIBCURL_VERSION_NUM checks.

[owent]

LGTM and thanks.

[sirzooro]

LGTM too.

[lalitb]

Changes are done well. Have few comments, but nothing blocker. Thanks for the PR :)

[marcalff]

All comments to date are addressed.

Given the size of the patch, waiting for @ThomsonTan and/or @esigo to comment, and will only merge after an ok-to-merge flag.

[esigo]

LGTM
Thanks for the great work :)

[marcalff]

Thanks. Planning to merge after the SIG meeting