Only the first cipher you listed is rejected.

The code in exporter_toolkit just iterates over tls.CipherSuites():
https://github.com/prometheus/exporter-toolkit/blob/v0.11.0/web/tls_config.go#L401-L407

which you can replicate like this:
https://go.dev/play/p/yFl-V5MrGHh

It turns out that TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA exists, but 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 does not.

The one you want is instead listed in InsecureCipherSuites:
https://go.dev/play/p/ey1z_wG4Ezw

Why is the cipher with SHA(1) secure, but SHA256 insecure??! I have no 
idea. Maybe worth asking on golang-nuts.

On Tuesday 9 January 2024 at 10:04:21 UTC Alexander Wilke wrote:

> Hello,
> I am running prometheus 2.48.1 and I have trouble finding the correct 
> syntax for the "cipher_suites" in web.config.yml file:
>
>
> https://cs.opensource.google/go/go/+/refs/tags/go1.21.5:src/crypto/tls/cipher_suites.go;l=656
> https://pkg.go.dev/crypto/tls#CipherSuitesi
>
> web-config.yml
>
>   cipher_suites:
>     - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>     - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>     - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>     - TLS_AES_128_GCM_SHA256
>     - TLS_AES_256_GCM_SHA384
>
> /opt/prometheus# ./promtool check web-config web-config.yml
> web-config.yml FAILED: unknown cipher: 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>
> If I remove the cipher_suites block the configuration file works.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Prometheus Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/prometheus-users/ed092228-9a55-4d9b-b7e1-70e7026c46f9n%40googlegroups.com.
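The lookup the reply describes (accept a name only if it appears in tls.CipherSuites(), which is why the CBC_SHA256 suite listed under tls.InsecureCipherSuites() is reported as unknown) can be reproduced locally with the following program. This is an added example, not code from exporter-toolkit or from anyone in this thread; the function names cipherStatus and firstRejected and the configured list are my own, the list being a copy of the cipher_suites block quoted above. For context on the SHA(1)/SHA256 question: the Go source marks the CBC_SHA256 suites as disabled because their CBC-mode MAC implementation is not constant-time, so Go treats them as insecure while the older CBC_SHA suites remain in the accepted list.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// cipherStatus reports where Go's crypto/tls lists a cipher suite name:
// "secure" if it is in tls.CipherSuites(), "insecure" if it is only in
// tls.InsecureCipherSuites(), and "unknown" if Go has no suite by that name.
func cipherStatus(name string) string {
	for _, cs := range tls.CipherSuites() {
		if cs.Name == name {
			return "secure"
		}
	}
	for _, cs := range tls.InsecureCipherSuites() {
		if cs.Name == name {
			return "insecure"
		}
	}
	return "unknown"
}

// firstRejected mirrors the validation behaviour discussed in the thread:
// only names found in tls.CipherSuites() are accepted, and the first name
// that fails that lookup is returned (empty string if all are accepted).
func firstRejected(names []string) string {
	for _, n := range names {
		if cipherStatus(n) != "secure" {
			return n
		}
	}
	return ""
}

// configured is a copy of the cipher_suites block from the quoted
// web-config.yml (constructed here as a Go slice for the demo).
var configured = []string{
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_AES_128_GCM_SHA256",
	"TLS_AES_256_GCM_SHA384",
}

func main() {
	for _, n := range configured {
		fmt.Printf("%-42s %s\n", n, cipherStatus(n))
	}
	if r := firstRejected(configured); r != "" {
		fmt.Printf("web-config.yml would FAIL: unknown cipher: %s\n", r)
	} else {
		fmt.Println("all configured cipher suites accepted")
	}
	// The replier's point: the SHA(1) variant is accepted, SHA256 is not.
	fmt.Println("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:", cipherStatus("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"))
}
```

Running it prints one status line per configured suite; only the CBC_SHA256 entry comes back as "insecure", so firstRejected returns that name, matching the promtool failure quoted above. Dropping that single line from the list (or replacing it with the accepted CBC_SHA suite, if a CBC suite is really needed) makes the block validate.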
