https://pkg.go.dev/crypto/tls#Config

// CipherSuites is a list of enabled TLS 1.0–1.2 cipher suites. The order of
// the list is ignored. Note that TLS 1.3 ciphersuites are not configurable.
//
// *If CipherSuites is nil, a safe default list is used.* The default cipher
// suites might change over time.

On Tuesday 9 January 2024 at 23:01:08 UTC Alexander Wilke wrote:

> Hello Brian,
> thank you for the investigation.
>
> I tried several ciphers some days ago. Every time I cut more and more 
> ciphers from the configuration, but it did not work - probably because 
> they were ciphers which are insecure. However, for the first try I wanted to 
> allow all and check if all exporters work and then narrow it down.
>
> As I can see you already opened a post here:
> https://groups.google.com/g/golang-nuts/c/niIG6PaTXZg
>
> I will proceed with these ciphers which should be secure:
>   cipher_suites:
>    - TLS_RSA_WITH_RC4_128_SHA                      uint16 = 0x0005
>    - TLS_RSA_WITH_3DES_EDE_CBC_SHA                 uint16 = 0x000a
>    - TLS_RSA_WITH_AES_128_CBC_SHA                  uint16 = 0x002f
>    - TLS_RSA_WITH_AES_256_CBC_SHA                  uint16 = 0x0035
>
> However - if the default library allows insecure ciphers then any default 
> configuration lower than TLS 1.3 is "insecure" and this should be fixed
>
> Thanks again! I appreciate it!
>
> Brian Candler wrote on Tuesday, 9 January 2024 at 22:57:52 UTC+1:
>
>> Only the first cipher you listed is rejected.
>>
>> The code in exporter_toolkit just iterates over tls.CipherSuites():
>>
>> https://github.com/prometheus/exporter-toolkit/blob/v0.11.0/web/tls_config.go#L401-L407
>>
>> which you can replicate like this:
>> https://go.dev/play/p/yFl-V5MrGHh
>>
>> It turns out that TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA exists, but 
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 does not.
>>
>> The one you want is instead listed in InsecureCipherSuites:
>> https://go.dev/play/p/ey1z_wG4Ezw
>>
>> Why is the cipher with SHA(1) secure, but SHA256 insecure??! I have no 
>> idea. Maybe worth asking on golang-nuts.
>>
>> On Tuesday 9 January 2024 at 10:04:21 UTC Alexander Wilke wrote:
>>
>>> Hello,
>>> I am running prometheus 2.48.1 and I have problems finding the correct 
>>> syntax for the "cipher_suites" in the web.config.yml file:
>>>
>>>
>>> https://cs.opensource.google/go/go/+/refs/tags/go1.21.5:src/crypto/tls/cipher_suites.go;l=656
>>> https://pkg.go.dev/crypto/tls#CipherSuitesi
>>>
>>> web-config.yml
>>>
>>>   cipher_suites:
>>>     - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>>     - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>     - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>>>     - TLS_AES_128_GCM_SHA256
>>>     - TLS_AES_256_GCM_SHA384
>>>
>>> /opt/prometheus# ./promtool check web-config web-config.yml
>>> web-config.yml FAILED: unknown cipher: 
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>>
>>> If I remove the cipher_suites block the configuration file works.
>>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Prometheus Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/prometheus-users/d101927d-a6b3-4b2f-b48c-9656939ca6c3n%40googlegroups.com.
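To make the two points in this thread concrete, here is a small Go program added for this page. It is not code from the thread, from Prometheus or from exporter-toolkit; the function names suiteStatus, selfSignedECDSA and negotiatedSuite, the throwaway certificate and the listener on 127.0.0.1:0 are all constructed for the demo. suiteStatus repeats the lookup exporter-toolkit is described as doing above (iterate tls.CipherSuites() and accept only a matching name) and additionally reports when a name is instead in tls.InsecureCipherSuites(), which is exactly why promtool prints "unknown cipher" for TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256. negotiatedSuite then pins a single TLS 1.2 suite on both ends of a loopback handshake and shows the second sentence of the Go doc in action: with MaxVersion TLS 1.2 the pinned suite is negotiated, with TLS 1.3 one of the three fixed TLS 1.3 suites is used and Config.CipherSuites is ignored. Which TLS 1.3 suite Go picks depends on whether the CPU has AES hardware support, so the program does not assume a particular one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// suiteStatus reproduces exporter-toolkit's lookup (only names in tls.CipherSuites()
// are accepted) and tells "insecure" (in tls.InsecureCipherSuites()) from "unknown".
func suiteStatus(name string) (string, uint16) {
	for _, cs := range tls.CipherSuites() {
		if cs.Name == name {
			return "secure", cs.ID
		}
	}
	for _, cs := range tls.InsecureCipherSuites() {
		if cs.Name == name {
			return "insecure", cs.ID
		}
	}
	return "unknown", 0
}

// selfSignedECDSA: throwaway P-256 cert for 127.0.0.1 plus a pool pinning it for the client.
func selfSignedECDSA() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "loopback-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// negotiatedSuite runs one handshake over loopback TCP with both peers capped
// at maxVersion and restricted to suites, and returns the negotiated suite.
func negotiatedSuite(maxVersion uint16, suites []uint16) (uint16, error) {
	cert, pool, err := selfSignedECDSA()
	if err != nil {
		return 0, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	serverCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12, MaxVersion: maxVersion, CipherSuites: suites}
	clientCfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12, MaxVersion: maxVersion, CipherSuites: suites}
	errc := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			errc <- err
			return
		}
		srv := tls.Server(raw, serverCfg)
		errc <- srv.Handshake()
		srv.Close()
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return 0, err
	}
	defer cli.Close()
	if err := <-errc; err != nil {
		return 0, err
	}
	return cli.ConnectionState().CipherSuite, nil
}

func main() {
	for _, v := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		id, err := negotiatedSuite(v, []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384})
		fmt.Printf("MaxVersion 0x%04x -> %s (err=%v)\n", v, tls.CipherSuiteName(id), err)
	}
}
```

Run it with go run; it needs nothing beyond the loopback interface. On the SHA-1 versus SHA-256 question raised above: Go's constant-time CBC MAC verification exists only for SHA-1 (crypto/sha1 exposes ConstantTimeSum, crypto/sha256 does not), so the CBC_SHA256 suites are the ones Go files under InsecureCipherSuites and exporter-toolkit therefore cannot enable them from web-config.yml. The practical reading of the Go doc quoted at the top is the simplest configuration: leave cipher_suites out, or list only ECDHE suites with GCM or CHACHA20_POLY1305, and let TLS 1.3 pick its own.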