Hello Brian, thank you for the investigation. I tried several ciphers some days ago. Every time I cut more and more ciphers from the configuration but it did not work - probably because they were ciphers which are insecure. However, for the first try I wanted to allow all and check if all exporters work and then narrow it down.

As I can see you already opened a post here: https://groups.google.com/g/golang-nuts/c/niIG6PaTXZg

I will proceed with these ciphers which should be secure:

cipher_suites:
- TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005
- TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a
- TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f
- TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035

However - if the default library allows insecure ciphers then any default configuration lower than TLS 1.3 is "insecure" and this should be fixed.

Thanks again! I appreciate it!

Brian Candler wrote on Tuesday, 9 January 2024 at 22:57:52 UTC+1:

> Only the first cipher you listed is rejected.
>
> The code in exporter_toolkit just iterates over tls.CipherSuites():
>
> https://github.com/prometheus/exporter-toolkit/blob/v0.11.0/web/tls_config.go#L401-L407
>
> which you can replicate like this:
> https://go.dev/play/p/yFl-V5MrGHh
>
> It turns out that TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA exists, but
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 does not.
>
> The one you want is instead listed in InsecureCipherSuites:
> https://go.dev/play/p/ey1z_wG4Ezw
>
> Why is the cipher with SHA(1) secure, but SHA256 insecure??! I have no
> idea. Maybe worth asking on golang-nuts.
>
> On Tuesday 9 January 2024 at 10:04:21 UTC Alexander Wilke wrote:
>
>> Hello,
>> I am running prometheus 2.48.1 and I have problems finding the correct
>> syntax for the "cipher_suites" in the web.config.yml file:
>>
>> https://cs.opensource.google/go/go/+/refs/tags/go1.21.5:src/crypto/tls/cipher_suites.go;l=656
>> https://pkg.go.dev/crypto/tls#CipherSuitesi
>>
>> web-config.yml
>>
>> cipher_suites:
>> - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>> - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>> - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>> - TLS_AES_128_GCM_SHA256
>> - TLS_AES_256_GCM_SHA384
>>
>> /opt/prometheus# ./promtool check web-config web-config.yml
>> web-config.yml FAILED: unknown cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>
>> If I remove the cipher_suites block the configuration file works.
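As an added example (not code from this thread, from the exporter-toolkit project, or from Brian's playground links), here is a stand-alone Go program that reproduces the lookup the thread describes: it walks tls.CipherSuites() and tls.InsecureCipherSuites() and reports, for each name from the original web-config.yml, which list it is in. Only the suite names and the "unknown cipher: NAME" message format come from the thread; the helper names classifyCipher and checkCipherSuites are assumptions of this example, and which names land in which list depends on the Go release the binary was built with.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// cipherStatus records which crypto/tls list a suite name was found in.
type cipherStatus string

const (
	statusSecure   cipherStatus = "secure"   // returned by tls.CipherSuites()
	statusInsecure cipherStatus = "insecure" // returned by tls.InsecureCipherSuites()
	statusUnknown  cipherStatus = "unknown"  // in neither list
)

// classifyCipher (hypothetical helper) looks a suite name up in both lists
// and returns its numeric ID plus the list it came from.
func classifyCipher(name string) (uint16, cipherStatus) {
	for _, cs := range tls.CipherSuites() {
		if cs.Name == name {
			return cs.ID, statusSecure
		}
	}
	for _, cs := range tls.InsecureCipherSuites() {
		if cs.Name == name {
			return cs.ID, statusInsecure
		}
	}
	return 0, statusUnknown
}

// checkCipherSuites (hypothetical helper) mirrors the behaviour the thread
// describes for exporter-toolkit: only names that tls.CipherSuites() returns
// are accepted, and anything else fails with the same "unknown cipher" text
// that promtool printed. Suites from InsecureCipherSuites() are rejected too,
// which is why a name can exist in Go and still be refused by the config check.
func checkCipherSuites(names []string) ([]uint16, error) {
	ids := make([]uint16, 0, len(names))
	for _, name := range names {
		id, status := classifyCipher(name)
		if status != statusSecure {
			return nil, fmt.Errorf("unknown cipher: %s", name)
		}
		ids = append(ids, id)
	}
	return ids, nil
}

func main() {
	// Constructed sample input: the cipher_suites list from the original post.
	requested := []string{
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_AES_128_GCM_SHA256",
		"TLS_AES_256_GCM_SHA384",
	}
	for _, name := range requested {
		id, status := classifyCipher(name)
		fmt.Printf("%-44s 0x%04x %s\n", name, id, status)
	}
	if _, err := checkCipherSuites(requested); err != nil {
		fmt.Println("web-config check would fail:", err)
	}
}
```

Running it prints one line per requested suite with its ID and list, then the same failure promtool reported, because the first name is only present in InsecureCipherSuites(). Dropping that one name (or replacing it with TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, as Brian's reply points out) makes checkCipherSuites accept the list.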

