Hello Brian,
thank you for investigation.

I tried several ciphers some days ago. Every time I cut more and more 
ciphers from the configuration but it did not work - probably because 
they were ciphers which are insecure. However, for the first try I wanted to 
allow all and check if all exporters work and then narrow it down.

As I can see you already opened a post here:
https://groups.google.com/g/golang-nuts/c/niIG6PaTXZg

I will proceed with these ciphers which should be secure:
  cipher_suites:
   - TLS_RSA_WITH_RC4_128_SHA                      uint16 = 0x0005
   - TLS_RSA_WITH_3DES_EDE_CBC_SHA                 uint16 = 0x000a
   - TLS_RSA_WITH_AES_128_CBC_SHA                  uint16 = 0x002f
   - TLS_RSA_WITH_AES_256_CBC_SHA                  uint16 = 0x0035

However - if the default library allows insecure ciphers then any default 
configuration lower than TLS 1.3 is "insecure" and this should be fixed.

Thanks again! I appreciate it!

Brian Candler wrote on Tuesday, 9 January 2024 at 22:57:52 UTC+1:

> Only the first cipher you listed is rejected.
>
> The code in exporter_toolkit just iterates over tls.CipherSuites():
>
> https://github.com/prometheus/exporter-toolkit/blob/v0.11.0/web/tls_config.go#L401-L407
>
> which you can replicate like this:
> https://go.dev/play/p/yFl-V5MrGHh
>
> It turns out that TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA exists, but 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 does not.
>
> The one you want is instead listed in InsecureCipherSuites:
> https://go.dev/play/p/ey1z_wG4Ezw
>
> Why is the cipher with SHA(1) secure, but SHA256 insecure??! I have no 
> idea. Maybe worth asking on golang-nuts.
>
> On Tuesday 9 January 2024 at 10:04:21 UTC Alexander Wilke wrote:
>
>> Hello,
>> I am running prometheus 2.48.1 and I have problems finding the correct 
>> syntax for the "cipher_suites" in the web.config.yml file:
>>
>>
>> https://cs.opensource.google/go/go/+/refs/tags/go1.21.5:src/crypto/tls/cipher_suites.go;l=656
>> https://pkg.go.dev/crypto/tls#CipherSuitesi
>>
>> web-config.yml
>>
>>   cipher_suites:
>>     - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>     - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>     - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>>     - TLS_AES_128_GCM_SHA256
>>     - TLS_AES_256_GCM_SHA384
>>
>> /opt/prometheus# ./promtool check web-config web-config.yml
>> web-config.yml FAILED: unknown cipher: 
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>
>> If I remove the cipher_suites block the configuration file works.
>>
>
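
As an added example (not part of this thread and not exporter-toolkit's own code), the lookup Brian describes written against Go's crypto/tls: it replicates the scan over tls.CipherSuites() that exporter-toolkit performs, and additionally consults tls.InsecureCipherSuites() so that a name crypto/tls knows but rejects (such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) is reported differently from a name that does not exist at all. The input list is the cipher_suites block from the original web-config.yml plus RC4 and one misspelled name; the function names ClassifySuites and SecureOnly are my own.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// SuiteStatus classifies a cipher suite name as Go's crypto/tls sees it.
type SuiteStatus int

const (
	SuiteSecure   SuiteStatus = iota // listed by tls.CipherSuites()
	SuiteInsecure                    // listed only by tls.InsecureCipherSuites()
	SuiteUnknown                     // not a name crypto/tls knows at all
)

func (s SuiteStatus) String() string {
	switch s {
	case SuiteSecure:
		return "secure"
	case SuiteInsecure:
		return "insecure (rejected by exporter-toolkit)"
	default:
		return "unknown"
	}
}

// ClassifySuites looks each configured name up the way exporter-toolkit does
// (a scan over tls.CipherSuites()) and then falls back to
// tls.InsecureCipherSuites(), so "known but rejected" can be told apart from
// "no such suite". Both lists are built by the Go standard library.
func ClassifySuites(names []string) map[string]SuiteStatus {
	secure := make(map[string]bool)
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = true
	}
	insecure := make(map[string]bool)
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.Name] = true
	}
	out := make(map[string]SuiteStatus, len(names))
	for _, n := range names {
		switch {
		case secure[n]:
			out[n] = SuiteSecure
		case insecure[n]:
			out[n] = SuiteInsecure
		default:
			out[n] = SuiteUnknown
		}
	}
	return out
}

// SecureOnly returns, in the original order, the names exporter-toolkit would
// accept: the list worth keeping in web-config.yml.
func SecureOnly(names []string) []string {
	status := ClassifySuites(names)
	var keep []string
	for _, n := range names {
		if status[n] == SuiteSecure {
			keep = append(keep, n)
		}
	}
	return keep
}

func main() {
	// Constructed input: the cipher_suites block from the thread's
	// web-config.yml, plus RC4 and one deliberately misspelled name.
	configured := []string{
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_AES_128_GCM_SHA256",
		"TLS_AES_256_GCM_SHA384",
		"TLS_RSA_WITH_RC4_128_SHA",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA25",
	}
	status := ClassifySuites(configured)
	for _, n := range configured { // iterate the slice so output order is stable
		fmt.Printf("%-45s %s\n", n, status[n])
	}
	fmt.Println("accepted by exporter-toolkit:", SecureOnly(configured))
}
```

Running this against the Go version Prometheus was built with reproduces promtool's complaint: the CBC_SHA256 suite is present in crypto/tls but only in the insecure list, so a config that names it is rejected, while the GCM and TLS 1.3 suites pass.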

-- 
You received this message because you are subscribed to the Google Groups 
"Prometheus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to prometheus-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/prometheus-users/dde2a446-44e3-4fd4-b9e3-bcdbd7a92a06n%40googlegroups.com.