prometheus 2.48.1 - web-config.yml - cipher_suites "unknown cipher"


Alexander Wilke

Jan 9, 2024, 5:04:21 AM
to Prometheus Users
Hello,
I am running prometheus 2.48.1 and I am having trouble finding the correct syntax for "cipher_suites" in the web.config.yml file:

https://cs.opensource.google/go/go/+/refs/tags/go1.21.5:src/crypto/tls/cipher_suites.go;l=656
https://pkg.go.dev/crypto/tls#CipherSuitesi

web-config.yml

  cipher_suites:
    - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_AES_128_GCM_SHA256
    - TLS_AES_256_GCM_SHA384

/opt/prometheus# ./promtool check web-config web-config.yml
web-config.yml FAILED: unknown cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

If I remove the cipher_suites block the configuration file works.

Brian Candler

Jan 9, 2024, 4:57:52 PM
to Prometheus Users
Only the first cipher you listed is rejected.

The code in exporter_toolkit just iterates over tls.CipherSuites():

which you can replicate like this:

It turns out that TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA exists, but TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 does not.

The one you want is instead listed in InsecureCipherSuites:

Why is the cipher with SHA(1) secure, but SHA256 insecure??! I have no idea. Maybe worth asking on golang-nuts.
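The lookup described in the reply above, written out as an added example (it is neither Brian's snippet nor exporter_toolkit's code): Classify checks a name against tls.CipherSuites() and tls.InsecureCipherSuites(), and CheckCipherSuites reproduces the promtool failure by returning the first entry that tls.CipherSuites() does not list.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Classify reports where Go's crypto/tls knows a cipher suite name from:
// "secure" if tls.CipherSuites() lists it (the only list exporter_toolkit
// accepts), "insecure" if only tls.InsecureCipherSuites() does, else "unknown".
func Classify(name string) string {
	for _, cs := range tls.CipherSuites() {
		if cs.Name == name {
			return "secure"
		}
	}
	for _, cs := range tls.InsecureCipherSuites() {
		if cs.Name == name {
			return "insecure"
		}
	}
	return "unknown"
}

// CheckCipherSuites mirrors the promtool check: it returns the first configured
// name that tls.CipherSuites() does not contain, or "" when all are accepted.
func CheckCipherSuites(names []string) string {
	for _, n := range names {
		if Classify(n) != "secure" {
			return n
		}
	}
	return ""
}

func main() {
	// The cipher_suites list from the original post, used as sample input.
	configured := []string{
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_AES_128_GCM_SHA256",
		"TLS_AES_256_GCM_SHA384",
	}
	for _, n := range configured {
		fmt.Printf("%-40s %s\n", n, Classify(n))
	}
	fmt.Println("first rejected entry:", CheckCipherSuites(configured))
}
```

Running it shows TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 classified as "insecure" while the other four entries are "secure", which is exactly why promtool rejects only that one.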

Alexander Wilke

Jan 9, 2024, 6:01:08 PM
to Prometheus Users
Hello Brian,
thank you for the investigation.

I tried several ciphers some days ago. Every time I cut more and more ciphers from the configuration but it did not work - probably because they were ciphers which are insecure. However, for the first try I wanted to allow all and check if all exporters work and then narrow it down.

As I can see you already opened a post here:

I will proceed with these ciphers which should be secure:
  cipher_suites:
   - TLS_RSA_WITH_RC4_128_SHA                      uint16 = 0x0005
   - TLS_RSA_WITH_3DES_EDE_CBC_SHA                 uint16 = 0x000a
   - TLS_RSA_WITH_AES_128_CBC_SHA                  uint16 = 0x002f
   - TLS_RSA_WITH_AES_256_CBC_SHA                  uint16 = 0x0035

However - if the default library allows insecure ciphers then any default configuration lower than TLS 1.3 is "insecure" and this should be fixed.

Thanks again! I appreciate it!

Brian Candler

Jan 10, 2024, 3:14:45 AM
to Prometheus Users

// CipherSuites is a list of enabled TLS 1.0–1.2 cipher suites. The order of
// the list is ignored. Note that TLS 1.3 ciphersuites are not configurable.
//
// If CipherSuites is nil, a safe default list is used. The default cipher
// suites might change over time.