
unknown cipher: TLS_RSA_WITH_AES_128_CBC_SHA

Open wcollin opened this issue 1 year ago • 1 comments

Host operating system: centos9 arm64

blackbox_exporter version: v0.25.0

What is the prometheus.yml scrape config?

```yaml
- job_name: 'blackbox-exporter'
  scheme: 'https'
  tls_config:
    ca_file: /etc/prometheus/certs/ca.crt
    cert_file: /etc/prometheus/certs/server.crt
    key_file: /etc/prometheus/certs/server.key
    insecure_skip_verify: true
  static_configs:
    - targets: ['blackbox-exporter:9115']
```

web-config.yml

```yaml
tls_server_config:
  cert_file: /etc/prometheus/certs/server.crt
  key_file: /etc/prometheus/certs/server.key
  cipher_suites:
    - TLS_RSA_WITH_AES_128_CBC_SHA
    - TLS_RSA_WITH_AES_256_CBC_SHA
    - TLS_RSA_WITH_AES_128_GCM_SHA256
    - TLS_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_AES_128_GCM_SHA256
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256

http_server_config:
  http2: false
  headers:
    Content-Security-Policy: "default-src 'self' 'unsafe-inline'; img-src 'self' data:;"
    X-Frame-Options: "sameorigin"
    X-Content-Type-Options: "nosniff"
    X-XSS-Protection: "1; mode=block"
    Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"
```

Error:

```
ts=2024-04-15T06:12:05.533Z caller=main.go:87 level=info msg="Starting blackbox_exporter" version="(version=0.25.0, branch=HEAD, revision=ef3ff4fef195333fb8ee0039fb487b2f5007908f)"
ts=2024-04-15T06:12:05.533Z caller=main.go:88 level=info build_context="(go=go1.22.2, platform=linux/arm64, user=root@9b6755681f2e, date=20240409-12:52:48, tags=unknown)"
ts=2024-04-15T06:12:05.534Z caller=main.go:100 level=info msg="Loaded config file"
ts=2024-04-15T06:12:05.534Z caller=tls_config.go:313 level=info msg="Listening on" address=[::]:9115
ts=2024-04-15T06:12:05.534Z caller=main.go:274 level=error msg="Error starting HTTP server" err="unknown cipher: TLS_RSA_WITH_AES_128_CBC_SHA"
```

wcollin avatar Apr 15 '24 06:04 wcollin

That is no longer a supported cipher due to insecurity.

It appears you are just listing all ciphers; it would be easier if you simply removed all of them from your configuration.

SuperQ avatar Apr 15 '24 07:04 SuperQ
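To make the error above and the suggested fix concrete, here is an added Go example (not code from blackbox_exporter or prometheus/exporter-toolkit). It assumes what the log shows: the web-config parser resolves each `cipher_suites` name only against Go's `tls.CipherSuites()`, stops at the first name it cannot resolve, and reports it as `unknown cipher: <name>`. The split between "insecure" and "unknown" names is this example's own addition, made by also consulting `tls.InsecureCipherSuites()`, so you can see why a name is rejected; the `SuiteStatus` type and the `ClassifySuite`/`FilterSuites` functions are hypothetical helpers, not toolkit API. Which RSA key exchange suites land in the insecure bucket depends on the Go toolchain the binary was built with (the log shows go1.22.2).

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// SuiteStatus says how a configured cipher_suites entry resolves against
// Go's crypto/tls, which is what the web-config parser consults.
type SuiteStatus int

const (
	// SuiteSupported: listed by tls.CipherSuites(), so the config loads.
	SuiteSupported SuiteStatus = iota
	// SuiteInsecure: Go still implements it but only lists it in
	// tls.InsecureCipherSuites(); the parser reports it as "unknown cipher".
	SuiteInsecure
	// SuiteUnknown: not a name this Go toolchain implements at all.
	SuiteUnknown
)

func (s SuiteStatus) String() string {
	switch s {
	case SuiteSupported:
		return "supported"
	case SuiteInsecure:
		return "insecure (rejected)"
	default:
		return "unknown (rejected)"
	}
}

// ClassifySuite mirrors the parser's lookup (only tls.CipherSuites() names
// resolve) and adds the insecure/unknown distinction for explanation.
func ClassifySuite(name string) SuiteStatus {
	for _, cs := range tls.CipherSuites() {
		if cs.Name == name {
			return SuiteSupported
		}
	}
	for _, cs := range tls.InsecureCipherSuites() {
		if cs.Name == name {
			return SuiteInsecure
		}
	}
	return SuiteUnknown
}

// FilterSuites returns the entries a current build would accept, plus the
// error the parser would raise for the first rejected entry. Parsing stops
// at the first unknown name, which is why the issue's log names only one.
func FilterSuites(names []string) ([]string, error) {
	var accepted []string
	var firstErr error
	for _, n := range names {
		if ClassifySuite(n) == SuiteSupported {
			accepted = append(accepted, n)
		} else if firstErr == nil {
			firstErr = fmt.Errorf("unknown cipher: %s", n)
		}
	}
	return accepted, firstErr
}

func main() {
	// The cipher_suites list from the issue's web-config.yml, in order.
	configured := []string{
		"TLS_RSA_WITH_AES_128_CBC_SHA",
		"TLS_RSA_WITH_AES_256_CBC_SHA",
		"TLS_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
		"TLS_AES_128_GCM_SHA256",
		"TLS_AES_256_GCM_SHA384",
		"TLS_CHACHA20_POLY1305_SHA256",
	}
	for _, n := range configured {
		fmt.Printf("%-48s %s\n", n, ClassifySuite(n))
	}
	accepted, err := FilterSuites(configured)
	fmt.Printf("\nparser would fail with: %v\n", err)
	fmt.Printf("entries that would still load (%d):\n", len(accepted))
	for _, n := range accepted {
		fmt.Println("  -", n)
	}
}
```

Run it with the same Go version the exporter was built with and the first column reproduces the rejection from the log; the `accepted` list is the minimal edit to the file, while dropping the `cipher_suites` key entirely, as suggested above, leaves Go's default secure set in charge and avoids the same breakage on the next toolchain upgrade. Separately, the scrape config in the report sets `insecure_skip_verify: true`, which disables verification of the exporter's certificate, so the `ca_file` there has no effect until that flag is removed.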

As stated above, TLS_RSA_WITH_AES_128_CBC_SHA is not supported anymore. Closing this issue due to inactivity.

electron0zero avatar Dec 31 '24 15:12 electron0zero

I just ran into this same issue as I'm attempting to migrate my Telegraf configs to Alloy. In Telegraf, old ciphers are disabled by default, but you can enable them explicitly for each input. https://github.com/influxdata/telegraf/blob/master/docs/TLS.md

I don't think technology choices should be dictated by a monitoring tool. We run many old appliances with old ciphers because the hardware is still functional and the cost to replace would be exorbitant. Of course we keep them on a secure network away from the internet. If the decision has already been made to use such old appliances, then adding Prometheus monitoring does not make the system any less secure.

Could this be reconsidered please?

llamafilm avatar Mar 29 '25 01:03 llamafilm