Enable advanced TLS configuration parameters
Hi @pracucci & @bboreham Good Day!
We need the full set of TLS config parameters that are available via exporter-toolkit/web to be configurable via the weaveworks/common package.
We see that it was removed as part of #245. We are using Cortex and, as per our organization standard, we want to use a set of strong ciphers for all the HTTPS listening endpoints. If we have the above config parameters we can fix it by using the cipher_suites and prefer_server_cipher_suites options.
We see that the same problem applies to Loki, Tempo and Mimir. Let us know if you need any additional information.
Note: We already enabled the client authentication by setting "RequireAndVerifyClientCert".
> we have TLS related vulnerability [...].
Do you have a reference to this vulnerability? If it is not public information don’t post it; see here or here.
Apologies, I have updated my issue now. Will send an email to the mentioned group. Please do help to remove the comment reference from your response as well.
After some time, the information that you sent reached me. As far as I can see, you asked for the ability to specify a list of cipher suites to use. Go already takes a view, and excludes some as insecure, but you want to exclude some more.
(I don't think this info is sensitive; there are many many lists of recommended ciphers online)
I have posted #256 as a possible resolution.
Thanks a lot @bboreham. Looking forward to the pull request being merged to master.
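Added example, not part of the thread and not the code from #256: resolving an operator-supplied list of cipher suite names against the suites Go's crypto/tls treats as secure, which is the restriction discussed above. The function name `resolveCipherSuites` and the sample allow-list are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// resolveCipherSuites (hypothetical helper) maps suite names to the IDs used by
// tls.Config.CipherSuites. Unknown or insecure names fail loudly, never silently.
func resolveCipherSuites(names []string) ([]uint16, error) {
	secure := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = cs.ID
	}
	insecure := map[string]bool{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.Name] = true
	}
	ids := make([]uint16, 0, len(names))
	for _, n := range names {
		n = strings.TrimSpace(n)
		if id, ok := secure[n]; ok {
			ids = append(ids, id)
			continue
		}
		if insecure[n] {
			return nil, fmt.Errorf("cipher suite %q is marked insecure by crypto/tls", n)
		}
		return nil, fmt.Errorf("unknown cipher suite %q", n)
	}
	if len(ids) == 0 {
		return nil, fmt.Errorf("no cipher suites given")
	}
	return ids, nil
}

func main() {
	// Constructed allow-list; an organization's standard would supply its own.
	ids, err := resolveCipherSuites([]string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"})
	if err != nil {
		panic(err)
	}
	// CipherSuites only restricts TLS 1.0-1.2; TLS 1.3 suites are not configurable in Go.
	// PreferServerCipherSuites is deprecated and ignored since Go 1.17, so it is not set.
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: ids}
	fmt.Println(len(cfg.CipherSuites), "suites configured")
}
```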