prometheus / jmx_exporter

A process for exposing JMX Beans via HTTP for Prometheus consumption
Apache License 2.0

Cipher Support and disabling TLS version #875

Closed sakthiraam closed 6 months ago

sakthiraam commented 1 year ago

Hi, Good Day!

We are trying to specify strong cipher suites and TLS version via system property but it is not recognized by the JMX exporter. We used the below system properties:

-Djavax.net.ssl.protocol=TLSv1.2 -Djavax.net.ssl.cipherSuites=

Is there any other property which we can set to make sure JMX exporter is using the specified version of TLS and Cipher Suites?

I can see all the PROTOCOLS are specified in the source code. Seeing if we have an option to override it https://github.com/prometheus/jmx_exporter/blob/89275ac5fed732b943c248867db578b6f12bb756/jmx_prometheus_common/src/main/java/io/prometheus/jmx/common/http/ssl/SSLContextFactory.java#L35

EDIT: Fixed link to code (dhoard)

dhoard commented 1 year ago

@sakthiraam As you pointed out, the code (as written) tries to use the most secure TLS version supported by the JVM.

You should be able to change TLS/cipher suites by using system properties...

jdk.tls.client.protocols
jdk.certpath.disabledAlgorithms
jdk.tls.disabledAlgorithms

... or by editing your JVM java.security file.

I'm concerned that if we add this type of configuration to the exporter YAML we could end up in a scenario where a mismatch would cause problems that are hard to debug.

Example:

The JVM is set to only use TLSv1.3 and the exporter YAML is configured to use TLSv1.2.
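
The mismatch case from the comment above, as an added example that is not part of the thread or of jmx_exporter's code: it applies a constructed `jdk.tls.disabledAlgorithms` value and lists what a server-side `SSLEngine` can still negotiate for a given `SSLContext` protocol. The class name, the policy string and the use of a bare `SSLContext` in place of the exporter's own factory are assumptions; the TLSv1.3 context needs JDK 11 or later.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example (hypothetical class): shows what a server-side TLS engine
// can still negotiate once the JVM-wide policy has been applied.
public class EffectiveTlsCheck {

    // Protocols a server-side engine created from this context will accept.
    // An empty list means every handshake on that context fails.
    static List<String> serverProtocols(String contextProtocol) throws Exception {
        return Arrays.asList(serverEngine(contextProtocol).getEnabledProtocols());
    }

    // Cipher suites left enabled after the JVM policy has filtered them.
    static List<String> serverCipherSuites(String contextProtocol) throws Exception {
        return Arrays.asList(serverEngine(contextProtocol).getEnabledCipherSuites());
    }

    private static SSLEngine serverEngine(String contextProtocol) throws Exception {
        SSLContext context = SSLContext.getInstance(contextProtocol);
        context.init(null, null, null); // default key/trust managers; enough for inspection
        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(false);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Constructed JVM policy for the mismatch scenario: only TLSv1.3 stays allowed.
        // Must run before any JSSE class loads; editing java.security has the same effect.
        Security.setProperty("jdk.tls.disabledAlgorithms",
                "SSLv3, TLSv1, TLSv1.1, TLSv1.2");

        // "TLSv1.2" stands in for a component configured to use TLSv1.2 (assumption).
        for (String requested : new String[] {"TLSv1.2", "TLSv1.3"}) {
            List<String> protocols = serverProtocols(requested);
            System.out.printf("context=%s protocols=%s cipherSuites=%d%n",
                    requested, protocols, serverCipherSuites(requested).size());
            if (protocols.isEmpty()) {
                System.out.println("  mismatch: JVM policy disables everything this context offers");
            }
        }
    }
}
```

To inspect the policy the exporter will actually see, remove the `Security.setProperty` call and run the class on the same JVM with the same `java.security` file.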