Open siavashs opened 1 month ago
Is your proposal related to a problem?
Thanos forces TLS 1.3 since #5170; this can result in backward compatibility issues with other software like HTTP proxies, load balancers, etc., which might still (be configured to) use TLS 1.2 in different environments.
Describe the solution you'd like
TLS 1.2 can still be used securely if configured to use a secure cipher. TLS 1.3 has at least one known insecure cipher (GOST R 34.12-2015 Magma) at the time of writing. https://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher
TLS versions and the ciphers must be configurable, as it is the combination that can ensure both better security and backwards compatibility.
Describe alternatives you've considered
Patching or forking the Thanos version deployed in our infrastructure.
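An added example, not code from Thanos or from the PR mentioned in this thread: one way a Go service could make the minimum TLS version and the TLS 1.2 cipher list configurable while refusing suites that Go's `crypto/tls` flags as insecure. The function name `buildTLSConfig` and the string form of its options are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// buildTLSConfig is a hypothetical helper (not Thanos code). It maps a
// configured minimum version and cipher names onto a *tls.Config.
func buildTLSConfig(minVersion string, cipherNames []string) (*tls.Config, error) {
	versions := map[string]uint16{"1.2": tls.VersionTLS12, "1.3": tls.VersionTLS13}
	v, ok := versions[minVersion]
	if !ok {
		return nil, fmt.Errorf("unsupported minimum TLS version %q", minVersion)
	}
	// Go's Config.CipherSuites only applies to TLS 1.2 and below; TLS 1.3
	// suites are not configurable, so a list with min 1.3 is a config error.
	if v == tls.VersionTLS13 && len(cipherNames) > 0 {
		return nil, fmt.Errorf("cipher list has no effect with minimum version 1.3")
	}
	// Allow only suites from tls.CipherSuites() that are usable with TLS 1.2.
	// Anything returned by tls.InsecureCipherSuites() (RC4 etc.) is absent here.
	allowed := map[string]uint16{}
	for _, s := range tls.CipherSuites() {
		for _, sv := range s.SupportedVersions {
			if sv == tls.VersionTLS12 {
				allowed[s.Name] = s.ID
			}
		}
	}
	cfg := &tls.Config{MinVersion: v}
	for _, name := range cipherNames {
		id, ok := allowed[name]
		if !ok {
			return nil, fmt.Errorf("cipher %q is unknown, insecure or not a TLS 1.2 suite", name)
		}
		cfg.CipherSuites = append(cfg.CipherSuites, id)
	}
	return cfg, nil
}

func main() {
	// Constructed sample settings: a proxy-compatible TLS 1.2 floor with one AEAD suite.
	cfg, err := buildTLSConfig("1.2", []string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"})
	fmt.Println(cfg != nil && cfg.MinVersion == tls.VersionTLS12, err)
	_, err = buildTLSConfig("1.2", []string{"TLS_RSA_WITH_RC4_128_SHA"})
	fmt.Println(err)
}
```

Leaving the cipher list empty keeps Go's default suite selection for the chosen minimum version.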
I feel backward compatibility is important; some of us are not ready to jump straight into TLS 1.3.
Created a PR to support this.