thanos-io / thanos

Highly available Prometheus setup with long term storage capabilities. A CNCF Incubating project.
https://thanos.io
Apache License 2.0

Make TLS versions and ciphers configurable #7624

Open siavashs opened 1 month ago

siavashs commented 1 month ago

Is your proposal related to a problem?

Thanos has forced TLS 1.3 since #5170; this can result in backward compatibility issues with other software like HTTP proxies, load balancers, etc., which might still (be configured to) use TLS 1.2 in different environments.

Describe the solution you'd like

TLS 1.2 can still be used securely if configured to use a secure cipher. TLS 1.3 has at least one known insecure cipher (GOST R 34.12-2015 Magma) at the time of writing. https://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher

TLS versions and the ciphers must be configurable, as it is the combination that can ensure both better security and backwards compatibility.

Describe alternatives you've considered

Patching or forking the Thanos version deployed in our infrastructure.

Additional context

pureiboi commented 3 weeks ago

I feel backward compatibility is important; some of us are not ready to jump straight into TLS 1.3.

Created a PR to support this.
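A sketch of what the configurability requested in this issue can look like in Go, added here as an illustration; it is not code from Thanos or from the PR mentioned above. `BuildTLSConfig` and the `"1.2"`/`"1.3"` config strings are hypothetical names. It accepts a minimum version and a cipher allow-list, and rejects any suite on Go's own insecure list, so that permitting TLS 1.2 does not also permit weak ciphers.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// tlsVersions maps hypothetical config strings to Go's version constants.
var tlsVersions = map[string]uint16{"1.2": tls.VersionTLS12, "1.3": tls.VersionTLS13}

// BuildTLSConfig (hypothetical helper) turns operator settings into a *tls.Config.
// An empty cipherNames list keeps Go's default suite selection.
func BuildTLSConfig(minVersion string, cipherNames []string) (*tls.Config, error) {
	minVer, ok := tlsVersions[minVersion]
	if !ok {
		return nil, fmt.Errorf("unsupported minimum TLS version %q", minVersion)
	}
	// Index only the secure suites usable with TLS 1.2. Go does not let callers
	// choose TLS 1.3 suites: Config.CipherSuites applies to TLS 1.0-1.2 only.
	allowed := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		for _, v := range cs.SupportedVersions {
			if v == tls.VersionTLS12 {
				allowed[cs.Name] = cs.ID
			}
		}
	}
	insecure := map[string]bool{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.Name] = true
	}
	cfg := &tls.Config{MinVersion: minVer}
	for _, name := range cipherNames {
		id, known := allowed[name]
		switch {
		case insecure[name]:
			return nil, fmt.Errorf("cipher suite %q is on Go's insecure list", name)
		case !known:
			return nil, fmt.Errorf("cipher suite %q is unknown or not configurable", name)
		}
		cfg.CipherSuites = append(cfg.CipherSuites, id)
	}
	return cfg, nil
}

func main() {
	cfg, err := BuildTLSConfig("1.2", []string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"})
	fmt.Println(err, cfg.MinVersion == tls.VersionTLS12, len(cfg.CipherSuites))
	_, err = BuildTLSConfig("1.2", []string{"TLS_RSA_WITH_RC4_128_SHA"})
	fmt.Println(err) // rejected: RC4 suite is on the insecure list
}
```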