Add the ability to specify the maximum acceptable TLS version #414
Changes from 5 commits
53cf9b9
c89cc23
d485d17
e1fa703
fc15924
d1620fd
9d070c0
a9a674f
5977368
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,3 @@ | ||
## Prometheus Community Code of Conduct | ||
# Prometheus Community Code of Conduct | ||
|
||
Prometheus follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md). | ||
Prometheus follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md). |
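Review bot: this hunk touches only the Code of Conduct file (heading level `##` to `#`, and the CNCF link moved from `master` to `main`) and has nothing to do with the maximum TLS version feature; it looks like it came in with a branch sync rather than as part of this change, so rebasing onto main should drop it from the PR's diff and keep the change set limited to the TLS work.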
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -21,6 +21,7 @@ import ( | |
"crypto/x509" | ||
"encoding/json" | ||
"fmt" | ||
"io/ioutil" | ||
"net" | ||
"net/http" | ||
"net/url" | ||
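Review bot: the `"io/ioutil"` import added to this block is unrelated to the feature and should not be reintroduced: `io/ioutil` has been deprecated since Go 1.16 in favour of `io` and `os`, and the later comments confirm it was already removed on main. The same import is added to the test file's import block further down; both should go away once the branch is resynced (the thread reports this was done in 9d070c0).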
|
@@ -779,6 +780,7 @@ func NewTLSConfig(cfg *TLSConfig) (*tls.Config, error) { | |
tlsConfig := &tls.Config{ | ||
InsecureSkipVerify: cfg.InsecureSkipVerify, | ||
MinVersion: uint16(cfg.MinVersion), | ||
MaxVersion: uint16(cfg.MaxVersion), | ||
This is fine. What I'm thinking is that we (maybe) should validate the following:
I haven't followed all the use locations of the code, but if we don't check for this in NewTLSConfig, I think we might end up with some weird errors later.
Are there any guarantees that the underlying lib will follow the order? I would let the underlying tls lib decide what to do.
||
} | ||
|
||
// If a CA cert is provided then let's read it in so we can validate the | ||
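Review bot: `cfg.MaxVersion` is copied into `tls.Config` without being checked against `cfg.MinVersion`. Because both fields are `omitempty` and a zero value means "let crypto/tls choose", the check has to skip zeros and only reject `max_version < min_version` when both are set; returning an error from `NewTLSConfig` at that point reports a contradictory pair once, at config load, instead of as a handshake failure on every connection far away from the config that caused it. `fmt` is already imported in this file, so the shape would be `if cfg.MinVersion != 0 && cfg.MaxVersion != 0 && cfg.MaxVersion < cfg.MinVersion { return nil, fmt.Errorf("tls max_version %d is lower than min_version %d", cfg.MaxVersion, cfg.MinVersion) }`.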
|
@@ -826,6 +828,8 @@ type TLSConfig struct { | |
InsecureSkipVerify bool `yaml:"insecure_skip_verify" json:"insecure_skip_verify"` | ||
// Minimum TLS version. | ||
MinVersion TLSVersion `yaml:"min_version,omitempty" json:"min_version,omitempty"` | ||
// Maximum TLS version. | ||
MaxVersion TLSVersion `yaml:"max_version,omitempty" json:"max_version,omitempty"` | ||
} | ||
|
||
// SetDirectory joins any relative file paths with dir. | ||
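Review bot: the doc comment on `MaxVersion` ("Maximum TLS version.") tells a user nothing they could not read from the field name; it should state that the field is optional, that the accepted values are the same names as for `min_version` (the new fixtures use `TLS12`), that omitting it leaves the upper bound to the Go runtime's default, and, if an ordering check is added to `NewTLSConfig`, that it must not be lower than `min_version`. The `MinVersion` comment two lines up is equally terse and could be brought up to the same level in the same change.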
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -21,6 +21,7 @@ import ( | |
"errors" | ||
"fmt" | ||
"io" | ||
"io/ioutil" | ||
"net" | ||
"net/http" | ||
"net/http/httptest" | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
{"max_version": "TLS12"} |
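Review bot: this fixture only exercises `max_version` on its own. A companion fixture that sets both `min_version` and `max_version`, one with a valid pair and one with an inverted pair (for example `min_version: TLS13` with `max_version: TLS12`), would pin down whatever behaviour is chosen for the ordering question raised on `NewTLSConfig`, and a test asserting an error for the inverted pair would be the regression test for that check.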
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
max_version: TLS12 |
This was recently fixed; this branch needs to be synced with main.
I resynced and removed the ioutil import in 9d070c0.
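The two positions in the review thread on `NewTLSConfig` (validate the ordering of `min_version` and `max_version` at config time, or leave it to the TLS library) can be compared directly. The following is an added Go example, not code from the PR or from prometheus/common: `TLSVersion`, `versionByName`, `validateTLSVersionRange` and `rangeRejectedByHandshake` are assumed names, and the type is only a stand-in with the same shape as the config field in the diff (a uint16 whose zero value means "not set"). `validateTLSVersionRange` is the config-time check the first reviewer asked about; `rangeRejectedByHandshake` shows what Go's crypto/tls does on its own with an inverted range, using an in-memory pipe so no server or certificate is needed.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"strings"
	"time"
)

// TLSVersion mirrors the shape of the config field in the diff: a uint16 whose
// zero value means "not set" (both fields are omitempty in YAML and JSON).
// Assumed stand-in for this example, not the project's own type.
type TLSVersion uint16

// versionByName maps the names used in the PR's fixtures ("TLS12") to protocol
// numbers. Constructed for this example.
var versionByName = map[string]TLSVersion{
	"TLS10": tls.VersionTLS10,
	"TLS11": tls.VersionTLS11,
	"TLS12": tls.VersionTLS12,
	"TLS13": tls.VersionTLS13,
}

// nameOf renders a version number with the fixture naming, for error messages.
func nameOf(v TLSVersion) string {
	for name, n := range versionByName {
		if n == v {
			return name
		}
	}
	return fmt.Sprintf("0x%04x", uint16(v))
}

// validateTLSVersionRange is the config-time check discussed in the review
// thread (an assumed helper, not code from the PR): reject a range whose
// maximum is below its minimum. Zero means "unset" and imposes no bound, so a
// zero on either side is never compared.
func validateTLSVersionRange(minVer, maxVer TLSVersion) error {
	if minVer != 0 && maxVer != 0 && maxVer < minVer {
		return fmt.Errorf("tls config: max_version %s is lower than min_version %s",
			nameOf(maxVer), nameOf(minVer))
	}
	return nil
}

// rangeRejectedByHandshake shows what happens when the check is left to
// crypto/tls, as the second reviewer suggested: build the tls.Config the way
// NewTLSConfig does and start a client handshake over an in-memory pipe. The
// Go client validates its version range while building the ClientHello, before
// any bytes are written, so an inverted range fails immediately and without a
// peer. A valid range gets as far as writing the ClientHello to a pipe nobody
// reads, which the deadline turns into an ordinary timeout error instead.
func rangeRejectedByHandshake(minVer, maxVer TLSVersion) bool {
	cfg := &tls.Config{
		MinVersion: uint16(minVer),
		MaxVersion: uint16(maxVer),
		ServerName: "example.invalid", // the client requires this unless InsecureSkipVerify is set
	}
	client, server := net.Pipe()
	defer client.Close()
	defer server.Close()
	client.SetDeadline(time.Now().Add(200 * time.Millisecond)) // never block the caller

	err := tls.Client(client, cfg).Handshake()
	// The version-range failure is reported by crypto/tls itself; any other
	// error here (the deadline) means the range was accepted by the library.
	return err != nil && strings.Contains(err.Error(), "MinVersion and MaxVersion")
}

func main() {
	for _, pair := range [][2]string{{"TLS12", "TLS13"}, {"TLS13", "TLS12"}, {"TLS12", "TLS12"}} {
		minVer, maxVer := versionByName[pair[0]], versionByName[pair[1]]
		fmt.Printf("min=%s max=%s: config check=%v, rejected by crypto/tls handshake=%v\n",
			pair[0], pair[1], validateTLSVersionRange(minVer, maxVer), rangeRejectedByHandshake(minVer, maxVer))
	}
}
```

The library does catch the inverted pair, but only when a connection is attempted, and the error then appears once per failed connection with no reference to the config keys that caused it; the config-time check reports the same fact once, by name, when the file is loaded. The two are complementary rather than alternatives: the early check gives a clear message, and crypto/tls remains the last line of defence for anything the check does not cover.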