Support for providing cipher suites and enabled TLS protocols

[mardlucca]

jmx_exporter/jmx_prometheus_common/src/main/java/io/prometheus/jmx/common/HTTPServerFactory.java

Line 837 in b5eb913

sslParameters.setNeedClientAuth(mutualTLS);

Could you please provide support for providing cipher suites and enabled TLS protocols? Something along the lines of:

httpServer:
  ssl:
    keyStore:
      filename: localhost.jks
      password: changeit
    certificate:
      alias: localhost
    enabledProtocols: "TLSv1.2,TLSv1.3"
    cipherSuites: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"

For protocols, apparently if you use "TLS" for your SSLContext, java will enable all supported cipher suites. Then you can restrict them using SSL parameters...
(Relevant code here: https://github.com/prometheus/jmx_exporter/blob/main/jmx_prometheus_common/src/main/java/io/prometheus/jmx/common/util/SSLContextFactory.java#L146)

Thank you,

Marcio

[dhoard]

@mardlucca while this is possible, setting values at the JVM level via java.security is more robust, easier to audit, etc.

[mardlucca]

@mardlucca while this is possible, setting values at the JVM level via java.security is more robust, easier to audit, etc.

Setting cipher suites at JVM using java.security and disabledAlgorithms has been giving me grief right now (when I remove a bunch of cipher suites using it, it gets to a point where everything is removed). I'm probably messing up, but it's been hard to remove algorithms and make the JVM only use the suites that I need.

Another thing is that the list of cipher suites for the JMX exporter may be different than the ones needed by the app (Kafka, in my case). Note that Kafka allows you to specify cipher suites and TLS protocols in its configuration, so you don't need to add restriction at the JVM level. This essentially arises from the fact that the Java API allows you to do it, the API is modelled around the notion of providing valid cipher suites, rather than removing prohibited ones, which I claim is a lot more convenient. In fact, Golang's and Python's APIs are also modelled around inclusion of cipher suites rather than exclusion of forbidden algorithms.

So I don't know, I still think this would be worth it.

[dankots]

I have prometheus stats being collected on its own port, exposed just for that purpose. I would like to restrict the ciphers greatly for this connection, since I control both ends. However, I can't restrict the ciphers and protocols of the rest of the app, as they are customer-accessed and should support a slightly larger list of commonly supported secure ciphers.

[dhoard]

@Hakky54 given the recent merge of your SSL code libary, is this something easily implemented? Do you have an example?

[Hakky54]

Yes, this is something which can be easily implemented. I can take a look at it and try to submit a pull request

[Hakky54]

I think this one can be closed as it has been implemented

[dhoard]

Closed with PR #1357. Thanks @Hakky54 !!!