TLS version setting is not documented #309
Comments
May I know where I could set the TLS version and how? As stated in the release notes of 0.37.1, the TLS version and cipher suites are not restricted.
Hi @mattdurham, could you please help check this one? Thanks.
Does it work if you omit windows_certificate_filter.client?
@jkroepke no, the same error.
What about openssl s_client -connect localhost:12345 -tls1_2?
Hi @jkroepke, I tried it on the Windows server, please check the response:
And what happens if you are using MS Edge? Maybe RSA-PSS certificates have some issue with Go.
Apologies, I was at KubeCon. It is an undocumented set of values; you can see them in the code here: https://github.com/grafana/agent/blob/c2c40f8a27abe71e35eedf440ab25ae44bf8a9ff/pkg/server/tls.go#L17 . Under http_tls_config you would have a min_version and max_version flag. Valid values are listed here: https://github.com/grafana/agent/blob/c2c40f8a27abe71e35eedf440ab25ae44bf8a9ff/pkg/server/tls.go#L115
If I recall correctly, you need a specific openssl to work with Windows properly. I found it easier to import the certificates into Firefox/Chrome, trust them and then hit the endpoints.
Hi @mattdurham, thanks for the reply.
Yes, I was using this config.
The error is posted when Prometheus is trying to scrape it, not just from the browser.
I tried both Edge and Chrome; neither of them could load it. I am suspecting the code as well.
Hi @mattdurham, no matter what TLS version I set, an error like "last octet invalid" is posted.
You may need to limit your suites to the one the certificate is using. The Windows certificate store doesn't let you investigate the certificate, so it's very possible the default cipher suites are not suitable. Are you exporting your keys with the full trust chain? I documented how to set up from a developer perspective, but it is likely good documentation to review. I generally find the Windows certificate store and testing it extremely particular about what it accepts.
Hi @mattdurham, thanks for the doc. As the template is set up already by our security team and is widely used by other teams, I cannot modify it. Here is the screenshot: And here is the config file we are using now: The cert had been imported into the Edge browser, but it is showing the error below: Any further thought would be much appreciated.
I wonder if it's related to golang/go#45990
Yes, I checked this one as well but found it is almost one year ago, so :P
@mattdurham I would like to test or try anything else if there is anything, thanks.
It's so hard to test, since it's certificates and you can't really share those. Does it work if you don't use the certificate store but instead export them and reference them via files?
Thanks @mattdurham, I tried it that way and it looks good. Config file snippet with TLS specified:
Hi @mattdurham, may I know if there is any update on this issue?
No, I can't recreate it. So I'm mostly at a dead end on my side. If it's possible to share the certificates, or dummy generated ones, maybe I could dig into it from that angle.
@mattdurham sure, how could I send it to you? Though it is a test one, I would like to send it in a safe way; an email would be better.
The community Slack channel is likely the best way; mattd there.
Thanks @mattdurham, I have sent the cert and key to you via the Slack channel.
Hi All,
We have tried 0.39.2; the issue still persists.
Thanks @mattdurham for the great help. The modified version (https://github.com/mattdurham/agent/releases/tag/cerstore2) fixed the cert store issue, but there is some limitation. Here is the workable config: If we set the TLS version to 1.3, even if it is the max one, the connection will be broken: Besides, though I set the cipher_suites in the config (), when I tried to connect to it with another cipher, the connection is still set up: The Windows server we are running on is 2019; it does support TLS 1.2 only, but how about the cipher suites? I think Grafana Agent should only accept connections with the listed ones and deny connections with others. Please help on this one. Thanks.
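An added check, not code from the Grafana Agent project or from anyone in this thread: a self-contained Go program that maps min_version, max_version and cipher_suites onto crypto/tls the way the linked tls.go suggests the agent does (that pass-through is an assumption), generates a throwaway self-signed certificate in memory, and runs three handshakes against it in-process. It shows that with max_version pinned to TLS 1.2 a client offering only an unlisted suite is refused, while once TLS 1.3 is allowed a TLS 1.3 client negotiates a suite that is not on the list at all, because Go's crypto/tls does not allow TLS 1.3 cipher suites to be configured (the CipherSuites field applies to TLS 1.0 through 1.2 only).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ServerPolicy maps the http_tls_config knobs (min_version, max_version,
// cipher_suites) onto crypto/tls as a plain Go server would. That the agent
// passes them through unchanged is an assumption, not verified here.
func ServerPolicy(cert tls.Certificate, minVer, maxVer uint16, suites []uint16) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   minVer,
		MaxVersion:   maxVer,
		CipherSuites: suites, // consulted for TLS 1.0-1.2 only; TLS 1.3 suites are fixed in Go
	}
}

// ClientOffer stands in for a scraper or openssl s_client offering one version
// range and one cipher list. InsecureSkipVerify is acceptable only because the
// server uses the throwaway self-signed certificate built below.
func ClientOffer(minVer, maxVer uint16, suites []uint16) *tls.Config {
	return &tls.Config{
		MinVersion:         minVer,
		MaxVersion:         maxVer,
		CipherSuites:       suites,
		ServerName:         "localhost",
		InsecureSkipVerify: true,
	}
}

// SelfSignedCert builds a short-lived ECDSA P-256 leaf in memory (constructed
// test material, no certificate store involved) so the example runs offline.
func SelfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Handshake runs one client handshake against an in-process listener and returns
// what was negotiated, or the error the client saw (a refused suite or version
// surfaces here as a handshake_failure or protocol_version alert).
func Handshake(srv, cli *tls.Config) (tls.ConnectionState, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	done := make(chan struct{})
	go func() {
		defer close(done)
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			_ = c.(*tls.Conn).Handshake() // server side; its error surfaces on the client
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer conn.Close()
	<-done
	return conn.ConnectionState(), nil
}

func main() {
	cert, err := SelfSignedCert()
	if err != nil {
		panic(err)
	}
	allow := []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
	other := []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384}
	// max_version pinned to 1.2: the cipher list is enforced.
	srv12 := ServerPolicy(cert, tls.VersionTLS12, tls.VersionTLS12, allow)
	_, err = Handshake(srv12, ClientOffer(tls.VersionTLS12, tls.VersionTLS12, other))
	fmt.Println("TLS 1.2, unlisted suite ->", err)
	st, err := Handshake(srv12, ClientOffer(tls.VersionTLS12, tls.VersionTLS12, allow))
	fmt.Println("TLS 1.2, listed suite   ->", err, tls.CipherSuiteName(st.CipherSuite))
	// max_version raised to 1.3: a 1.3 client lands on a suite that is not on the list.
	srv13 := ServerPolicy(cert, tls.VersionTLS12, tls.VersionTLS13, allow)
	st, err = Handshake(srv13, ClientOffer(tls.VersionTLS13, tls.VersionTLS13, other))
	fmt.Println("TLS 1.3 allowed         ->", err, tls.CipherSuiteName(st.CipherSuite), "on list:", st.CipherSuite == allow[0])
}
```

So when a connection with an unlisted cipher succeeds, the first thing to check is which protocol version it actually negotiated; from the outside, `openssl s_client -connect host:port -tls1_2 -cipher <name>` asks the same question. An unlisted suite accepted on a TLS 1.2 connection would be a real enforcement gap; an unlisted suite on a TLS 1.3 connection is the Go behaviour shown above, and the only way to keep the 1.2 list meaningful is to keep max_version at 1.2.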
Hi there 👋 On April 9, 2024, Grafana Labs announced Grafana Alloy, the spiritual successor to Grafana Agent and the final form of Grafana Agent flow mode. As a result, Grafana Agent has been deprecated and will only be receiving bug and security fixes until its end-of-life around November 1, 2025. To make things easier for maintainers, we're in the process of migrating all issues tagged variant/flow to the Grafana Alloy repository to have a single home for tracking issues. This issue is likely something we'll want to address in both Grafana Alloy and Grafana Agent, so just because it's being moved doesn't mean we won't address the issue in Grafana Agent :)
@rfratto @mattdurham the TLS cipher issue is still pending resolution; may I have an update on this? The deadline from our security team is around July 14th.
I never could satisfactorily recreate the issue, or resolve it in a manner that felt safe and acceptable. It is unlikely to be resolved without additional information or outside effort.
@mattdurham thanks for the update, Matt. Please feel free to let me know what kind of info you'd like to collect; another session would be fine.
What's wrong?
This is per a closed issue: grafana/agent#4698
We installed GA 0.37.2 on Windows Server without changing any configuration; errors were posted in the log files like below:

When I tried to curl the /metrics, it replied with error:

When I used openssl to connect the server:

Steps to reproduce
System information
Windows Server 2019
Software version
Grafana Agent 0.37.2
Configuration
Logs
No response