Plans to update the Ciphers in the near future?

Grafana Configuration
,
1

My security team is requesting I disable all CBC ciphers. Are there plans to update the set of ciphers Grafana is currently using?

	tlsCfg := &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
		},

I would rather not complicate the system with a reverse proxy if I can help it.

2

We are facing the same issue/request with our security team. Aka Security scanner.

3

Use reverse proxy in front of Grafana and configure required TLS configuration (that’s not only ciphers - also min/max TLS version, client/server cipher preference,… ) there.
I would say config on the Grafana side will be very complicated over time (e. g. TLS 1.3 doesn’t have configurable ciphers) and it depends on the used Golang version (e. g. TLS 1.3 opt in/opt out) so that will lead to more problems and confusions on the user side.