TLS set ciphers in Prometheus web.yml file

Hi.
I’m trying to get HTTPS working on the Prometheus API. I got HTTPS working and also authentication working.
But a vuln scan on the API shows that weak ciphers are enabled. This seems to be because the Go defaults are very weak, which I find annoying considering it’s 2022.
Anyhow, I’ve looked at the documentation for setting the cipher and can’t seem to get it right.

Does anyone know how to configure the line in the web.yml file to do this?

The documentation shows:

  # List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
  # Go default cipher suites are used. Available cipher suites are documented
  # in the go documentation:
  # https://golang.org/pkg/crypto/tls/#pkg-constants
  [ cipher_suites:
    [ - <string> ] ]

So I tried:
cipher_suites: [ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ]

I also tried:
[ cipher_suites: [ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ]  ]

but Prometheus won't start.

Anyone?
I would think that using default weak ciphers would be really discouraged these days.

Nope, users will be very disappointed when they won’t be able to connect with their clients, which don’t support modern ciphers (Windows XP, Java 6, …). So Go defaults are open for everybody (+ safe, because explicitly vulnerable TLS versions are disabled). You as an administrator should know your users/their clients and you should configure your TLS based on that.

If you want to be very modern and “safe”, then use minimal TLS version 1.3 and you will not have any problem with TLS 1.2 cipher configuration. Simple solution, but some clients may not be able to reach your server.

# Minimum TLS version that is acceptable.
min_version: TLS13

Thanks. Did the trick. Spot on
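As an added example (not Prometheus or exporter-toolkit code), a small Go program that resolves the cipher_suites names and the min_version value from web.yml against the crypto/tls package the documentation snippet points to: it accepts only names Go itself lists as secure, refuses names from Go's insecure list, and confirms that the two suite names tried above are valid Go names. Function and variable names are hypothetical.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// tlsVersions maps web.yml min_version names to Go's version constants.
var tlsVersions = map[string]uint16{
	"TLS10": tls.VersionTLS10, "TLS11": tls.VersionTLS11,
	"TLS12": tls.VersionTLS12, "TLS13": tls.VersionTLS13,
}

// ResolveCipherSuites maps cipher_suites: names to crypto/tls IDs; names Go classifies as insecure (RC4, ...) are refused. Hypothetical helper.
func ResolveCipherSuites(names []string) ([]uint16, error) {
	secure := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = cs.ID
	}
	var ids []uint16
	for _, n := range names {
		id, ok := secure[n]
		if !ok {
			for _, cs := range tls.InsecureCipherSuites() {
				if cs.Name == n {
					return nil, fmt.Errorf("cipher suite %s is insecure", n)
				}
			}
			return nil, fmt.Errorf("unknown cipher suite %q", n)
		}
		ids = append(ids, id)
	}
	return ids, nil
}

// BuildTLSConfig combines min_version and cipher_suites. With TLS13 the
// list is validated but inert: Go ignores Config.CipherSuites for TLS 1.3.
func BuildTLSConfig(minVersion string, suites []string) (*tls.Config, error) {
	v, ok := tlsVersions[minVersion]
	if !ok {
		return nil, fmt.Errorf("unknown min_version %q", minVersion)
	}
	ids, err := ResolveCipherSuites(suites)
	if err != nil {
		return nil, err
	}
	return &tls.Config{MinVersion: v, CipherSuites: ids}, nil
}

func main() { fmt.Println(ResolveCipherSuites([]string{"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"})) }
```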