From fcd842feb0509b8e2982051bc3912681ec8b9731 Mon Sep 17 00:00:00 2001
From: Julien Pivotto
Date: Sat, 25 Apr 2020 15:51:32 +0200
Subject: [PATCH 1/2] TLS: only support TLS 1.2
TLS 1.0 and 1.1 are deprecated by major vendors (e.g. browsers).
Signed-off-by: Julien Pivotto
---
 https/tls_config.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/https/tls_config.go b/https/tls_config.go
index 7d381b8480..4b2986272e 100644
--- a/https/tls_config.go
+++ b/https/tls_config.go
@@ -50,7 +50,9 @@ func getTLSConfig(configPath string) (*tls.Config, error) {
 // ConfigToTLSConfig generates the golang tls.Config from the TLSStruct config.
 func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error) {
- cfg := &tls.Config{}
+ cfg := &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ }
 if len(c.TLSCertPath) == 0 {
 return nil, errors.New("missing TLSCertPath")
 }
From 72fce0679bfe5b0d39ba13f2773931f72bbf5615 Mon Sep 17 00:00:00 2001
From: Julien Pivotto
Date: Mon, 27 Apr 2020 19:19:09 +0200
Subject: [PATCH 2/2] Add tls versions
Signed-off-by: Julien Pivotto
---
 https/README.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/https/README.md b/https/README.md
index 946f2cf6be..e8e4504c91 100644
--- a/https/README.md
+++ b/https/README.md
@@ -1,7 +1,10 @@
 # HTTPS Package for Prometheus
-The `https` directory contains a Go package and a sample configuration file for running `node_exporter` with HTTPS instead of HTTP.
-When running a server with TLS use the flag `--web.config`
+The `https` directory contains a Go package and a sample configuration file for
+running `node_exporter` with HTTPS instead of HTTP. We currently support TLS 1.3
+and TLS 1.2.
+
+To run a server with TLS, use the flag `--web.config`.
 e.g. `./node_exporter --web.config="web-config.yml"` If the config is kept within the https directory.
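Review bot: The `MinVersion: tls.VersionTLS12` line in ConfigToTLSConfig sets a floor rather than the single version the commit title suggests, because `MaxVersion` stays at its zero value and crypto/tls will still negotiate TLS 1.3 where the toolchain supports it. A comment on that line would stop a later reader from "correcting" it, for example `// Floor only: MaxVersion is left unset so newer TLS versions stay available.` `CipherSuites` is not set in the visible lines either, so TLS 1.2 handshakes use Go's default suite list; the function body continues outside this hunk, so confirm whether it is set further down and, if not, whether an explicit AEAD-only list is wanted. A test in which a client capped at TLS 1.1 fails the handshake would pin the new behaviour against regressions.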