From 8a29b4f383be0bcf61a847d1173b04bca148c292 Mon Sep 17 00:00:00 2001
From: Matthias Loibl <mail@matthiasloibl.com>
Date: Tue, 22 Jan 2019 16:59:34 +0100
Subject: [PATCH] Update ciphers and infos for them

---
 .../kube-prometheus/kube-prometheus.libsonnet | 24 +++++++++++--------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/jsonnet/kube-prometheus/kube-prometheus.libsonnet b/jsonnet/kube-prometheus/kube-prometheus.libsonnet
index 4b0d5a22..1e9f8565 100644
--- a/jsonnet/kube-prometheus/kube-prometheus.libsonnet
+++ b/jsonnet/kube-prometheus/kube-prometheus.libsonnet
@@ -43,24 +43,28 @@ local configMapList = k.core.v1.configMapList;
     namespace: 'default',
 
     tlsCipherSuites: [
+      'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',    // required by h2: http://golang.org/cl/30721
+      'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',  // required by h2: http://golang.org/cl/30721
+
       // 'TLS_RSA_WITH_RC4_128_SHA',            // insecure: https://access.redhat.com/security/cve/cve-2013-2566
       // 'TLS_RSA_WITH_3DES_EDE_CBC_SHA',       // insecure: https://access.redhat.com/articles/2548661
-      'TLS_RSA_WITH_AES_128_CBC_SHA',
-      'TLS_RSA_WITH_AES_256_CBC_SHA',
+      // 'TLS_RSA_WITH_AES_128_CBC_SHA',        // disabled by h2
+      // 'TLS_RSA_WITH_AES_256_CBC_SHA',        // disabled by h2
       'TLS_RSA_WITH_AES_128_CBC_SHA256',
-      'TLS_RSA_WITH_AES_128_GCM_SHA256',
-      'TLS_RSA_WITH_AES_256_GCM_SHA384',
+      // 'TLS_RSA_WITH_AES_128_GCM_SHA256',     // disabled by h2
+      // 'TLS_RSA_WITH_AES_256_GCM_SHA384',     // disabled by h2
       // 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA',    // insecure: https://access.redhat.com/security/cve/cve-2013-2566
-      'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
-      'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
+      // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',// disabled by h2
+      // 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',// disabled by h2
       // 'TLS_ECDHE_RSA_WITH_RC4_128_SHA',      // insecure: https://access.redhat.com/security/cve/cve-2013-2566
       // 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
-      'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
-      'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
+      // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',  // disabled by h2
+      // 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',  // disabled by h2
       'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
       'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
-      // 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',   // Doesn't work with h2
-      // 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', // Doesn't work with h2
+
+      // disabled by h2 means: https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/http2/ciphers.go
+
       // 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',   // TODO: Might not work with h2
       // 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', // TODO: Might not work with h2
       // 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',    // TODO: Might not work with h2
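Review bot: The list still enables `'TLS_RSA_WITH_AES_128_CBC_SHA256'` (the unchanged context line after the two `required by h2` entries), a static-RSA key-exchange suite with no forward secrecy and a CBC/HMAC record construction, so a later compromise of the server key decrypts recorded traffic to this endpoint; with the two ECDHE-GCM suites now present it is no longer needed as a fallback. If I read the referenced ciphers.go correctly, its blacklist is the RFC 7540 Appendix A list, which also names all three remaining `*_CBC_SHA256` suites, so the "disabled by h2" reasoning applied to the other CBC suites in this hunk seems to apply to these as well — worth confirming before relying on them for h2 clients. The three suites left as "TODO: Might not work with h2" (`TLS_ECDHE_*_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`) are ECDHE+AEAD suites that are not on that list, so I would enable them and retire the CBC ones, leaving an ECDHE/AEAD-only set with a per-line reason like the existing entries have. The `tlsCipherSuites` array opens and closes outside this hunk, and the effective preference order also depends on the Go tls.Config of the consuming binary, which this file does not show.
```jsonnet
    tlsCipherSuites: [
      'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',    // required by h2: http://golang.org/cl/30721
      'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',  // required by h2: http://golang.org/cl/30721
      'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',    // ECDHE + AEAD; not on the RFC 7540 Appendix A black list
      'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',  // ECDHE + AEAD; not on the RFC 7540 Appendix A black list
      'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',     // ECDHE + AEAD; not on the RFC 7540 Appendix A black list
      // … unchanged: commented-out "insecure" and "disabled by h2" entries …
      // 'TLS_RSA_WITH_AES_128_CBC_SHA256',        // no forward secrecy (static RSA), CBC; on the h2 black list (verify)
      // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',// CBC; on the h2 black list (verify)
      // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',  // CBC; on the h2 black list (verify)
```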
-- 
GitLab