Cipher Supprt and disabling TLS version

[sakthiraam]

Hi,
Good Day!

We are trying to specify strong cipher suites and TLS version via system property but it is not recognized by the JMX exporter. We used the below system properties

-Djavax.net.ssl.protocol=TLSv1.2
-Djavax.net.ssl.cipherSuites=

Is there any other property which we can set to make sure JMX exporter is using the specified version of TLS and Cipher Suites.

I can see all the PROTOCOLS are specified in the source code. Seeing if we have an option to override it

jmx_exporter/jmx_prometheus_common/src/main/java/io/prometheus/jmx/common/http/ssl/SSLContextFactory.java

Line 35 in 89275ac

private static final String[] PROTOCOLS = {"TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"};

EDIT: Fixed link to code (dhoard)

[dhoard]

@sakthiraam As you pointed out, The code (as written) tries to use the most secure TLS version supported by the JVM.

You should be able to change TLS/cipher suites by using system properties...

jdk.tls.client.protocols
jdk.certpath.disabledAlgorithms
jdk.tls.disabledAlgorithms

... or by editing your JVM java.security file.

I'm concerned that if we add this type of configuration to the exporter YAML we could end up in a scenario where a mismatch would cause problems that are hard to debug.

Example:

the JVM is set to only use TLSv1.3 and the exporter YAML is configured to use TLSv1.2