HTTP: Add TLS version configurability for grafana server

[venkatbvc]

Backend: Add TLS version configurability for grafana server. Also backward compatibility is supported. A new parameter min_tls_version are added to the [server] section.

What is this feature?

Currently TLS version and ciphers are hardcoded for http_server. This PR adds configurability from the user point of view.

Why do we need this feature?

User doesn't flexibility to add ciphers and fix version of TLS that needs to be used.

Who is this feature for?

For all

Special notes for your reviewer:

Please check that:

• It works as expected from a user's perspective.
• If this is a pre-GA feature, it is behind a feature toggle.
• The docs are updated, and if this is a notable improvement, it's added to our What's New doc.

[CLAassistant]

All committers have signed the CLA.

[venkatbvc]

@torkelo How do i add the following labels:
nobackport
milestone can be next minor version
Changelog - i have updated document. required document, but am not sure whether it needs to be part of changelog.md

[venkatbvc]

Hi All,
Can anyone check and let me know what needs to be done for adding the required label for checks to pass

[chri2547]

Suggested change

	Minimum TLS version that needs to be used in TLS Handshake. Possible Values are TLS1.2 and TLS1.3.
	The TLS Handshake requires a minimum TLS version. The available options are TLS1.2 and TLS1.3.

[venkatbvc]

I have made changes.

[chri2547]

Docs approved.

[venkatbvc]

@torkelo @suntala @zserge @danielkenlee @sakjur Can you please review and provide your comments

[sakjur]

This is fairly low prio right now, it missed our Grafana 10.0 window and it'd at best make it into 10.1.

I don't know if I think we should do this at all, I'm all for configuring the minimum TLS version (after all, if all your users are using modern browsers, it makes sense to only permit TLS 1.3), but for exact ciphersuites, I'm skeptical. Partly because we're unable to configure the ciphersuites for TLS 1.3 because that's not supported by Go upstream (golang/go#29349) and partly because detailed configuration of TLS is sort of what reverse proxies such as nginx and Caddy excels at.

Quick review:
If we're to merge this I don't think we should be linking into the Go codebase for documenting the available options (that list is unlikely to change very much, so I think we could copy it into our docs), and you should use github.com/grafana/grafana/pkg/util.SplitString for splitting the list items.

[TomsioncatiGraf]

Configurability of cipher suites
👍 Increased user optionality, normally good
👎 Go is very good at picking cipher suites, so generally bad for security overall

I'd suggest not making cipher suites configurable and trusting Go upstream

[venkatbvc]

@sakjur @TomsioncatiGraf Thanks for your comments. I have started with only make tls version configurable. But when i checked at the ldap.toml these were made configurable. So i thought it may be a good idea to configure.
So if you think tls_ciphers better not to configure and leave what is configured in the code by default, i can change PR only to set min tls version. Let me know your view. so that i can push accordingly

[sakjur]

@venkatbvc If we can start with just the TLS version, that’d be something I’d approve 🙂

[venkatbvc]

@sakjur Thanks. I will publish changes only for tls version. tls_ciphers i can do later if required

[venkatbvc]

@sakjur pushed code only for configuring tls version. Please check

[sakjur]

@venkatbvc Thank you! I'll put this on my todo to review 🙂

[rpasche]

2 questions, as I stumbled on this PR while trying to configure ciphers to be used.

1. I'm questioning, if this isn't an error? What, if I wanted to configure the minTLSVersion == 1.3? (https://github.com/grafana/grafana/pull/67482/files#diff-059f97ccda689ebea0e2f9981cd736d77b1fa01a719d95abae333ad40fb0b9c4R744)
2. Although we could then set a minTLSVersion to be configurable, the list of ciphers (attached to each version) still looks unchangeable to me. Or am I missing something?

[venkatbvc]

@rpasche Initially, i have made tls version and ciphers configurable. Later, it was found that tlsCiphers setting have issues(Check this comment: #67482 (comment)) . So removed setting the TLS ciphers. only TLS version is configurable now.
If TLS version is set to 1.3, then crpto/tls will choose the default ciphers.
Following is the excerpt from crypto/tls:

// CipherSuites is a list of enabled TLS 1.0–1.2 cipher suites. The order of
// the list is ignored. Note that TLS 1.3 ciphersuites are not configurable.
//
// If CipherSuites is nil, a safe default list is used. The default cipher
// suites might change over time.
CipherSuites [][uint16]

[rpasche]

@rpasche Initially, i have made tls version and ciphers configurable. Later, it was found that tlsCiphers setting have issues(Check this comment: #67482 (comment)) . So removed setting the TLS ciphers. only TLS version is configurable now. If TLS version is set to 1.3, then crpto/tls will choose the default ciphers. Following is the excerpt from crypto/tls:

// CipherSuites is a list of enabled TLS 1.0–1.2 cipher suites. The order of // the list is ignored. Note that TLS 1.3 ciphersuites are not configurable. // // If CipherSuites is nil, a safe default list is used. The default cipher // suites might change over time. CipherSuites [][uint16]

@venkatbvc thank you for this explanation.

[sakjur]

Tested this locally and it works great, thanks for your contribution 🎉