Secure socket communication protocols and ciphers should be configurable

[cwjohnston]

Expected Behavior

As an operator I can configure Sensu network daemons for secure communication, including configuring the permitted security protocols and ciphers.

Current Behavior

Operators can enable secure socket communication, but cannot explicitly enable or disable particular protocols and ciphers.

Possible Solution

Make TLS/SSL protocols and ciphers configurable.

Context

The security policies of many organizations require that protocol and cipher combinations with known vulnerabilities or suspected weaknesses be disabled.

It is recommended that testssl.sh tool tool be used for testing secure socket communication. This tool runs a battery of tests against a given URL, checking for various known vulnerabilities and undesirable protocol/cipher combinations.

Your Environment

• Sensu version used (sensuctl, sensu-backend, and/or sensu-agent): 5.6.0
• Installation method (packages, binaries, docker etc.):
• Operating System and version (e.g. Ubuntu 14.04):

[sureshsubramaniam]

If there is a possibility to have inclusion list of Ciphers in the configuration, it would be awesome

[annaplotkin]

This is a high priority security issue reported by Citi during their audit of Sensu Go.

[palourde]

For reference, something relatively similar (configurable list) was implemented in Uchiwa: https://github.com/sensu/uchiwa/pull/745/files

[sureshsubramaniam]

some references to weak ciphers in etcd
etcd-io/etcd#8320

[echlebek]

I've filed the following issues to cover non-etcd communication:

#2952
#2953
#2954
#2955

I believe that since etcd cipher suite selection is the primary issue at hand, we can consider the scope of this issue to cover etcd communication only.