Enable advanced TLS configuration parameters #248

Closed
sakthiraam opened this issue Aug 8, 2022 · 4 comments · Fixed by #256

Comments

@sakthiraam

sakthiraam commented Aug 8, 2022

Hi @pracucci & @bboreham, good day!

We need the full set of TLS config parameters that are available via exporter-toolkit/web to be configurable via the weaveworks/common package.

We see that it was removed as part of #245. We are using Cortex and, as per our organization's standard, we want to use a set of strong ciphers for all the HTTPS listening endpoints. If we have the above config parameters, we can fix it by using the cipher_suites and prefer_server_cipher_suites options.

We see that the same problem applies to Loki, Tempo and Mimir. Let us know if you need any additional information.

Note: We already enabled the client authentication by setting "RequireAndVerifyClientCert".

@bboreham
Collaborator

bboreham commented Aug 8, 2022

> we have TLS related vulnerability [...].

Do you have a reference to this vulnerability?
If it is not public information don’t post it; see here or here.

@sakthiraam
Author

Apologies, I have updated my issue now. Will send an email to the mentioned group. Please do help to remove the comment reference from your response as well.

@bboreham
Collaborator

bboreham commented Sep 1, 2022

After some time, the information that you sent reached me.
As far as I can see, you asked for the ability to specify a list of cipher suites to use.
Go already takes a view, and excludes some as insecure, but you want to exclude some more.

(I don't think this info is sensitive; there are many many lists of recommended ciphers online)

I have posted #256 as a possible resolution.
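
A cipher-suite allow-list checked against Go's `crypto/tls`, as an added example that is not part of this thread and is not the code in #256; `parseCipherSuites` and the sample list are hypothetical. It goes slightly beyond the comment above by also rejecting TLS 1.3 suite names, which `crypto/tls` does not let you configure.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// parseCipherSuites (hypothetical helper) maps a comma-separated list of suite
// names to IDs for tls.Config.CipherSuites. Unknown, insecure and TLS 1.3 names
// are errors, so a typo cannot silently change what the listener offers.
func parseCipherSuites(list string) ([]uint16, error) {
	suites := map[string]*tls.CipherSuite{}
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		suites[cs.Name] = cs
	}
	var ids []uint16
	for _, name := range strings.Split(list, ",") {
		name = strings.TrimSpace(name)
		cs, ok := suites[name]
		switch {
		case name == "":
			continue
		case !ok || cs.SupportedVersions[0] == tls.VersionTLS13:
			return nil, fmt.Errorf("cipher suite %q is unknown or not configurable", name)
		case cs.Insecure:
			return nil, fmt.Errorf("cipher suite %q is listed as insecure by crypto/tls", name)
		}
		ids = append(ids, cs.ID)
	}
	if len(ids) == 0 {
		// An empty CipherSuites field would fall back to Go's default list.
		return nil, fmt.Errorf("cipher suite list is empty")
	}
	return ids, nil
}

func main() {
	// Constructed sample allow-list. PreferServerCipherSuites is left unset:
	// crypto/tls ignores that field since Go 1.17.
	ids, err := parseCipherSuites("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
	if err != nil {
		panic(err)
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: ids}
	fmt.Println(cfg.CipherSuites)
}
```

`CipherSuites` only affects TLS 1.0 to 1.2 handshakes; a TLS 1.3 client still negotiates one of Go's fixed TLS 1.3 suites regardless of this list.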

@sakthiraam
Author

Thanks a lot @bboreham. Looking forward to the pull request being merged to master.
