Commit 3d727c5

krajorama and dashpole authored
feat(om2): recommend TLS 1.3 while keeping TLS 1.2 as minimum (#2925)
* feat(om2): recommend TLS 1.3 while keeping TLS 1.2 as minimum

  TLS 1.3 (RFC 8446) is the current industry standard. Keep TLS 1.2 as the minimum for compatibility but add a SHOULD for TLS 1.3.

  Signed-off-by: György Krajcsovits <gyorgy.krajcsovits@grafana.com>

  Coded with Claude Sonnet 4.6.

* Apply suggestions from code review

  Co-authored-by: David Ashpole <dashpole@google.com>
  Signed-off-by: George Krajcsovits <krajorama@users.noreply.github.com>

---------

Signed-off-by: György Krajcsovits <gyorgy.krajcsovits@grafana.com>
Signed-off-by: George Krajcsovits <krajorama@users.noreply.github.com>
Co-authored-by: David Ashpole <dashpole@google.com>
1 parent c9cde74 commit 3d727c5

1 file changed

Lines changed: 2 additions & 2 deletions

docs/specs/om/open_metrics_spec_2_0.md

@@ -438,7 +438,7 @@ Partial or invalid expositions MUST be considered erroneous in their entirety.
438438
439439
### Protocol Negotiation
440440

441-
All ingestor implementations MUST be able to ingest data secured with TLS 1.2 or later. All exposers SHOULD be able to emit data secured with TLS 1.2 or later. Ingestor implementations SHOULD be able to ingest data from HTTP without TLS. All implementations SHOULD use TLS to transmit data.
441+
All ingestor implementations MUST be able to ingest data secured with TLS 1.2 or later, and SHOULD support TLS 1.3 or later. All exposers SHOULD be able to emit data secured with TLS 1.3 or later. Ingestor implementations SHOULD be able to ingest data from HTTP without TLS. All implementations SHOULD use TLS to transmit data.
442442

443443
Negotiation of what version of the OpenMetrics format to use is out-of-band. For example for pull-based exposition over HTTP standard HTTP content type negotiation is used, and MUST default to the oldest version of the standard (i.e. 1.0.0) if no newer version is requested.
444444
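Review bot: The exposer sentence on new line 441 loses its TLS 1.2 baseline, while the ingestor sentence keeps "MUST ... TLS 1.2 or later" and only adds a SHOULD for 1.3. The commit title says TLS 1.2 stays the minimum, but after this change the paragraph no longer mentions 1.2 for exposers at all, so an exposer that can only emit TLS 1.2 misses the SHOULD even though every conforming ingestor must accept it. Consider mirroring the ingestor wording, for example "All exposers SHOULD be able to emit data secured with TLS 1.2 or later, and SHOULD support TLS 1.3", and using the same verb in both sentences ("be able to ingest" versus "support" currently differ). The commit message cites RFC 8446; a reference to it in the spec text would make "TLS 1.3" unambiguous.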

@@ -1442,7 +1442,7 @@ If all targets of a particular type are exposing the same set of time series, th
14421442

14431443
Implementors MAY choose to offer authentication, authorization, and accounting; if they so choose, this SHOULD be handled outside of OpenMetrics.
14441444

1445-
All exposer implementations SHOULD be able to secure their HTTP traffic with TLS 1.2 or later. If an exposer implementation does not support encryption, operators SHOULD use reverse proxies, firewalling, and/or ACLs where feasible.
1445+
All exposer implementations SHOULD be able to secure their HTTP traffic with TLS 1.3 or later. If an exposer implementation does not support encryption, operators SHOULD use reverse proxies, firewalling, and/or ACLs where feasible.
14461446

14471447
Metric exposition should be independent of production services exposed to end users; as such, having a /metrics endpoint on ports like TCP/80, TCP/443, TCP/8080, and TCP/8443 is generally discouraged for publicly exposed services using OpenMetrics.
14481448
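Review bot: On new line 1445 an exposer that supports only TLS 1.2 now falls between the two sentences: it does not meet "SHOULD be able to secure their HTTP traffic with TLS 1.3 or later", yet the fallback guidance applies only when an implementation "does not support encryption". Please state what operators should do in that case, either by saying TLS 1.2 remains acceptable here (consistent with the ingestor MUST in Protocol Negotiation) or by extending the second sentence to cover exposers that cannot offer TLS 1.3. Since this sentence restates the Protocol Negotiation requirement, a cross-reference to that section would keep the two from drifting apart on the next version bump.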
