Type: Improvement
Resolution: Done
Priority: Minor - P4
Affects Version/s: None
Component/s: Ops Manager
In Ops Manager v3.6 we provided users with the ability to disable specific TLS/SSL cipher suites.
We have a corresponding section added to the documentation here.
The problem is that it is not really obvious that the ciphers must be specified in the format used by Java, which follows the cipher suite naming defined in the RFC.
To elaborate further, a user might want to use the OpenSSL toolkit to check the available ciphers. However, the cipher suite names used by OpenSSL do not match the RFC names:
// This is the same cipher suite
// Java / RFC: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
// OpenSSL:    ECDHE-RSA-DES-CBC3-SHA
Unfortunately, if the cipher that needs to be disabled is specified in the OpenSSL format (e.g. ECDHE-RSA-DES-CBC3-SHA, not TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA), Ops Manager will silently accept it, but the cipher suite will not get disabled.
We should clarify that the cipher suite names must be specified in the Java / RFC format, as otherwise some users may end up in a situation where they think they have disabled some ciphers when that is not actually the case.
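As an added example (not Ops Manager code), a pre-flight check an operator can run over the list of cipher names before putting them into the configuration: it builds the OpenSSL-to-RFC mapping from `openssl ciphers -stdname` output (a constructed sample is embedded; the exact "RFC - OpenSSL" line format is an assumption) and rejects anything that is not a known RFC name, rather than silently accepting it.

```python
import re
from typing import NamedTuple

# Constructed sample of `openssl ciphers -stdname` output. Assumed line format:
# "<RFC/IANA name> - <OpenSSL name>"; a real run lists many more suites.
OPENSSL_STDNAME_OUTPUT = """\
TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - ECDHE-RSA-AES128-GCM-SHA256
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ECDHE-RSA-DES-CBC3-SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA - DES-CBC3-SHA
"""

# Java/RFC (IANA) names: TLS_ or SSL_ prefix, upper-case tokens joined by "_".
# OpenSSL names use "-" separators, so they never match this pattern.
RFC_NAME = re.compile(r"^(TLS|SSL)_[A-Z0-9]+(_[A-Z0-9]+)*$")


def parse_stdname_output(text: str) -> dict[str, str]:
    """Map each OpenSSL cipher name to its RFC/IANA name."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split(" - ", 1)
        if len(parts) == 2:
            rfc, openssl = (p.strip() for p in parts)
            mapping[openssl] = rfc
    return mapping


class Check(NamedTuple):
    name: str
    ok: bool
    reason: str


def check_disabled_ciphers(names, openssl_to_rfc):
    """Accept only RFC names the TLS stack knows; explain every rejection."""
    known_rfc = set(openssl_to_rfc.values())
    results = []
    for n in names:
        if n in known_rfc:
            results.append(Check(n, True, "RFC name known to the TLS stack"))
        elif n in openssl_to_rfc:
            # The silent-failure case from the ticket: suggest the RFC spelling.
            results.append(Check(n, False, f"OpenSSL name; use {openssl_to_rfc[n]}"))
        elif RFC_NAME.match(n):
            results.append(Check(n, False, "RFC-style name unknown to the TLS stack"))
        else:
            results.append(Check(n, False, "not a valid RFC cipher suite name"))
    return results
```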