- Type: Task
- Resolution: Fixed
- Priority: Major - P3
- None
- Affects Version/s: None
- Component/s: Ops Manager
- Labels: None
Description
https://jira.mongodb.org/browse/CLOUDP-74113
Disable DH-1024 Ciphers for Queryable Backup ProxyServer listener
was resolved in Ops Manager 4.2.22 and 4.4.6
https://jira.mongodb.org/browse/CLOUDP-70734
Ops Manager Queryable Snapshot Proxy Server Port does not enforce minimum TLS version using mms.minimumTLSVersion
was resolved in 4.2.21 and 4.4.5
but per this comment:
"I backported the code however I couldn't disable TLSv1 and ciphers by default since it will affect other customers. Please advise this client to put the following in conf-mms.properties:
brs.queryable.tls.disabledProtocols=SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.3
brs.queryable.tls.disabledCiphers=TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
These settings are currently undocumented and should possibly be added to the following documentation pages so that customers can disable TLSv1 and ciphers for queryable snapshots/restores:
Ops Manager Configuration Settings > Queryable Snapshot Configuration
Ops Manager Application Settings > Queryable Snapshot Configuration
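
An added example (not MongoDB's code and not part of the ticket): a Python check that reads the contents of a conf-mms.properties file and reports which of the protocol and cipher names quoted in the comment above are not listed under the two brs.queryable.tls.* settings. The parser, the function names and the sample file contents are assumptions made for illustration, and names are compared exactly as written.

```python
import re

# Values quoted in the ticket comment; everything else here is illustrative.
RECOMMENDED = {
    "brs.queryable.tls.disabledProtocols": "SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.3",
    "brs.queryable.tls.disabledCiphers":
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,"
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,"
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}

def parse_properties(text):
    """Minimal .properties reader: comments, '=' / ':' separators, '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]  # join with the next physical line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(text):
    """Return {property: recommended values that the file does not disable}."""
    props = parse_properties(text)
    gaps = {}
    for key, wanted in RECOMMENDED.items():
        have = {v.strip() for v in props.get(key, "").split(",") if v.strip()}
        missing = sorted(set(wanted.split(",")) - have)
        if missing:
            gaps[key] = missing
    return gaps

# Constructed sample file contents, deliberately incomplete.
SAMPLE = """\
# queryable backup TLS settings
brs.queryable.tls.disabledProtocols = SSLv2Hello, SSLv3, TLSv1
brs.queryable.tls.disabledCiphers=TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\\
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
"""

if __name__ == "__main__":
    for key, missing in audit(SAMPLE).items():
        print(f"{key} does not disable: {', '.join(missing)}")
```

An empty result from `audit()` means both settings contain every value from the comment; a missing property is reported with its full recommended list.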