<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:02:06 UTC 2024

-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[DOCS-11116] Clarify the format for cipher suite names in Ops Manager</title>
                <link>https://jira.mongodb.org/browse/DOCS-11116</link>
                <project id="10380" key="DOCS">Documentation</project>
                    <description>&lt;p&gt;In Ops Manager v3.6 we provided users with ability to disable specific TLS/SSL cipher suites.&lt;/p&gt;

&lt;p&gt;We have a corresponding section added to the documentation &lt;a href=&quot;https://docs.opsmanager.mongodb.com/current/reference/configuration/#mms.disableCiphers&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The problem is that it is not really obvious that &lt;a href=&quot;https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;the format in which the ciphers have to be specified must be the one used in Java&lt;/a&gt;, which follows cipher suite names notation &lt;a href=&quot;https://tools.ietf.org/html/rfc5246#appendix-C&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;as defined in the RFC&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;To elaborate further, a user might want to use the OpenSSL toolkit for checking the available ciphers. However &lt;a href=&quot;https://testssl.sh/openssl-rfc.mapping.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;cipher suite names used in OpenSSL do &lt;em&gt;not&lt;/em&gt; match the RFC&lt;/a&gt;:&lt;/p&gt;
&lt;p/&gt;
&lt;div id=&quot;syntaxplugin&quot; class=&quot;syntaxplugin&quot; style=&quot;border: 1px dashed #bbb; border-radius: 5px !important; overflow: auto; max-height: 30em;&quot;&gt;
&lt;table cellspacing=&quot;0&quot; cellpadding=&quot;0&quot; border=&quot;0&quot; width=&quot;100%&quot; style=&quot;font-size: 1em; line-height: 1.4em !important; font-weight: normal; font-style: normal; color: black;&quot;&gt;
		&lt;tbody &gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;  margin-top: 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;// This is the same cipher suite&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;// Java / RFC&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;// OpenSSL&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   margin-bottom: 10px;  width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;ECDHE-RSA-DES-CBC3-SHA&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
			&lt;/tbody&gt;
&lt;/table&gt;
&lt;/div&gt;
&lt;p/&gt;

&lt;p&gt;Unfortunately, if the cipher that needs to be disabled is specified in the OpenSSL format (e.g. &lt;tt&gt;ECDHE-RSA-DES-CBC3-SHA&lt;/tt&gt;, not &lt;tt&gt;TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA&lt;/tt&gt;), Ops Manager will silently accept it, but the cipher suite will &lt;b&gt;not&lt;/b&gt; get disabled.&lt;/p&gt;

&lt;p&gt;We should clarify that the cipher suite names must be specified in the Java / RFC format as otherwise some users may end up in a situation when they &lt;em&gt;think&lt;/em&gt; they have disabled some ciphers, but that&apos;s not actually the case.&lt;/p&gt;</description>
                <environment>&lt;a href=&quot;https://docs.opsmanager.mongodb.com/current/reference/configuration/#mms.disableCiphers&quot;&gt;https://docs.opsmanager.mongodb.com/current/reference/configuration/#mms.disableCiphers&lt;/a&gt;</environment>
        <key id="470925">DOCS-11116</key>
            <summary>Clarify the format for cipher suite names in Ops Manager</summary>
                <type id="4" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14710&amp;avatarType=issuetype">Improvement</type>
                                            <priority id="4" iconUrl="https://jira.mongodb.org/images/icons/priorities/minor.svg">Minor - P4</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="caleb.thompson@mongodb.com">Caleb Thompson</assignee>
                                    <reporter username="dmitry.ryabtsev@mongodb.com">Dmitry Ryabtsev</reporter>
                        <labels>
                            <label>security</label>
                            <label>ssl</label>
                    </labels>
                <created>Tue, 12 Dec 2017 00:52:46 +0000</created>
                <updated>Tue, 11 Sep 2018 21:55:14 +0000</updated>
                            <resolved>Sun, 11 Mar 2018 20:41:58 +0000</resolved>
                                                                    <component>Ops Manager</component>
                        <due></due>
                            <votes>1</votes>
                                    <watches>10</watches>
                                                                                                                <comments>
                            <comment id="1823818" author="xgen-internal-githook" created="Mon, 5 Mar 2018 22:32:18 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;email&apos;: &apos;caleb.thompson@mongodb.com&apos;, &apos;name&apos;: &apos;MongoCaleb&apos;, &apos;username&apos;: &apos;MongoCaleb&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/DOCS-11116&quot; title=&quot;Clarify the format for cipher suite names in Ops Manager&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DOCS-11116&quot;&gt;&lt;del&gt;DOCS-11116&lt;/del&gt;&lt;/a&gt; fix&lt;br/&gt;
Branch: v3.6&lt;br/&gt;
&lt;a href=&quot;https://github.com/10gen/mms-docs/commit/16226459d39dc523366017737e2864e8a63a122a&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/10gen/mms-docs/commit/16226459d39dc523366017737e2864e8a63a122a&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1823814" author="xgen-internal-githook" created="Mon, 5 Mar 2018 22:31:35 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;email&apos;: &apos;caleb.thompson@mongodb.com&apos;, &apos;name&apos;: &apos;MongoCaleb&apos;, &apos;username&apos;: &apos;MongoCaleb&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/DOCS-11116&quot; title=&quot;Clarify the format for cipher suite names in Ops Manager&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DOCS-11116&quot;&gt;&lt;del&gt;DOCS-11116&lt;/del&gt;&lt;/a&gt; fix&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/10gen/mms-docs/commit/cd2f5e849a6dc88a1edb4b64a4e08d31e5ee02ca&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/10gen/mms-docs/commit/cd2f5e849a6dc88a1edb4b64a4e08d31e5ee02ca&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1820119" author="caleb.thompson" created="Thu, 1 Mar 2018 18:19:27 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=james.broadhead&quot; class=&quot;user-hover&quot; rel=&quot;james.broadhead&quot;&gt;james.broadhead&lt;/a&gt; Awesome, thanks. I&apos;ll get something staged for you to review soon. &lt;/p&gt;</comment>
                            <comment id="1820098" author="james.broadhead" created="Thu, 1 Mar 2018 17:58:50 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=caleb.thompson&quot; class=&quot;user-hover&quot; rel=&quot;caleb.thompson&quot;&gt;caleb.thompson&lt;/a&gt; thanks for picking this up. &lt;/p&gt;

&lt;p&gt;We improved the logging after this ticket was filed. Now, customers will get something like this:&lt;/p&gt;
&lt;p/&gt;
&lt;div id=&quot;syntaxplugin&quot; class=&quot;syntaxplugin&quot; style=&quot;border: 1px dashed #bbb; border-radius: 5px !important; overflow: auto; max-height: 30em;&quot;&gt;
&lt;table cellspacing=&quot;0&quot; cellpadding=&quot;0&quot; border=&quot;0&quot; width=&quot;100%&quot; style=&quot;font-size: 1em; line-height: 1.4em !important; font-weight: normal; font-style: normal; color: black;&quot;&gt;
		&lt;tbody &gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;  margin-top: 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;mms0.log:2018-03-01T17:53:14.835+0000 [main] INFO  com.xgen.svc.core.ServerMain [ServerMain.java.createSSLConnector:634] - Disabled Ciphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, foo&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;mms0.log:2018-03-01T17:53:14.848+0000 [main] INFO  com.xgen.svc.core.ServerMain [ServerMain.java.createSSLConnector:639] - The following ciphers are enabled for Ops Manager: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, 
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   margin-bottom: 10px;  width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;mms0.log:2018-03-01T17:53:14.848+0000 [main] INFO  com.xgen.svc.core.ServerMain [ServerMain.java.createSSLConnector:641] - Your config lists the following as ciphers which should be disabled. However, they are not recognised by the JDK. Please check the format of the entries and list of enabled ciphers. [foo]&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
			&lt;/tbody&gt;
&lt;/table&gt;
&lt;/div&gt;
&lt;p/&gt; 


&lt;p&gt;Aside from that, the current docs mention the &apos;Admin&apos; interface &amp;#8211; this is not correct; the change applies to the whole OM interface &lt;/p&gt;</comment>
                            <comment id="1820055" author="caleb.thompson" created="Thu, 1 Mar 2018 17:30:13 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=luke.prochazka&quot; class=&quot;user-hover&quot; rel=&quot;luke.prochazka&quot;&gt;luke.prochazka&lt;/a&gt;, &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=james.broadhead&quot; class=&quot;user-hover&quot; rel=&quot;james.broadhead&quot;&gt;james.broadhead&lt;/a&gt;-- I&apos;m picking this up for Tony. Based on your most recent comments, it seems to me like the solution is to add a note to the (&lt;a href=&quot;https://docs.opsmanager.mongodb.com/current/reference/configuration/#mms.disableCiphers&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://docs.opsmanager.mongodb.com/current/reference/configuration/#mms.disableCiphers&lt;/a&gt;) section stating:&lt;/p&gt;

&lt;p&gt;&lt;tt&gt;OpenSSL cipher suite names do not match the cipher suite names defined in RFC 5246. Cipher suite names used in Ops Manager must follow the RFC or Java conventions. If Ops Manager does not recognize a cipher name, it will ignore the cipher name silently.&lt;/tt&gt; &lt;/p&gt;

&lt;p&gt;(and also probably link &quot;RFC 5246&quot; to &lt;a href=&quot;https://tools.ietf.org/html/rfc5246#appendix-C&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://tools.ietf.org/html/rfc5246#appendix-C&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;Does this work for you?&lt;/p&gt;</comment>
                            <comment id="1765474" author="luke.prochazka" created="Thu, 4 Jan 2018 21:06:40 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=james.broadhead&quot; class=&quot;user-hover&quot; rel=&quot;james.broadhead&quot;&gt;james.broadhead&lt;/a&gt;,&lt;/p&gt;

&lt;p&gt;In my experience, the published cipher list was incomplete.  For example, the following ciphers do not appear on that list, yet they are valid and accepted by the JRE, and are required to resolve for Sweet32:&lt;/p&gt;
&lt;p/&gt;
&lt;div id=&quot;syntaxplugin&quot; class=&quot;syntaxplugin&quot; style=&quot;border: 1px dashed #bbb; border-radius: 5px !important; overflow: auto; max-height: 30em;&quot;&gt;
&lt;table cellspacing=&quot;0&quot; cellpadding=&quot;0&quot; border=&quot;0&quot; width=&quot;100%&quot; style=&quot;font-size: 1em; line-height: 1.4em !important; font-weight: normal; font-style: normal; color: black;&quot;&gt;
		&lt;tbody &gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;  margin-top: 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;SSL_RSA_WITH_3DES_CBC_SHA&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;SSL_RSA_WITH_DES_EDE_CBC_SHA&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;SSL_DSS_WITH_DES_CBC_SHA&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;SSL_DSS_WITH_3DES_CBC_SHA&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;SSL_DH_DSS_WITH_DES_EDE_CBC_SHA&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;SSL_DH_RSA_WITH_DES_EDE_CBC_SHA&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;SSL_DHE_DSS_WITH_DES_EDE_CBC_SHA&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;SSL_DHE_RSA_WITH_DES_EDE_CBC_SHA&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;SSL_CK_DES_64_CBC_WITH_SHA&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   margin-bottom: 10px;  width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;SSL_CK_DES_192_EDE3_CBC_WITH_SHA&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
			&lt;/tbody&gt;
&lt;/table&gt;
&lt;/div&gt;
&lt;p/&gt;
&lt;p&gt;This is intrinsically the hazard of needing to spell out each cipher combination in the suite, as opposed to explicitly disabling a given cipher.&lt;/p&gt;</comment>
                            <comment id="1765473" author="james.broadhead" created="Thu, 4 Jan 2018 21:06:37 +0000"  >&lt;p&gt;^ I added a comment to the code review. Let&apos;s discuss the logging over there &amp;amp; keep this ticket about the documentation &lt;/p&gt;</comment>
                            <comment id="1765265" author="davi.ottenheimer" created="Thu, 4 Jan 2018 18:30:43 +0000"  >&lt;p&gt;i&apos;m a bit concerned with &quot;The following ciphers were not disabled as they were not recognized...&quot; message at face value. from a security perspective that sounds scary. unrecognized ciphers are not ones that should be left enabled.&lt;/p&gt;

&lt;p&gt;could we phrase instead as &quot;warning: the following ciphers are enabled and unrecognized&quot;?&lt;/p&gt;</comment>
                            <comment id="1764856" author="james.broadhead" created="Thu, 4 Jan 2018 12:51:17 +0000"  >&lt;p&gt;Thanks everybody for the input. &lt;/p&gt;

&lt;p&gt;In CLOUDP-26786, we&apos;re going to have Ops Manager log &quot;The following ciphers are enabled... &quot; and &quot;The following ciphers were not disabled as they were not recognized...&quot;. &lt;br/&gt;
With luck, this will let users tweak their lists more easily. &lt;/p&gt;

&lt;p&gt;If we continue to see confusion around this setting once that change has shipped, we&apos;ll contemplate adding some simpler UI.  (caveat: hiding detail can often be something users don&apos;t actually want when it comes to security settings)&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=tony.sansone&quot; class=&quot;user-hover&quot; rel=&quot;tony.sansone&quot;&gt;tony.sansone&lt;/a&gt; for this ticket: it seems that a minimal change to our docs would be to link out to the JSSE cipher suite names page &lt;a href=&quot;https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites&lt;/a&gt; &lt;/p&gt;</comment>
                            <comment id="1762533" author="davi.ottenheimer" created="Tue, 2 Jan 2018 06:20:44 +0000"  >&lt;p&gt;good catch. interesting that java still references deprecated SSL protocol when it means TLS. &lt;/p&gt;

&lt;p&gt;would it help if we discussed why the RFC used TLS, or other naming standards like this, when we list the &lt;a href=&quot;https://docs.google.com/document/d/1vA2w92MI8WT6aillyuXLxNUkbInGH4gDUws29fqX2fc/edit#heading=h.b0f6mi26u1j&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;mongodb supported ciphers document&lt;/a&gt;?  &lt;/p&gt;</comment>
                            <comment id="1762449" author="dmitry.ryabtsev" created="Tue, 2 Jan 2018 01:14:09 +0000"  >&lt;p&gt;Hi everyone,&lt;/p&gt;

&lt;p&gt;Our further research has revealed that some of the cipher suite names that were defined in Java before TLS got standardised will not match the cipher suite names defined in the RFC. Consider this example:&lt;/p&gt;
&lt;div class=&apos;table-wrap&apos;&gt;
&lt;table class=&apos;confluenceTable&apos;&gt;&lt;tbody&gt;
&lt;tr&gt;
&lt;th class=&apos;confluenceTh&apos;&gt;Code&lt;/th&gt;
&lt;th class=&apos;confluenceTh&apos;&gt; RFC &lt;/th&gt;
&lt;th class=&apos;confluenceTh&apos;&gt;OpenSSL&lt;/th&gt;
&lt;th class=&apos;confluenceTh&apos;&gt;Java&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;0x16&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;EDH-RSA-DES-CBC3-SHA&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;/div&gt;


&lt;p&gt;Here OM will understand SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA &lt;b&gt;only&lt;/b&gt;.&lt;/p&gt;

&lt;p&gt;Unfortunately this adds another level of complexity as users would need to cross check the cipher suite names they put into the OM UI against both - the RFC and the cipher suite names defined in Java. The proposed documentation change needs to be updated to reflect this.&lt;/p&gt;</comment>
                            <comment id="1754339" author="rodrigo.valin" created="Mon, 18 Dec 2017 13:49:30 +0000"  >&lt;p&gt;We should move forward by adding explicit documentation about the format of the ciphers Ops Manager will understand:&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;Cipher suite names should follow RFC or Java conventions, as defined &lt;a href=&quot;https://tools.ietf.org/html/rfc5246#appendix-C&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;here&lt;/a&gt;. If a cipher name is not understood by Ops Manager, it will be silently ignored.&lt;/p&gt;&lt;/blockquote&gt;</comment>
                            <comment id="1750628" author="rodrigo.valin" created="Wed, 13 Dec 2017 11:31:01 +0000"  >&lt;p&gt;The cipher gets disabled when starting the server, so any message will have to be logged (we don&apos;t have a UI for this), and that&apos;s going to be probably missed by the admin.&lt;/p&gt;

&lt;p&gt;We should add this consideration to the documentation and expect the admins to use the right cipher names. Java being unable to understand one particular cipher is related to its ability to recognize a particular cipher, and this configuration can change from one version to the next. Let me try to explain this a little:&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;Let&apos;s say Java version A includes the cipher-A, which is insecure and admins are disabling it using `disableCiphers`. We can assume that at some point cipher-A will be removed, it will not be accepted by Java anymore, because of how they deprecate obsolete/insecure protocols. At this point the admin will update Ops Manager to a new version, which includes Java version B (which disabled cipher-A), and now their configuration (disabling cipher-A) will become an error or warning, because this cipher is not recognized by the JRE.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;We should be explicit about the format Ops Manager expects from the ciphers in order to disable them, but not to report unrecognized ones.&lt;/p&gt;</comment>
                            <comment id="1750367" author="james.broadhead" created="Tue, 12 Dec 2017 22:59:47 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=tony.sansone&quot; class=&quot;user-hover&quot; rel=&quot;tony.sansone&quot;&gt;tony.sansone&lt;/a&gt; thanks for sending over the link &amp;#8211; it&apos;d be a good docs change. &lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=rodrigo.valin&quot; class=&quot;user-hover&quot; rel=&quot;rodrigo.valin&quot;&gt;rodrigo.valin&lt;/a&gt; I vaguely remember us discussing printing out a warning if the user passed an unknown cipher - is there some reason it&apos;s not possible? If it&apos;s reasonable, could you file a CLOUDP to print a warning error message saying something like &lt;br/&gt;
&quot;Did not understand disabled cipher: &lt;span class=&quot;error&quot;&gt;&amp;#91;cipher name&amp;#93;&lt;/span&gt;. Please use Java format, described here: &lt;span class=&quot;error&quot;&gt;&amp;#91;docs link&amp;#93;&lt;/span&gt;&quot; &lt;/p&gt;
</comment>
                            <comment id="1749562" author="shannon.bradshaw@10gen.com" created="Tue, 12 Dec 2017 13:47:07 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=jordan.sumerlus&quot; class=&quot;user-hover&quot; rel=&quot;jordan.sumerlus&quot;&gt;jordan.sumerlus&lt;/a&gt;, is this a known Ops Manager bug? Is providing an error message in situations such as that which Dmitry describes on the roadmap?&lt;/p&gt;

&lt;p&gt;cc: &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=tony.sansone&quot; class=&quot;user-hover&quot; rel=&quot;tony.sansone&quot;&gt;tony.sansone&lt;/a&gt;&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                                        </outwardlinks>
                                                                <inwardlinks description="is related to">
                                                        </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>15.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_13552" key="com.go2group.jira.plugin.crm:crm_generic_field">
                        <customfieldname>Case</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[[500A000000YQ0IKIA1]]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Tue, 12 Dec 2017 13:47:07 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        5 years, 49 weeks, 2 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_14876" key="com.atlassian.jira.plugin.system.customfieldtypes:userpicker">
                        <customfieldname>Docs Reviewer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>jeffrey.allen@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_10857" key="com.pyxis.greenhopper.jira:gh-epic-link">
                        <customfieldname>Epic Link</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>DOCSP-1743</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_14873" key="com.atlassian.jira.plugin.system.customfieldtypes:multiuserpicker">
                        <customfieldname>External Reviewer</customfieldname>
                        <customfieldvalues>
                                    <customfieldvalue><![CDATA[james.broadhead@mongodb.com]]></customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>jess.mokrzecki@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            5 years, 49 weeks, 2 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>caleb.thompson@mongodb.com</customfieldvalue>
            <customfieldvalue>davi.ottenheimer</customfieldvalue>
            <customfieldvalue>dmitry.ryabtsev@mongodb.com</customfieldvalue>
            <customfieldvalue>xgen-internal-githook</customfieldvalue>
            <customfieldvalue>james.broadhead@mongodb.com</customfieldvalue>
            <customfieldvalue>luke.prochazka@mongodb.com</customfieldvalue>
            <customfieldvalue>rodrigo.valin@mongodb.com</customfieldvalue>
            <customfieldvalue>shannon.bradshaw</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|htm12v:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|htnqdz:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="1324">KANBAN BUCKET</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10555" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>Story Points</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.2</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|htln73:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                </customfields>
    </item>
</channel>
</rss>