topic Re: On Dynatrace Managed cluster to disable TLSv1 and TLSv1.1 on port 443 in Dynatrace Managed Q&A

Disable TLSv1 and TLSv1.1 on port 443 in Managed cluster

CharlesWu — Fri, 16 Jun 2023 11:39:30 GMT

Dynatrace managed is enabled on TLSv1 and v1.1 on the user communication port 443. We are required to disable both. How can we do that? I tested the port 8443 for OneAgent communication, and only TLSv1.2 is enabled.

Re: On Dynatrace Managed cluster to disable TLSv1 and TLSv1.1 on port 443

CharlesWu — Tue, 15 May 2018 01:47:04 GMT

In /opt/dynatrace-managed/server/conf/config.properties file, the line "ssl-protocols=TLSv1.2" is set, but TLSv1 and TSLv1.1 are not disabled. Do we have similar option to disable them as we did in AppMon dtfrontendserver.ini and dtserver.ini by passing "-Dcom.dynatrace.diagnostics.ssl.protocols.unsafe=TLSv1,TLSv1.1" ?

Re: On Dynatrace Managed cluster to disable TLSv1 and TLSv1.1 on port 443

Julius_Loman — Tue, 15 May 2018 08:50:26 GMT

In case of Dynatrace Managed, the 443/tcp port (in recent versions, I think it is from v136) is handled by bundled NGINX. Settings in server's config.properties are not applied for nginx.

Actually, it's just a matter of adding:

ssl_protocols TLSv1.2;

To the config file /opt/dynatrace-managed/nginx/conf/nginx.conf and restart the nginx. Add the line after the existing ssl settings.

If you have a multinode cluster, you will have to do that on every node.

Re: On Dynatrace Managed cluster to disable TLSv1 and TLSv1.1 on port 443

CharlesWu — Tue, 15 May 2018 11:28:46 GMT

It works. The test from openssl returns "Secure Renegotiation IS NOT supported" on TLSv1 and 1.1. Nice. Thanks so much Julius!

Re: On Dynatrace Managed cluster to disable TLSv1 and TLSv1.1 on port 443

parthasaradhi_a — Wed, 30 May 2018 20:10:15 GMT

Which section we need to add this parameter in config.properties ?

Re: On Dynatrace Managed cluster to disable TLSv1 and TLSv1.1 on port 443

Julius_Loman — Thu, 31 May 2018 07:03:56 GMT

It's not in config.properties, but in nginx.conf.

Re: On Dynatrace Managed cluster to disable TLSv1 and TLSv1.1 on port 443

CharlesWu — Wed, 18 Jul 2018 13:23:18 GMT

It comes to another problem that auto-update keeps overwriting nginx configuration, so TLSv1.0 and v1.1 Vulnerability keeps coming back. Every time I have to manually fix it. Can Dynatrace Vendor permanently fix this issue in the new updates/releases?

Re: On Dynatrace Managed cluster to disable TLSv1 and TLSv1.1 on port 443

Julius_Loman — Thu, 19 Jul 2018 06:14:31 GMT

Did you open a support ticket for that? This forum answer can get unnoticed.

Re: On Dynatrace Managed cluster to disable TLSv1 and TLSv1.1 on port 443

tarun_agastya2 — Sun, 04 Nov 2018 16:07:44 GMT

Hi Charles,

Did you get any fix from dynatrace support.We are also having same issue every time new updates/releases happening we are loosing TLSv1.2 Vulnerabilities and TLSv1.0 & 1.1 coming back.

Can you please let us know if you receive any fix.

Appreciate your help.

Tarun

Re: On Dynatrace Managed cluster to disable TLSv1 and TLSv1.1 on port 443

CharlesWu — Wed, 07 Nov 2018 21:46:49 GMT

No. Not sure if our Dynatrace sales engineer submitted a case for this, and I had to update the config file right after every update. Now I just submitted a "RFE - Please remediate SSL Vulnerability on Dynatrace managed to have TLSv1.2 enabled only" in the Dynatrace product ideas. Please go there to vote, so we can get it fixed soon. Thanks for the reminder.

Re: Disable TLSv1 and TLSv1.1 on port 443 in Managed cluster

miroslaw_swiatk — Wed, 19 Mar 2025 09:59:42 GMT

You can find an answer to this question in our documentation:

Customize installation for Dynatrace Managed

in the section "SSL certificates parameters"