In the /opt/dynatrace-managed/server/conf/config.properties file, the line "ssl-protocols=TLSv1.2" is set, but TLSv1 and TLSv1.1 are not disabled. Do we have a similar option to disable them, as we did in AppMon's dtfrontendserver.ini and dtserver.ini by passing "-Dcom.dynatrace.diagnostics.ssl.protocols.unsafe=TLSv1,TLSv1.1"?
In the case of Dynatrace Managed, port 443/tcp (in recent versions, I think from v136 on) is handled by the bundled NGINX. Settings in the server's config.properties are not applied to nginx.
Actually, it's just a matter of adding:
to the config file /opt/dynatrace-managed/nginx/conf/nginx.conf and restarting nginx. Add the line after the existing SSL settings.
If you have a multinode cluster, you will have to do that on every node.
This leads to another problem: auto-update keeps overwriting the nginx configuration, so the TLSv1.0 and v1.1 vulnerability keeps coming back. Every time I have to fix it manually. Can Dynatrace, as the vendor, permanently fix this issue in new updates/releases?
No. I'm not sure if our Dynatrace sales engineer submitted a case for this, and I had to update the config file right after every update. Now I have just submitted an RFE, "Please remediate SSL Vulnerability on Dynatrace managed to have TLSv1.2 enabled only", in the Dynatrace product ideas. Please go there and vote so we can get it fixed soon. Thanks for the reminder.
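Since the fix above has to be re-applied after every update, a small audit/remediation script is worth keeping on each node. The following is an added example, not code from this thread, from Dynatrace, or from the nginx bundle: it assumes the line the answer refers to is the standard nginx `ssl_protocols` directive (the thread itself does not show it), uses constructed sample config files in place of the real nginx.conf, and uses `openssl s_client` for an optional live probe. The check reports whether any active `ssl_protocols` directive still allows TLSv1 or TLSv1.1, and the hardening function rewrites it to `TLSv1.2` only; restarting nginx and repeating on every cluster node is left to the operator.

```shell
#!/bin/sh
# Added example, not from the thread and not Dynatrace's own tooling.
# Assumes the nginx.conf in question uses the standard nginx
# "ssl_protocols" directive. File paths and config contents below are
# constructed for illustration; they are not the real Dynatrace files.

# List the values of every active ssl_protocols directive in a config
# file, ignoring anything after '#'. One directive per output line.
ssl_protocols_in() {
    sed -e 's/#.*$//' "$1" \
      | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' \
      | sed -E 's/^[[:space:]]*ssl_protocols[[:space:]]+//; s/[[:space:];]+$//'
}

# Return 0 if any directive still enables SSLv2/SSLv3/TLSv1/TLSv1.1,
# 1 if every directive is TLSv1.2/TLSv1.3 only, and 2 if the file has
# no ssl_protocols directive at all (nginx's built-in default then
# applies, which older nginx versions set to include TLSv1 and TLSv1.1).
weak_tls_enabled() {
    protos=$(ssl_protocols_in "$1")
    [ -n "$protos" ] || return 2
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) return 0 ;;
        esac
    done
    return 1
}

# Rewrite every active ssl_protocols directive to "TLSv1.2" only, keeping
# a .bak copy. Idempotent, so it can be re-run after each update that
# overwrites the file. Restarting nginx afterwards is left to the caller.
harden_ssl_protocols() {
    cp "$1" "$1.bak"
    sed -E 's/^([[:space:]]*ssl_protocols[[:space:]]+)[^;]*;/\1TLSv1.2;/' "$1" \
      > "$1.new" && mv "$1.new" "$1"
}

# Live check against a node after the restart: does port 443 still
# complete a TLS 1.0 or 1.1 handshake? Needs network access, so it is
# not exercised by the offline run below. Caveat: an OpenSSL client
# built with a high default security level may refuse to offer TLS
# 1.0/1.1 itself, which would mask what the server accepts.
probe_legacy_tls() {
    for v in tls1 tls1_1; do
        if openssl s_client -connect "$1:443" "-$v" </dev/null >/dev/null 2>&1; then
            echo "$1 accepts $v"
        else
            echo "$1 rejects $v"
        fi
    done
}

# Constructed sample configs: what a freshly overwritten file might look
# like, and the hardened version. Paths inside are placeholders.
WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/example.pem;   # constructed path
    ssl_certificate_key /etc/nginx/example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # ssl_protocols TLSv1.2;   commented out: must not count
}
EOF
cat > "$HARD_CONF" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
}
EOF

# Human-readable verdict for one config file.
report() {
    rc=0; weak_tls_enabled "$1" || rc=$?
    case $rc in
        0) echo "$1: legacy TLS enabled: $(ssl_protocols_in "$1" | tr '\n' ' ')" ;;
        1) echo "$1: TLS 1.2+ only" ;;
        *) echo "$1: no ssl_protocols directive, nginx default applies" ;;
    esac
}

report "$WEAK_CONF"
report "$HARD_CONF"
# Remediate a copy of the weak file and re-check it.
cp "$WEAK_CONF" "$WEAK_CONF.fixed"
harden_ssl_protocols "$WEAK_CONF.fixed"
report "$WEAK_CONF.fixed"
```

Run it as a post-update step on each node (for example from the same place the cluster update is triggered), then restart nginx and confirm with `probe_legacy_tls <node>` from a host with network access. Commented-out directives are deliberately ignored, so a config that has the hardened line only as a comment is still reported as weak.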
You can find an answer to this question in our documentation:
in the section "SSL certificates parameters"