All,
We have a requirement to secure all our internal services, and as part of that our audit team mandated us to use a predefined set of cipher suites to secure the service endpoints. The cipher suites that we are allowed to use are:
TLS 1.2:
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS 1.3:
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
I tried using the “opensslCipherConfig” config parameter to specify the cipher suites, but the scan is always failing with the following error:
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
Obsoleted CBC ciphers (AES, ARIA etc.) offered <-----
Is there any way to instruct the mongod process to use the mentioned ciphers only?
Thanks
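
Added example, not part of the original post: a local check of which suites an OpenSSL cipher string actually enables, using the allowlist above, so a string can be validated before it is handed to a server and rescanned. It assumes the parameter takes an OpenSSL-format cipher string; the helper names are hypothetical, the TLS 1.2 entries use OpenSSL's own names for the IANA suites listed in the post, and the result depends on the OpenSSL build that Python is linked against.

```python
import ssl

# TLS 1.2 allowlist from the post: IANA name -> OpenSSL name.
TLS12_ALLOWED = {
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-ECDSA-CHACHA20-POLY1305",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}
# TLS 1.3 suites carry the same name in OpenSSL; OpenSSL configures them
# separately from the TLS 1.2 cipher string.
TLS13_ALLOWED = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}

def allowlist_cipher_string():
    """OpenSSL cipher string that names only the allowed TLS 1.2 suites."""
    return ":".join(TLS12_ALLOWED.values())

def enabled_suites(cipher_string):
    """(name, protocol, description) of every suite the string enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"], c["description"]) for c in ctx.get_ciphers()]

def violations(cipher_string):
    """Enabled suites that are not on the audit allowlist."""
    allowed = set(TLS12_ALLOWED.values()) | TLS13_ALLOWED
    return sorted(n for n, _, _ in enabled_suites(cipher_string) if n not in allowed)

def non_aead(cipher_string):
    """Enabled suites without an AEAD mode (CBC suites fall in this group)."""
    return sorted(n for n, _, d in enabled_suites(cipher_string) if "Mac=AEAD" not in d)

if __name__ == "__main__":
    for label, s in (("allowlist", allowlist_cipher_string()), ("HIGH:!aNULL", "HIGH:!aNULL")):
        print(label, "violations:", violations(s))
        print(label, "non-AEAD:", non_aead(s))
```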