  1. Couchbase Gateway
  2. CBG-1359

Increase default minimum TLS version to TLS1.2


Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 3.0
    • SyncGateway
    • Security Level: Public
    • None
    • CBG Sprint 70
    • 1

    Description

      Was done in Server as MB-41794, might be worth considering bumping ours too, which is currently still at TLS1.0 - we chose the TLS1.0 default instead of TLS1.2 to align with Server at the time.

      This config setting controls the publicly facing HTTP APIs when served with TLS (not related to any kind of connection to Server).

      Compatibility: information for browsers/mobile platforms can be found here:
      https://support.globalsign.com/ssl/general-ssl/tls-protocol-compatibility

      • Android 5+ (2014) - CBL 2.6 was the last release to have deprecated support for Android 4/API 19, so that's our last potential "partial" compatibility.
      • iOS 5+ (2011) - CBL 2.0+ requires iOS 9

      Regardless of this compatibility, the min TLS version can still be lowered back down to TLS 1.0 via tls_minimum_version=tlsv1 if customers have a requirement to use unsupported devices.

      Implementation: bump this const to tls.VersionTLS12!

      config.go:46
          const DefaultMinimumTLSVersionConst = tls.VersionTLS10
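
An added example, not Sync Gateway's own code: it shows what the proposed default means on the wire by starting a throwaway loopback TLS listener and checking which client protocol versions complete a handshake. `minVersionFromConfig` and `handshakeAccepted` are hypothetical names, and the `tlsv1.1` and `tlsv1.2` strings are assumed by analogy with the `tlsv1` value quoted in the issue.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// New default proposed in the issue (previously tls.VersionTLS10).
const defaultMinTLS = tls.VersionTLS12

// minVersionFromConfig (hypothetical) maps a tls_minimum_version string to a
// crypto/tls constant. Unknown values fail closed rather than downgrading.
func minVersionFromConfig(v string) (uint16, error) {
	switch v {
	case "": // option not set: use the default
		return defaultMinTLS, nil
	case "tlsv1": // value quoted in the issue
		return tls.VersionTLS10, nil
	case "tlsv1.1": // assumed spelling
		return tls.VersionTLS11, nil
	case "tlsv1.2": // assumed spelling
		return tls.VersionTLS12, nil
	}
	return 0, fmt.Errorf("unsupported tls_minimum_version %q", v)
}

// handshakeAccepted starts a loopback TLS listener with the given minimum and
// reports whether a client capped at clientMax completes a handshake.
func handshakeAccepted(serverMin, clientMax uint16) bool {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{MinVersion: serverMin}
	srv.StartTLS()
	defer srv.Close()
	// Reuse the test server's trust store; only the version range changes.
	cfg := srv.Client().Transport.(*http.Transport).TLSClientConfig.Clone()
	cfg.MinVersion, cfg.MaxVersion = tls.VersionTLS10, clientMax
	conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), cfg)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

func main() {
	def, _ := minVersionFromConfig("")
	fmt.Println(handshakeAccepted(def, tls.VersionTLS11), handshakeAccepted(def, tls.VersionTLS12))
}
```

The same check can be pointed at a deployed listener after an upgrade to confirm that TLS 1.0 and 1.1 clients are refused unless the minimum was lowered on purpose.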

       


          Activity

            ben.brooks Ben Brooks created issue -
            ben.brooks Ben Brooks made changes -
            Description edited three times. The final revision matches the Description above and links "we chose the TLS1.0 default instead of TLS1.2 to align with Server at the time" to https://issues.couchbase.com/browse/CBG-260?focusedCommentId=320220&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-320220
            adamf Adam Fraser made changes -
            Fix Version/s Lithium [ 16180 ]
            adamf Adam Fraser made changes -
            Assignee The One [ the one ] Jacques Rascagneres [ jacques.rascagneres ]
            adamf Adam Fraser made changes -
            Sprint CBG Sprint 70 [ 1508 ]
            adamf Adam Fraser made changes -
            Rank Ranked lower
            ben.brooks Ben Brooks made changes -
            Rank Ranked higher
            Automated transition triggered when Adam Fraser merged pull request #4978 in GitHub -
            Resolution Fixed [ 1 ]
            Status Open [ 1 ] Resolved [ 5 ]
            daniel.petersen Daniel Petersen made changes -
            Link This issue relates to CM-756 [ CM-756 ]
            ben.brooks Ben Brooks made changes -
            Status Resolved [ 5 ] Closed [ 6 ]

            People

              jacques.rascagneres Jacques Rascagneres
              ben.brooks Ben Brooks