Couchbase Gateway / CBG-260

Add configurable minimum TLS version

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 2.6.0
    • Component/s: SyncGateway
    • Security Level: Public
    • Labels:
      None
    • Sprint:
      CBG Sprint 16, CBG Sprint 17
    • Story Points:
      5

      Description

      Would be good to implement the ability to enforce a minimum TLS version in order to comply with security requirements. Currently we enforce TLS 1.0 or greater here. It would be nice to somehow make this a configurable option as both SG and CBLite support higher versions.


          Activity

          ben.brooks Ben Brooks added a comment - edited

          Consider defaulting to min ver: TLS 1.2 (and allow configurable downgrade to 1.0 or 1.1 as min version if absolutely required).

          Might want to consider dropping TLS 1.0 support entirely, but might be a bit early for it...

          • Couchbase server currently does TLS 1.0-1.2, but recommends TLS 1.2 version: https://docs.couchbase.com/server/5.5/security/security-comm-encryption.html
          • Browsers dropping support for 1.0 and 1.1 in 2020 - May be too early to do this in SG yet https://arstechnica.com/gadgets/2018/10/browser-vendors-unite-to-end-support-for-20-year-old-tls-1-0/
          • Check CB platform support matrix to see which versions of OSes we need to target if we are wanting to drop TLS 1.0

          References:
          https://caniuse.com/#search=tls%201.1
          https://caniuse.com/#search=tls%201.2
          https://help.salesforce.com/articleView?id=000220586&language=en_US&type=1

          adamf Adam Fraser added a comment -

          I don't think we should change the default at this point in time - it makes sense to be consistent with the Couchbase Server handling (default to 1.0, allow configuration of minimum)

          build-team Couchbase Build Team added a comment -

          Build sync_gateway-2.6.0-2 contains sync_gateway commit 17819c9 with commit message:
          CBG-260: Add a way to configure the minimum TLS version (#4011)
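
An added Go example, not taken from the ticket or from the sync_gateway commit, of the behaviour the thread settles on: the floor stays at TLS 1.0 when nothing is configured, and a configured minimum makes the server refuse older clients at the handshake. The config strings (`tlsv1`, `tlsv1.1`, `tlsv1.2`) and all function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical config values; "" (unset) keeps the TLS 1.0 default from the thread.
var floors = map[string]uint16{"": tls.VersionTLS10, "tlsv1": tls.VersionTLS10,
	"tlsv1.1": tls.VersionTLS11, "tlsv1.2": tls.VersionTLS12}

// serverConfig rejects unknown values instead of silently falling back to the default.
func serverConfig(minVersion string, cert tls.Certificate) (*tls.Config, error) {
	v, ok := floors[minVersion]
	if !ok {
		return nil, fmt.Errorf("unsupported minimum TLS version %q", minVersion)
	}
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: v}, nil
}

// testCert builds a throwaway self-signed certificate (constructed test data).
func testCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// handshakeOK reports whether a client pinned to clientVer completes a handshake
// over an in-memory pipe. InsecureSkipVerify is for this test client only.
func handshakeOK(cfg *tls.Config, clientVer uint16) bool {
	c, s := net.Pipe()
	defer c.Close()
	go func() { tls.Server(s, cfg).Handshake(); s.Close() }()
	pinned := &tls.Config{InsecureSkipVerify: true, MinVersion: clientVer, MaxVersion: clientVer}
	return tls.Client(c, pinned).Handshake() == nil
}

func main() {
	cfg, _ := serverConfig("tlsv1.2", testCert())
	fmt.Println("TLS 1.0 client accepted:", handshakeOK(cfg, tls.VersionTLS10))
}
```

Running the same pinned-client check against a deployed listener is a quick way to confirm the configured floor is the one actually enforced.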


            People

            • Assignee:
              jacques.rascagneres Jacques Rascagneres
              Reporter:
              jacques.rascagneres Jacques Rascagneres