[CBG-260] Add configurable minimum TLS version - Couchbase database

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: 2.6.0
Component/s: SyncGateway
Security Level: Public
Labels:
None

Sprint:
CBG Sprint 16, CBG Sprint 17
Story Points:
5

Description

Would be good to implement the ability to enforce a minimum TLS version in order to comply with security requirements. Currently we enforce TLS 1.0 or greater here. It would be nice to somehow make this a configurable option as both SG and CBLite support higher versions.

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

Ascending order - Click to sort in descending order

Ben Brooks added a comment - 07/Mar/19 6:28 AM - edited

Consider defaulting to min ver: TLS 1.2 (and allow configurable downgrade to 1.0 or 1.1 as min version if absolutely required).

Might want to consider dropping TLS 1.0 support entirely, but might be a bit early for it...

Couchbase server currently does TLS 1.0-1.2, but recommends TLS 1.2 version: https://docs.couchbase.com/server/5.5/security/security-comm-encryption.html
Browsers dropping support for 1.0 and 1.1 in 2020 - May be too early to do this in SG yet
https://arstechnica.com/gadgets/2018/10/browser-vendors-unite-to-end-support-for-20-year-old-tls-1-0/
Check CB platform support matrix to see which versions of OSes we need to target if we are wanting to drop TLS 1.0
References:

Ben Brooks added a comment - 07/Mar/19 6:28 AM - edited Consider defaulting to min ver: TLS 1.2 (and allow configurable downgrade to 1.0 or 1.1 as min version if absolutely required). Might want to consider dropping TLS 1.0 support entirely, but might be a bit early for it... Couchbase server currently does TLS 1.0-1.2, but recommends TLS 1.2 version: https://docs.couchbase.com/server/5.5/security/security-comm-encryption.html Browsers dropping support for 1.0 and 1.1 in 2020 - May be too early to do this in SG yet https://arstechnica.com/gadgets/2018/10/browser-vendors-unite-to-end-support-for-20-year-old-tls-1-0/ Check CB platform support matrix to see which versions of OSes we need to target if we are wanting to drop TLS 1.0 References: https://caniuse.com/#search=tls%201.1 https://caniuse.com/#search=tls%201.2 https://help.salesforce.com/articleView?id=000220586&language=en_US&type=1

Adam Fraser added a comment - 13/Mar/19 8:30 PM

I don't think we should change the default at this point in time - it makes sense to be consistent with the Couchbase Server handling (default to 1.0, allow configuration of minimum)

Adam Fraser added a comment - 13/Mar/19 8:30 PM I don't think we should change the default at this point in time - it makes sense to be consistent with the Couchbase Server handling (default to 1.0, allow configuration of minimum)

Couchbase Build Team added a comment - 05/Apr/19 5:08 AM

Build sync_gateway-2.6.0-2 contains sync_gateway commit 17819c9 with commit message:
CBG-260: Add a way to configure the minimum TLS version (#4011)

Couchbase Build Team added a comment - 05/Apr/19 5:08 AM Build sync_gateway-2.6.0-2 contains sync_gateway commit 17819c9 with commit message: CBG-260 : Add a way to configure the minimum TLS version (#4011)

Couchbase Build Team added a comment - 05/Apr/19 5:08 AM

Build sync_gateway-2.6.0-2 contains sync_gateway commit 17819c9 with commit message:
CBG-260: Add a way to configure the minimum TLS version (#4011)

Couchbase Build Team added a comment - 05/Apr/19 5:08 AM Build sync_gateway-2.6.0-2 contains sync_gateway commit 17819c9 with commit message: CBG-260 : Add a way to configure the minimum TLS version (#4011)

Couchbase Gateway

Add configurable minimum TLS version

Details

Description

Attachments

Gerrit Reviews

Activity

People

Dates

Gerrit Reviews

PagerDuty