Details
-
Improvement
-
Resolution: Fixed
-
Major
Description
Request
- Could we add the ability to specify the SSL protocol version when using SSL to connect to Couchbase Server?
- Alternatively is there a way we could allow TLS 1.2 to work correctly for the Java SDK when running using Java 7 and below?
Explanation
The SSLContext is specified here in the JVM core source code. The use of getInstance("TLS") means that it will use the default TLS version of the version of Java being used. V1 is the default for Java 7 even though it can support 1.2.
Some users will want to limit their Couchbase Server minimum TLS version to 1.2 for security reasons following the guidance in https://docs.couchbase.com/server/5.5/security/security-comm-encryption.html#working-with-supported-protocols.
This means that when attempting to initiate a connection with a cluster enforcing 1.2 you get the error 'Received fatal alert: protocol_version'.
I have reproduced the issue and there seems to be no clear way to override this, or to specify the TLS version you wish to use. To be clear this is only the case in Java 7 where TLS 1.2 is not the default.
My reproduction code is below:
```java
import com.couchbase.client.java.*;
import com.couchbase.client.java.env.CouchbaseEnvironment;
import com.couchbase.client.java.env.DefaultCouchbaseEnvironment;

public class Core {

    public static void main(String[] args) throws Exception {

        // SSL enabled with a keystore; no TLS version can be specified here.
        CouchbaseEnvironment environment = DefaultCouchbaseEnvironment
                .builder()
                .sslEnabled(true)
                .sslKeystoreFile("/Users/jacquesrascagneres/Documents/CouchbaseDev/Test Apps/JavaTest/store")
                .sslKeystorePassword("password")
                .build();

        Cluster cluster = CouchbaseCluster.create(environment, "10.111.181.101");
        cluster.authenticate("Administrator", "password");
        Bucket bucket = cluster.openBucket("travel-sample");

        System.out.println(bucket.get("airline_10"));
    }
}
```
For Gerrit Dashboard: JVMCBC-576

# | Subject | Branch | Project | Status | CR | V |
---|---|---|---|---|---|---|
100177,4 | JVMCBC-576: Allow to configure SSL protocol via property. | master | couchbase-jvm-core | Status: MERGED | +2 | +1 |
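
An added example, not part of the ticket or of the Couchbase SDK code: a stand-alone check of which protocol versions a client `SSLEngine` enables when its context comes from `getInstance("TLS")` versus a configurable protocol name, and how to pin the engine to TLS 1.2. The class name and the property name `example.sslProtocol` are assumptions made for this example.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TlsProtocolCheck {

    // Hypothetical property name, used only in this example.
    static final String PROTOCOL_PROPERTY = "example.sslProtocol";

    /** Builds a client-mode engine from a context created with the given protocol name. */
    static SSLEngine clientEngine(String contextProtocol) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextProtocol);
        ctx.init(null, null, null); // default key/trust managers; enough to inspect protocols
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        return engine;
    }

    /** Restricts the engine to exactly one protocol version, refusing silent fallback. */
    static void pin(SSLEngine engine, String version) {
        if (!Arrays.asList(engine.getSupportedProtocols()).contains(version)) {
            throw new IllegalStateException(version + " is not supported by this JVM");
        }
        engine.setEnabledProtocols(new String[] { version });
    }

    public static void main(String[] args) throws Exception {
        // What getInstance("TLS") enables for a client on this JVM
        // (on Java 7 the list stops at TLSv1).
        SSLEngine dflt = clientEngine("TLS");
        System.out.println("java.version   = " + System.getProperty("java.version"));
        System.out.println("TLS (default)  = " + Arrays.toString(dflt.getEnabledProtocols()));

        // Protocol name taken from configuration instead of the hard-coded "TLS".
        String requested = System.getProperty(PROTOCOL_PROPERTY, "TLSv1.2");
        SSLEngine chosen = clientEngine(requested);
        System.out.println(requested + " context = " + Arrays.toString(chosen.getEnabledProtocols()));

        // Pin to a single version so the client cannot offer anything older.
        pin(chosen, "TLSv1.2");
        System.out.println("after pinning  = " + Arrays.toString(chosen.getEnabledProtocols()));
    }
}
```

Running it on the JVM that hosts the application shows whether a `protocol_version` alert from a TLS 1.2-only cluster is explained by the JVM's default enabled protocols.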