Couchbase Server MB-13026

Move XDCR SSL to TLS 1.2 / AES instead of RC4


Details

    • Bug
    • Resolution: Duplicate
    • Major
    • 4.0.0
    • 3.0.1
    • ns_server
    • Security Level: Public

    Description

      XDCR SSL uses RC4 by default; according to the code comments this was chosen to mitigate BEAST (Browser Exploit Against SSL/TLS): http://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack

      RC4 is no longer considered secure: http://blog.cloudflare.com/killing-rc4-the-long-goodbye/
      With TLS 1.2, which Erlang R16 supports, BEAST is no longer a threat, so AES should now be used.

      It looks like XDCR now uses TLS, but the RC4 cipher is still supported.

      Solution -
      RC4 should be removed from the allowable cipher list.
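The check this ticket asks for, TLS 1.2 enforced and RC4 absent from the allowed cipher list, as an added Python example that is not ns_server's code (ns_server configures the Erlang `ssl` application, not Python's `ssl` module). The OpenSSL-style cipher string, the constructed pre-fix sample list and the helper names `find_weak_ciphers`, `build_hardened_context` and `audit_context` are assumptions made for this illustration; the audit function also flags the other weak families (MD5, NULL, DES) that would be cut by the same kind of change.

```python
import ssl

# Constructed sample of suite names in OpenSSL notation, standing in for a
# pre-fix allow-list that still carries RC4 (hypothetical, not ns_server's list).
SAMPLE_PRE_FIX_CIPHERS = [
    "ECDHE-RSA-RC4-SHA",
    "RC4-SHA",
    "RC4-MD5",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
]

# Cipher families treated as unacceptable; RC4 is the one the ticket names.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "DES")


def find_weak_ciphers(cipher_names):
    """Return the subset of suite names that use a weak cipher family."""
    return [name for name in cipher_names
            if any(marker in name.upper() for marker in WEAK_MARKERS)]


def build_hardened_context():
    """Client SSLContext that requires TLS 1.2+ and offers only AES suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Refusing TLS 1.0/1.1 removes the BEAST exposure that motivated RC4.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Assumed cipher string: ECDHE/DHE with AES (GCM preferred). RC4 and the
    # other weak families are excluded explicitly so a library default cannot
    # reintroduce them.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+AES:DHE+AESGCM:!RC4:!aNULL:!eNULL:!MD5:!DES")
    return ctx


def context_cipher_names(ctx):
    """Names of the suites the context will actually offer in a handshake."""
    return [c["name"] for c in ctx.get_ciphers()]


def audit_context(ctx):
    """Return (tls12_enforced, weak_suites_offered) for a context."""
    tls12 = ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    weak = find_weak_ciphers(context_cipher_names(ctx))
    return tls12, weak


if __name__ == "__main__":
    print("weak suites in sample pre-fix list:",
          find_weak_ciphers(SAMPLE_PRE_FIX_CIPHERS))
    enforced, weak = audit_context(build_hardened_context())
    print("TLS 1.2 enforced:", enforced, "| weak suites offered:", weak)
```

Running the audit against the sample list reports the three RC4 suites; against the hardened context it reports TLS 1.2 enforced and no weak suites, which is the state the ticket's solution describes.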


          People

            Aliaksey Artamonau (Inactive)
            Ian McCloy (ianmccloy, Inactive)