Couchbase Server / MB-14936

Plaintext traffic with cbbackup --ssl

Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 4.0.0
    • 4.0.0
    • tools
    • Security Level: Public
    • OS version: CentOS 6.5
      CB version: 4.0.0-2046-rel
    • Untriaged
    • Unknown

    Description

      Apologies if I am misinterpreting my results or misunderstanding some aspect
      of the functionality, but when testing cbbackup with the --ssl option, I am
      seeing plaintext content in DCP key mutation request packets transferred
      from my backup source node to the target machine I am backing up to over
      the non-SSL TCP/11210 port.

      Steps to reproduce:

      1. Install version 4.0.0-2046-rel on two systems but do not cluster them:

      • brian2.local (10.4.2.133) (single node cluster)
      • brian3.local (10.4.2.134) (Couchbase installed for cbbackup use only)

      2. From brian3.local, start a tcpdump:

      ```
      tcpdump -nnvvXSs 0 -w /tmp/cbbackup-ssl.pcap
      ```

      3. From brian3.local, perform a cbbackup against brian2.local with --ssl:

      ```
      cbbackup -u Administrator -p pasword --ssl http://brian2.local:18091 /opt/cb_backups/
      ```

      4. Inspect the tcpdump output in cbbackup-ssl.pcap and note non-encrypted content:

      Reassembled TCP (385 bytes):

      ```
      0000  80 57 00 09 1f 01 03 95 00 00 01 69 00 00 03 95   .W.........i....
      0010  13 dd 36 c4 b8 e5 00 00 00 00 00 00 00 00 00 15   ..6.............
      0020  00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00   ................
      0030  00 00 00 00 00 05 02 70 79 6d 63 33 30 33 36 36   .......pymc30366
      0040  7b 22 6e 61 6d 65 22 3a 20 22 70 79 6d 63 33 30   {"name": "pymc30
      0050  33 36 36 22 2c 20 22 61 67 65 22 3a 20 36 36 2c   366", "age": 66,
      0060  20 22 69 6e 64 65 78 22 3a 20 33 30 33 36 36 2c    "index": 30366,
      0070  20 22 62 6f 64 79 22 3a 20 22 56 54 4b 47 4e 4b    "body": "VTKGNK
      0080  55 48 4d 50 58 4e 48 54 51 47 58 5a 56 58 49 53   UHMPXNHTQGXZVXIS
      0090  58 52 4d 43 4c 50 58 5a 4d 57 47 55 4f 41 53 4b   XRMCLPXZMWGUOASK
      00a0  56 52 41 4d 57 47 49 57 45 4f 47 5a 55 4c 43 49   VRAMWGIWEOGZULCI
      00b0  4e 59 43 4f 53 4f 56 4f 5a 50 50 4c 50 4b 4f 48   NYCOSOVOZPPLPKOH
      00c0  45 45 50 52 4d 43 54 57 59 56 58 59 4f 4b 53 48   EEPRMCTWYVXYOKSH
      00d0  56 57 58 50 59 50 4c 52 5a 58 55 43 50 4d 51 56   VWXPYPLRZXUCPMQV
      00e0  47 54 44 46 55 49 56 43 44 53 42 4f 58 4e 52 41   GTDFUIVCDSBOXNRA
      00f0  51 50 4f 4b 4a 5a 41 41 59 45 44 46 55 59 41 4c   QPOKJZAAYEDFUYAL
      0100  43 47 46 51 4a 45 4e 42 43 5a 46 4a 54 56 58 45   CGFQJENBCZFJTVXE
      0110  52 5a 42 52 56 49 47 50 4c 45 4d 4b 4f 4e 49 4a   RZBRVIGPLEMKONIJ
      0120  56 47 4f 41 54 49 42 48 47 59 4a 48 4a 59 51 51   VGOATIBHGYJHJYQQ
      0130  53 4b 4b 51 41 46 49 47 51 4a 57 4f 4b 4b 53 4b   SKKQAFIGQJWOKKSK
      0140  52 42 4c 47 45 4e 4d 4f 54 57 4d 49 4d 56 57 56   RBLGENMOTWMIMVWV
      0150  45 5a 51 43 53 5a 4b 52 49 46 53 41 56 4e 43 44   EZQCSZKRIFSAVNCD
      0160  51 57 48 5a 43 57 4b 43 48 4c 55 57 44 4e 51 4a   QWHZCWKCHLUWDNQJ
      0170  57 48 41 42 52 4f 59 59 58 42 22 7d 01 02 00 01   WHABROYYXB"}....
      0180  00
      ```

      The file cbbackup-ssl.pcap.gz from my testing is attached.
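
Added example (not part of the original report and not Couchbase code): a Python check that tells a TLS record apart from a cleartext memcached-binary DCP mutation in a reassembled TCP payload, using the header layout visible in the dump above (magic 0x80, opcode 0x57, 24-byte header). The function names are assumptions of this example, and the sample frame is constructed rather than taken from the capture.

```python
import struct

# Memcached binary header: magic, opcode, key len, extras len, datatype,
# vbucket, total body len, opaque, CAS (24 bytes, network byte order).
HEADER = struct.Struct(">BBHBBHIIQ")
MAGIC_REQUEST = 0x80   # first byte of the dump in the report
DCP_MUTATION = 0x57    # second byte of the dump in the report


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 20-23, then version 3.0 to 3.4."""
    return (len(payload) >= 5 and 20 <= payload[0] <= 23
            and payload[1] == 3 and payload[2] <= 4)


def parse_dcp_mutation(payload: bytes):
    """Return (key, rest_of_body) for a cleartext DCP mutation, else None."""
    if len(payload) < HEADER.size:
        return None
    magic, opcode, keylen, extlen, _, _, bodylen, _, _ = HEADER.unpack_from(payload)
    if magic != MAGIC_REQUEST or opcode != DCP_MUTATION:
        return None
    body = payload[HEADER.size:HEADER.size + bodylen]
    if len(body) < bodylen or extlen + keylen > bodylen:
        return None  # truncated capture or inconsistent lengths
    key = body[extlen:extlen + keylen]
    return key, body[extlen + keylen:]  # document value plus any trailing metadata


def classify(payload: bytes) -> str:
    """Label a reassembled payload as 'tls', 'cleartext-dcp-mutation' or 'other'."""
    if looks_like_tls(payload):
        return "tls"
    if parse_dcp_mutation(payload) is not None:
        return "cleartext-dcp-mutation"
    return "other"


def sample_frame() -> bytes:
    """Constructed frame shaped like the one in the report (not the real capture)."""
    key, value = b"pymc30366", b'{"name": "pymc30366", "age": 66}'
    extras = bytes(31)  # 31 extras bytes, matching the reported header
    body = extras + key + value
    return HEADER.pack(MAGIC_REQUEST, DCP_MUTATION, len(key), len(extras),
                       1, 0x0395, len(body), 0x0395, 0) + body


if __name__ == "__main__":
    print(classify(sample_frame()), parse_dcp_mutation(sample_frame()))
    print(classify(b"\x17\x03\x03\x00\x10" + bytes(16)))  # constructed TLS record
```

Running `classify` over each reassembled payload on the data port gives a quick pass/fail for whether a backup run that was meant to be encrypted actually was.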


            People

              bcui Bin Cui (Inactive)
              bshumate Brian Shumate (Inactive)