Uploaded image for project: 'Couchbase Server'
  1. Couchbase Server
  2. MB-37083

OOTB cipher suites should work with http2 clients and should be in decreasing order of cipher strength

    XMLWordPrintable

Details

    • Untriaged
    • Unknown

    Description

      See comments from Brett Lawson and me on MB-36900. At a minimum we should reorder our high security cipher suites as follows:

      [
      		 
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
      		 
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      		 
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      		 
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
      		 
        "TLS_RSA_WITH_AES_256_CBC_SHA",
      		 
        "TLS_RSA_WITH_AES_128_CBC_SHA"
      		 
      ]

      But we may want to do more based on Brett's investigations.

      Attachments

        Issue Links

          blocks

          Bug - A problem which impairs or prevents the functions of the product. CBG-602 SG is failed to connect to CBS with x509 cert auth

          • Major - Major loss of function.
          • Closed
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. MB-36900 broken pipe while doing query service with ssl enabled

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            Ascending order - Click to sort in descending order
            brett19 Brett Lawson added a comment -

            Just copying from the other ticket for visibility here:
            It might be a good idea to take advantage of a well-known cipher-list that is known to be highly compatible in the face of an increasing number of SSL implementations:
            https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29

            brett19 Brett Lawson added a comment - Just copying from the other ticket for visibility here: It might be a good idea to take advantage of a well-known cipher-list that is known to be highly compatible in the face of an increasing number of SSL implementations: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
            brett19 Brett Lawson added a comment -

            Hey Dave Finlay,

            Don't forget that the first cipher (TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA) in your list above is actually a blacklisted cipher, so any OpenSSL installation which supports that cipher is going to fail to correctly build HTTP2 connections.

            Cheers, Brett

            brett19 Brett Lawson added a comment - Hey Dave Finlay , Don't forget that the first cipher (TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA) in your list above is actually a blacklisted cipher, so any OpenSSL installation which supports that cipher is going to fail to correctly build HTTP2 connections. Cheers, Brett
            dfinlay Dave Finlay added a comment -

            Yes, Brett, we are aware. Thanks.

            dfinlay Dave Finlay added a comment - Yes, Brett, we are aware. Thanks.
            build-team Couchbase Build Team added a comment -

            Build couchbase-server-6.5.0-4912 contains ns_server commit 57e7c00 with commit message:
            MB-37083: Reorder high ciphers for cbauth

            build-team Couchbase Build Team added a comment - Build couchbase-server-6.5.0-4912 contains ns_server commit 57e7c00 with commit message: MB-37083 : Reorder high ciphers for cbauth
            build-team Couchbase Build Team added a comment -

            Build couchbase-server-7.0.0-1096 contains ns_server commit 57e7c00 with commit message:
            MB-37083: Reorder high ciphers for cbauth

            build-team Couchbase Build Team added a comment - Build couchbase-server-7.0.0-1096 contains ns_server commit 57e7c00 with commit message: MB-37083 : Reorder high ciphers for cbauth

            People

              timofey.barmin Timofey Barmin
              dfinlay Dave Finlay
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes

                  PagerDuty