Uploaded image for project: 'Couchbase Server'
  1. Couchbase Server
  2. MB-37083

OOTB cipher suites should work with http2 clients and should be in decreasing order of cipher strength

    XMLWordPrintable

Details

    • Untriaged
    • Unknown

    Description

      See comments from Brett Lawson and me on MB-36900. At a minimum we should reorder our high security cipher suites as follows:

      [
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA"
      ]
      

      But we may want to do more based on Brett's investigations.

      Attachments

        Issue Links

          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            dfinlay Dave Finlay created issue -

            Just copying from the other ticket for visibility here:
            It might be a good idea to take advantage of a well-known cipher-list that is known to be highly compatible in the face of an increasing number of SSL implementations:
            https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29

            brett19 Brett Lawson added a comment - Just copying from the other ticket for visibility here: It might be a good idea to take advantage of a well-known cipher-list that is known to be highly compatible in the face of an increasing number of SSL implementations: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
            timofey.barmin Timofey Barmin made changes -
            Field Original Value New Value
            Status Open [ 1 ] In Progress [ 3 ]
            dfinlay Dave Finlay made changes -
            Link This issue blocks MB-36676 [ MB-36676 ]
            dfinlay Dave Finlay made changes -
            Labels approved-for-mad-hatter
            dfinlay Dave Finlay made changes -
            Link This issue is duplicated by MB-36900 [ MB-36900 ]

            Hey Dave Finlay,

            Don't forget that the first cipher (TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA) in your list above is actually a blacklisted cipher, so any OpenSSL installation which supports that cipher is going to fail to correctly build HTTP2 connections.

            Cheers, Brett

            brett19 Brett Lawson added a comment - Hey Dave Finlay , Don't forget that the first cipher (TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA) in your list above is actually a blacklisted cipher, so any OpenSSL installation which supports that cipher is going to fail to correctly build HTTP2 connections. Cheers, Brett
            dfinlay Dave Finlay added a comment -

            Yes, Brett, we are aware. Thanks.

            dfinlay Dave Finlay added a comment - Yes, Brett, we are aware. Thanks.
            dfinlay Dave Finlay made changes -
            Resolution Fixed [ 1 ]
            Status In Progress [ 3 ] Resolved [ 5 ]

            Build couchbase-server-6.5.0-4912 contains ns_server commit 57e7c00 with commit message:
            MB-37083: Reorder high ciphers for cbauth

            build-team Couchbase Build Team added a comment - Build couchbase-server-6.5.0-4912 contains ns_server commit 57e7c00 with commit message: MB-37083 : Reorder high ciphers for cbauth

            Build couchbase-server-7.0.0-1096 contains ns_server commit 57e7c00 with commit message:
            MB-37083: Reorder high ciphers for cbauth

            build-team Couchbase Build Team added a comment - Build couchbase-server-7.0.0-1096 contains ns_server commit 57e7c00 with commit message: MB-37083 : Reorder high ciphers for cbauth
            ben.brooks Ben Brooks made changes -
            Link This issue blocks CBG-602 [ CBG-602 ]
            ritam.sharma Ritam Sharma made changes -
            VERIFICATION STEPS here is the list of ciphers: - GCM is higher than CBC
            Closing of buil - Enterprise Edition 6.5.0 build 4926 ‧ IPv4
             "clusterManager": {
                "supportedCipherSuites": [
                  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                  "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
                  "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
                  "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
                  "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
                  "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
                  "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
                  "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
                  "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
                  "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
                  "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
                  "TLS_RSA_WITH_AES_256_GCM_SHA384",
                  "TLS_RSA_WITH_AES_256_CBC_SHA256",
                  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
                  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                  "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
                  "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
                  "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
                  "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
                  "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
                  "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
                  "TLS_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_RSA_WITH_AES_128_CBC_SHA256",
                  "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
                  "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                  "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
                  "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
                  "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
                  "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
                  "TLS_RSA_WITH_AES_256_CBC_SHA",
                  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
                  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
                  "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
                  "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
                  "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
                  "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
                  "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
                  "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
                  "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
                  "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
                  "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
                  "TLS_RSA_PSK_WITH_RC4_128_SHA",
                  "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
                  "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
                  "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
                  "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
                  "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
                  "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
                  "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
                  "TLS_ECDH_RSA_WITH_RC4_128_SHA",
                  "TLS_RSA_WITH_RC4_128_SHA",
                  "TLS_RSA_WITH_RC4_128_MD5",
                  "TLS_DHE_RSA_WITH_DES_CBC_SHA",
                  "TLS_RSA_WITH_DES_CBC_SHA"
            Status Resolved [ 5 ] Closed [ 6 ]

            People

              timofey.barmin Timofey Barmin
              dfinlay Dave Finlay
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes

                  PagerDuty