[MB-37083] OOTB cipher suites should work with http2 clients and should be in decreasing order of cipher strength - Couchbase database

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 6.5.0
Fix Version/s: 6.5.0
Component/s: ns_server
Labels:
- approved-for-mad-hatter

Triage:
Untriaged
Is this a Regression?:
Unknown

Description

See comments from Brett Lawson and me on ~~MB-36900~~. At a minimum we should reorder our high security cipher suites as follows:

  "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",

  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",

  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

  "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",

  "TLS_RSA_WITH_AES_256_CBC_SHA",

  "TLS_RSA_WITH_AES_128_CBC_SHA"

But we may want to do more based on Brett's investigations.

Attachments

Issue Links

blocks

CBG-602 SG is failed to connect to CBS with x509 cert auth

Closed

is duplicated by

MB-36900 broken pipe while doing query service with ssl enabled

Closed

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

Ascending order - Click to sort in descending order

Dave Finlay created issue - 27/Nov/19 11:27 PM

Brett Lawson added a comment - 27/Nov/19 11:48 PM

Just copying from the other ticket for visibility here:
It might be a good idea to take advantage of a well-known cipher-list that is known to be highly compatible in the face of an increasing number of SSL implementations:
https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29

Brett Lawson added a comment - 27/Nov/19 11:48 PM Just copying from the other ticket for visibility here: It might be a good idea to take advantage of a well-known cipher-list that is known to be highly compatible in the face of an increasing number of SSL implementations: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29

Timofey Barmin made changes - 28/Nov/19 11:27 AM

Field	Original Value	New Value
Status	Open [ 1 ]	In Progress [ 3 ]

Dave Finlay made changes - 02/Dec/19 11:35 AM

Link

This issue blocks MB-36676 [ MB-36676 ]

Dave Finlay made changes - 02/Dec/19 11:36 AM

Labels

approved-for-mad-hatter

Dave Finlay made changes - 02/Dec/19 11:38 AM

Link

This issue is duplicated by ~~MB-36900~~ [ ~~MB-36900~~ ]

Brett Lawson added a comment - 02/Dec/19 11:40 AM

Hey Dave Finlay,

Don't forget that the first cipher (TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA) in your list above is actually a blacklisted cipher, so any OpenSSL installation which supports that cipher is going to fail to correctly build HTTP2 connections.

Cheers, Brett

Brett Lawson added a comment - 02/Dec/19 11:40 AM Hey Dave Finlay , Don't forget that the first cipher (TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA) in your list above is actually a blacklisted cipher, so any OpenSSL installation which supports that cipher is going to fail to correctly build HTTP2 connections. Cheers, Brett

Dave Finlay added a comment - 02/Dec/19 11:42 AM

Yes, Brett, we are aware. Thanks.

Dave Finlay added a comment - 02/Dec/19 11:42 AM Yes, Brett, we are aware. Thanks.

Dave Finlay made changes - 02/Dec/19 3:23 PM

Resolution		Fixed [ 1 ]
Status	In Progress [ 3 ]	Resolved [ 5 ]

Couchbase Build Team added a comment - 02/Dec/19 3:42 PM

Build couchbase-server-6.5.0-4912 contains ns_server commit 57e7c00 with commit message:
~~MB-37083~~: Reorder high ciphers for cbauth

Couchbase Build Team added a comment - 02/Dec/19 3:42 PM Build couchbase-server-6.5.0-4912 contains ns_server commit 57e7c00 with commit message: MB-37083 : Reorder high ciphers for cbauth

Couchbase Build Team added a comment - 02/Dec/19 10:03 PM

Build couchbase-server-7.0.0-1096 contains ns_server commit 57e7c00 with commit message:
~~MB-37083~~: Reorder high ciphers for cbauth

Couchbase Build Team added a comment - 02/Dec/19 10:03 PM Build couchbase-server-7.0.0-1096 contains ns_server commit 57e7c00 with commit message: MB-37083 : Reorder high ciphers for cbauth

Ben Brooks made changes - 03/Dec/19 2:34 AM

Link

This issue blocks ~~CBG-602~~ [ ~~CBG-602~~ ]

Ritam Sharma made changes - 10/Dec/19 1:10 AM

VERIFICATION STEPS		here is the list of ciphers: - GCM is higher than CBC Closing of buil - Enterprise Edition 6.5.0 build 4926 ‧ IPv4 "clusterManager": { "supportedCipherSuites": [ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384", "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384", "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256", "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256", "TLS_RSA_PSK_WITH_AES_256_CBC_SHA", "TLS_RSA_PSK_WITH_AES_128_CBC_SHA", "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_PSK_WITH_RC4_128_SHA", "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA", "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA", "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA", "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "TLS_ECDH_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5", "TLS_DHE_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_DES_CBC_SHA"
Status	Resolved [ 5 ]	Closed [ 6 ]

People

Assignee:: Timofey Barmin

Reporter:: Dave Finlay

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 27/Nov/19 11:27 PM

Updated:: 10/Dec/19 1:10 AM

Resolved:: 02/Dec/19 3:23 PM

Gerrit Reviews

There are no open Gerrit changes

Show There are 2 closed Gerrit changes

Hide There are 2 closed Gerrit changes

MB-37083: Reorder high ciphers for cbauth: Gerrit Review:

Merge remote-tracking branch 'couchbase/mad-hatter': Gerrit Review:

PagerDuty

Couchbase Server

Details

Description

Attachments

Issue Links

Gerrit Reviews

Activity

People

Dates

Gerrit Reviews

PagerDuty