Uploaded image for project: 'Couchbase Server'
  1. Couchbase Server
  2. MB-37083

OOTB cipher suites should work with http2 clients and should be in decreasing order of cipher strength

    XMLWordPrintable

Details

    • Untriaged
    • Unknown

    Description

      See comments from Brett Lawson and me on MB-36900. At a minimum we should reorder our high security cipher suites as follows:

      [
      		 
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
      		 
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      		 
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      		 
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
      		 
        "TLS_RSA_WITH_AES_256_CBC_SHA",
      		 
        "TLS_RSA_WITH_AES_128_CBC_SHA"
      		 
      ]

      But we may want to do more based on Brett's investigations.

      Attachments

        Issue Links

          blocks

          Bug - A problem which impairs or prevents the functions of the product. CBG-602 SG is failed to connect to CBS with x509 cert auth

          • Major - Major loss of function.
          • Closed
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. MB-36900 broken pipe while doing query service with ssl enabled

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          For Gerrit Dashboard: MB-37083
          # Subject Branch Project Status CR V
          118648,4 MB-37083: Reorder high ciphers for cbauth mad-hatter ns_server Status: MERGED +2 +1
          118750,1 Merge remote-tracking branch 'couchbase/mad-hatter' master ns_server Status: MERGED +2 +1

          Activity

            People

              timofey.barmin Timofey Barmin
              dfinlay Dave Finlay
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes

                  PagerDuty