Couchbase Server
MB-37083

OOTB cipher suites should work with http2 clients and should be in decreasing order of cipher strength


Details

    • Untriaged
    • Unknown

    Description

      See comments from Brett Lawson and me on MB-36900. At a minimum we should reorder our high security cipher suites as follows:

      [
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA"
      ]
      

      But we may want to do more based on Brett's investigations.
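The ticket turns on two things the cipher-suite names alone let you check: whether the suite a server ends up picking is one an HTTP/2 client may refuse, and whether the preference list really runs from strongest to weakest. The Go program below is an added example by the editor, not code from Couchbase Server or from anyone on this ticket. Its HTTP/2 rule is a restatement of RFC 7540 section 9.2.2 and Appendix A (the blacklist there consists of suites with a non-AEAD cipher or a non-ephemeral key exchange), limited to the GCM/CBC/RC4/DES families that appear on this page; Negotiate is a model of server-preference selection rather than the server's actual code and ignores certificate type; ClientOffer is a constructed client list; and the strength ranking (AEAD, then forward secrecy, then key size, then hash) is one defensible ordering, not the one Couchbase implemented.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// DescriptionOrder is the "at a minimum" reorder proposed in the ticket.
var DescriptionOrder = []string{
	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
	"TLS_RSA_WITH_AES_256_CBC_SHA",
	"TLS_RSA_WITH_AES_128_CBC_SHA",
}

// ClientOffer is a constructed ClientHello list (not captured from any real
// client): an HTTP/2-capable client that still offers the legacy CBC_SHA suites.
var ClientOffer = []string{
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}

type suiteProps struct {
	ForwardSecret bool // ECDHE_* or DHE_* key exchange
	AEAD          bool // GCM record protection (the only AEAD mode on this page)
	KeyBits       int  // symmetric key strength used for ordering
	ModernHash    bool // SHA256/SHA384 rather than SHA/MD5
}

// classify derives the properties from the IANA-style suite name.
func classify(name string) suiteProps {
	var p suiteProps
	kx := strings.SplitN(strings.TrimPrefix(name, "TLS_"), "_WITH_", 2)[0]
	p.ForwardSecret = strings.HasPrefix(kx, "ECDHE_") || strings.HasPrefix(kx, "DHE_")
	p.AEAD = strings.Contains(name, "_GCM_")
	switch {
	case strings.Contains(name, "AES_256"):
		p.KeyBits = 256
	case strings.Contains(name, "AES_128"), strings.Contains(name, "RC4_128"):
		p.KeyBits = 128
	case strings.Contains(name, "3DES_EDE"):
		p.KeyBits = 112 // effective strength of three-key 3DES
	case strings.Contains(name, "DES_CBC"):
		p.KeyBits = 56
	}
	p.ModernHash = strings.HasSuffix(name, "SHA256") || strings.HasSuffix(name, "SHA384")
	return p
}

// HTTP2Acceptable encodes the RFC 7540 section 9.2.2 / Appendix A blacklist as a
// rule: a suite is acceptable only with an ephemeral key exchange and an AEAD
// cipher; a peer MAY answer any other negotiation with INADEQUATE_SECURITY.
func HTTP2Acceptable(name string) bool {
	p := classify(name)
	return p.ForwardSecret && p.AEAD
}

// Negotiate models server-preference selection: the first suite in the
// server's list that the client also offered (certificate type is ignored).
func Negotiate(serverPrefs, clientOffer []string) (string, bool) {
	offered := make(map[string]bool, len(clientOffer))
	for _, s := range clientOffer {
		offered[s] = true
	}
	for _, s := range serverPrefs {
		if offered[s] {
			return s, true
		}
	}
	return "", false
}

// strength scores a suite so that AEAD outranks forward secrecy, which outranks
// key size (always below 1000), which outranks the hash.
func strength(name string) int {
	p, bit := classify(name), map[bool]int{true: 1}
	return p.KeyBits + bit[p.ModernHash] + 1000*bit[p.ForwardSecret] + 10000*bit[p.AEAD]
}

// SortByStrength returns a copy in decreasing strength; equal scores keep their
// input order, so ECDSA stays ahead of RSA as in the ticket's list.
func SortByStrength(suites []string) []string {
	out := append([]string(nil), suites...)
	sort.SliceStable(out, func(i, j int) bool { return strength(out[i]) > strength(out[j]) })
	return out
}

func main() {
	for _, s := range SortByStrength(DescriptionOrder) {
		fmt.Printf("%-42s http2=%v\n", s, HTTP2Acceptable(s))
	}
	chosen, _ := Negotiate(DescriptionOrder, ClientOffer)
	fmt.Println("server-preference pick:", chosen, "http2:", HTTP2Acceptable(chosen))
}
```

With the description's order, a server honouring its own preference lands on TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA for this client, a blacklisted suite; after sorting, the same client gets TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256. Static-key-exchange GCM suites such as TLS_RSA_WITH_AES_256_GCM_SHA384 stay unacceptable even though they are AEAD, which is why ordering by cipher alone is not enough for HTTP/2 clients.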

          Activity

            dfinlay Dave Finlay created issue -
            timofey.barmin Timofey Barmin made changes -
            Field Original Value New Value
            Status Open [ 1 ] In Progress [ 3 ]
            dfinlay Dave Finlay made changes -
            Link This issue blocks MB-36676 [ MB-36676 ]
            dfinlay Dave Finlay made changes -
            Labels approved-for-mad-hatter
            dfinlay Dave Finlay made changes -
            Link This issue is duplicated by MB-36900 [ MB-36900 ]
            dfinlay Dave Finlay made changes -
            Resolution Fixed [ 1 ]
            Status In Progress [ 3 ] Resolved [ 5 ]
            ben.brooks Ben Brooks made changes -
            Link This issue blocks CBG-602 [ CBG-602 ]
            ritam.sharma Ritam Sharma made changes -
            VERIFICATION STEPS: here is the list of ciphers; GCM is higher than CBC.
            Closing on build Enterprise Edition 6.5.0 build 4926 ‧ IPv4:
             "clusterManager": {
                "supportedCipherSuites": [
                  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                  "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
                  "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
                  "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
                  "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
                  "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
                  "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
                  "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
                  "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
                  "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
                  "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
                  "TLS_RSA_WITH_AES_256_GCM_SHA384",
                  "TLS_RSA_WITH_AES_256_CBC_SHA256",
                  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
                  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                  "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
                  "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
                  "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
                  "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
                  "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
                  "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
                  "TLS_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_RSA_WITH_AES_128_CBC_SHA256",
                  "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
                  "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                  "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
                  "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
                  "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
                  "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
                  "TLS_RSA_WITH_AES_256_CBC_SHA",
                  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
                  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
                  "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
                  "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
                  "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
                  "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
                  "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
                  "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
                  "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
                  "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
                  "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
                  "TLS_RSA_PSK_WITH_RC4_128_SHA",
                  "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
                  "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
                  "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
                  "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
                  "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
                  "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
                  "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
                  "TLS_ECDH_RSA_WITH_RC4_128_SHA",
                  "TLS_RSA_WITH_RC4_128_SHA",
                  "TLS_RSA_WITH_RC4_128_MD5",
                  "TLS_DHE_RSA_WITH_DES_CBC_SHA",
                  "TLS_RSA_WITH_DES_CBC_SHA"
                ]
              }
            Status Resolved [ 5 ] Closed [ 6 ]

            People

              timofey.barmin Timofey Barmin
              dfinlay Dave Finlay