Description
Problem
Currently there is a cluster-wide endpoint for setting the TLS options tlsMinVersion, cipherSuites and honorCipherOrder:
    localhost:8091/settings/security tlsMinVersion=tlsv1.2
In CC most services have been bumped up to support tlsv1.3; unfortunately the view engine and ns_server cannot support tlsv1.3 because of Erlang.
There is a different endpoint that allows each "service" to override the cluster-wide value of these settings:
    /settings/security/{service}/tlsMinVersion
The accepted values are tlsv1.1, tlsv1.2 or tlsv1.3, noting that the clusterManager service does not support tlsv1.3.
The "services" are:
- Analytics
- Cluster Manager
- Data
- Eventing
- FTS
- GSI
- Query
Generally speaking a user is required by their company security policy to set the highest possible level available. Unfortunately the global setting cannot accept 1.3, as not all services support it, and it could mislead the user, e.g. from couchbase-cli:
    couchbase-cli security-settings -tls-min-version tlsv1.3
The user might believe the cluster is fully on tlsv1.3.
It would be nice if the CLI had a way to set the TLS minimum version for each service.
Suggestion
One idea is to extend couchbase-cli to be able to set the TLS min version per service, for example:
    couchbase-cli security-settings -tls-min-version-data tlsv1.3 -tls-min-version-cluster-manager tlsv1.2
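Until the CLI grows such flags, the per-service endpoint named above can be driven directly. The following is an added example (not Couchbase or couchbase-cli code) that validates a set of per-service minimum versions against the constraint stated in this issue (clusterManager cannot go above tlsv1.2), reports which services would still be below the level the user wants, and posts each override to /settings/security/{service}/tlsMinVersion. It assumes the request is an authenticated POST whose body is the bare version string, and it assumes the service identifiers other than clusterManager (kv, index, query, fts, eventing, cbas); only clusterManager appears in the issue text.

```python
"""Per-service TLS minimum-version helper for the endpoint described in the issue.

Added example, not part of the issue or of couchbase-cli. Assumptions:
  * POST {host}:8091/settings/security/{service}/tlsMinVersion with the
    version string as the body (the issue shows the path, not the body format);
  * service identifiers other than clusterManager are assumed for illustration.
"""
import base64
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Values the endpoint accepts, per the issue, ordered weakest to strongest.
TLS_VERSIONS = ("tlsv1.1", "tlsv1.2", "tlsv1.3")

# Highest version each service can be set to. clusterManager (ns_server and the
# view engine) stops at tlsv1.2 as the issue states; the remaining identifiers
# and their tlsv1.3 support are assumptions made for this example.
SERVICE_MAX_VERSION: Dict[str, str] = {
    "clusterManager": "tlsv1.2",
    "kv": "tlsv1.3",        # Data
    "index": "tlsv1.3",     # GSI
    "query": "tlsv1.3",
    "fts": "tlsv1.3",
    "eventing": "tlsv1.3",
    "cbas": "tlsv1.3",      # Analytics
}


def _rank(version: str) -> int:
    """Position of a version in TLS_VERSIONS; rejects unknown strings."""
    if version not in TLS_VERSIONS:
        raise ValueError(f"unknown TLS version {version!r}")
    return TLS_VERSIONS.index(version)


def is_allowed(service: str, version: str) -> bool:
    """True when the service can honour the requested minimum version."""
    if service not in SERVICE_MAX_VERSION:
        raise ValueError(f"unknown service {service!r}")
    return _rank(version) <= _rank(SERVICE_MAX_VERSION[service])


def check_service_version(service: str, version: str) -> None:
    """Raise instead of silently accepting a version the service cannot use."""
    if not is_allowed(service, version):
        raise ValueError(
            f"{service} supports at most {SERVICE_MAX_VERSION[service]}, not {version}")


def build_requests(host: str, settings: Dict[str, str]) -> List[Tuple[str, bytes]]:
    """Validate every override and return (url, body) pairs to send."""
    out: List[Tuple[str, bytes]] = []
    for service, version in settings.items():
        check_service_version(service, version)
        url = f"http://{host}:8091/settings/security/{service}/tlsMinVersion"
        out.append((url, version.encode()))
    return out


def effective_versions(global_version: str, overrides: Dict[str, str]) -> Dict[str, str]:
    """What each service will actually enforce: its override, else the global value.

    A global tlsv1.3 raises for clusterManager, mirroring the issue's point that
    the cluster-wide setting cannot be raised to 1.3 for every service.
    """
    _rank(global_version)
    for service, version in overrides.items():
        check_service_version(service, version)
    result = {}
    for service in SERVICE_MAX_VERSION:
        version = overrides.get(service, global_version)
        check_service_version(service, version)
        result[service] = version
    return result


def services_below(target: str, effective: Dict[str, str]) -> List[str]:
    """Services whose effective minimum is weaker than the level the user wants."""
    return sorted(s for s, v in effective.items() if _rank(v) < _rank(target))


def _urllib_post(url: str, body: bytes, headers: Dict[str, str]) -> int:
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def apply_settings(host: str, user: str, password: str, settings: Dict[str, str],
                   post: Optional[Callable[[str, bytes, Dict[str, str]], int]] = None) -> List[int]:
    """POST each validated override; `post` can be swapped for a recorder when testing."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Content-Type": "text/plain"}
    sender = post or _urllib_post
    return [sender(url, body, headers) for url, body in build_requests(host, settings)]


if __name__ == "__main__":
    wanted = {"kv": "tlsv1.3", "query": "tlsv1.3"}  # constructed sample overrides
    eff = effective_versions("tlsv1.2", wanted)
    print("services still below tlsv1.3:", services_below("tlsv1.3", eff))
```

Running the script with a global tlsv1.2 and overrides only for kv and query lists the other services, clusterManager included, as still below tlsv1.3, which is the audit a user would want before concluding the cluster is "fully on tlsv1.3".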
Issue Links
- depends on MB-42099 Update ciphers and supported minTLSVersion for services (Closed)