Details
Description
The TLSv1.2 cipher-suites offered by the "query" service are not offered in the order in which they appear in the "supportedCipherSuites" list established for the service. (As per the docs https://docs.couchbase.com/server/current/learn/security/on-the-wire-security.html#establishing-cipher-suite-lists: "Cipher-suites are used by a service in the order in which the cipher-suites appear in the list established for the service".)
Steps to reproduce:
1. Create a 1-node cluster (172.23.105.215) running the data and query services.
2. Run the testssl.sh tool (https://github.com/drwetter/testssl.sh) against the query service's TLS port and note the "TLSv1.2 (server order)" section.
Command: ./testssl.sh 172.23.105.215:18093
3. Compare that server order with the pre-configured cipher-suite list for the query service.
Command: /opt/couchbase/bin/couchbase-cli setting-security -c 172.23.105.215:18093 -u Administrator -p password --get
Observation:
Comparing the server order reported by testssl.sh with the pre-configured list of cipher-suites shows that the query service does not follow the documented order: all five suites the server offers are present in the configured list, but they are not offered in the configured relative order.
./testssl.sh 172.23.105.215:18093
TLSv1.2 (server order)
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 521 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xc014 ECDHE-RSA-AES256-SHA ECDH 521 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
/opt/couchbase/bin/couchbase-cli setting-security -c 172.23.105.215:18093 -u Administrator -p password --get
"query":{"supportedCipherSuites": [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",                 <-- offered by the server
    "TLS_RSA_WITH_AES_256_CBC_SHA",                 <-- offered by the server
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",           <-- offered by the server
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",        <-- offered by the server
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",        <-- offered by the server
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256"
]}
(<-- marks the suites that appear in the testssl.sh "TLSv1.2 (server order)" output above)
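As an added example that is not part of the original report, the Python script below codifies step 3 of the reproduction: it takes the query service's configured supportedCipherSuites list and the TLSv1.2 server order reported by testssl.sh (both copied from the outputs above), reports each place where the server preferred a later-configured suite over an earlier one, and prints the order the documentation leads one to expect. The function names are mine.

```python
# Added example: compare an observed TLS 1.2 server cipher-suite order against the
# preference list configured for the service. Both lists are copied from the report.
from typing import List, Tuple

# "query" -> "supportedCipherSuites" as returned by couchbase-cli setting-security --get.
CONFIGURED: List[str] = """
TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256
""".split()

# "TLSv1.2 (server order)" as reported by testssl.sh for 172.23.105.215:18093 (IANA names).
OBSERVED: List[str] = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

def check_order(configured: List[str], observed: List[str]) -> Tuple[bool, List[str]]:
    """Return (ok, problems). ok is True only when every offered suite is configured and
    the offered sequence is a subsequence of the configured preference list."""
    rank = {name: pos for pos, name in enumerate(configured)}
    problems = [f"{name}: offered but not in the configured list"
                for name in observed if name not in rank]
    ranked = [(rank[name], name) for name in observed if name in rank]
    for (pos_a, a), (pos_b, b) in zip(ranked, ranked[1:]):
        if pos_a > pos_b:  # a later-configured suite was preferred over an earlier one
            problems.append(f"{a} (configured #{pos_a + 1}) offered before {b} (configured #{pos_b + 1})")
    return (not problems, problems)

def expected_server_order(configured: List[str], observed: List[str]) -> List[str]:
    """The offered suites sorted by their position in the configured list."""
    rank = {name: pos for pos, name in enumerate(configured)}
    return sorted(observed, key=lambda name: rank.get(name, len(configured)))

if __name__ == "__main__":
    ok, problems = check_order(CONFIGURED, OBSERVED)
    print("server order follows configured list:", ok)
    for p in problems:
        print("  -", p)
    print("expected order:", expected_server_order(CONFIGURED, OBSERVED))
```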