Uploaded image for project: 'Couchbase Server'
  1. Couchbase Server
  2. MB-52050

Query service not following the cipher-suite order

    XMLWordPrintable

Details

    • Bug
    • Resolution: Not a Bug
    • Major
    • Morpheus
    • 7.1.0
    • cbauth
    • Untriaged
    • Centos 64-bit
    • 1
    • Unknown

    Description

      Cipher-suites(TLSv1.2) used by the "query" service was not found in the order in which the "supportedCipherSuites" appear in the list established for the service. (As per the docs https://docs.couchbase.com/server/current/learn/security/on-the-wire-security.html#establishing-cipher-suite-lists: "Cipher-suites are used by a service in the order in which the cipher-suites appear in the list established for the service")

      Steps to reproduce:
      1. Create a cluster of 1 node with services data and query(172.23.105.215)
      2. Run the testssl.sh tool(https://github.com/drwetter/testssl.sh) and note the "TLSv1.2 (server order)"
      Command: ./testssl.sh 172.23.105.215:18093
      3. Compare the order of cipher-suites with the pre-configured list of cipher-suites
      Command: /opt/couchbase/bin/couchbase-cli setting-security -c 172.23.105.215:18093 -u Administrator -p password --get

      Observation:
      On comparing the order of cipher-suites(using the tool testssl.sh) with the order of pre-configured list of cipher-suites, it could be noted that the query service doesn't seem to follow the mentioned order.

      ./testssl.sh 172.23.105.215:18093

      TLSv1.2 (server order)
      xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 521 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      xc014 ECDHE-RSA-AES256-SHA ECDH 521 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
      x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA

      /opt/couchbase/bin/couchbase-cli setting-security -c 172.23.105.215:18093 -u Administrator -p password --get

      "query":{"supportedCipherSuites": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "{*}TLS_RSA_WITH_AES_128_CBC_SHA{*}", "{*}TLS_RSA_WITH_AES_256_CBC_SHA{*}", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "{*}TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA{*}", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "{*}TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256{*}", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "{*}TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384{*}", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"]}

      Attachments

        Activity

          People

            hareen.kancharla Hareen Kancharla
            shaazin.sheikh Shaazin Sheikh
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              PagerDuty