Couchbase Server
MB-53536

Use TLS 1.3 for erlang dist connections and for replication connections





      Currently ns_server supports TLS 1.2 and TLS 1.3 when connecting to another ns_server or to memcached, but TLS 1.2 requires periodic renegotiations, which lead to replication and dist connection drops.
      In order to avoid renegotiations we can simply switch to TLS 1.3 completely, which should guarantee that there will be no renegotiation attempts at all (because there is no such thing in TLS 1.3).

      Note that since we need to stay backward compatible, mixed clusters should support working via TLS 1.2.

      Ideally the list of TLS versions to use internally should be configurable. We already have a min TLS version setting for cb server, but this seems to be a slightly different thing, because customers might need to support TLS 1.2 for external connections (or even TLS 1.1). For that reason we need to have a separate setting for the TLS versions to be used internally. That setting should be enforced on the client side. That same setting can be propagated to golang services via cbauth, because the same renegotiation problem may also affect other long-living connections established by services to memcached or to ns_server (this seems to be a less critical task though).
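      The shape such an internal-only version setting could take, as an added illustration and not ns_server's own code: the `Mixed` flag, the module name and the `CertOpts` argument are assumptions; the `versions`, `verify`, `secure_renegotiate` and `fail_if_no_peer_cert` keys are standard OTP `ssl` options and the `{server, ...}`/`{client, ...}` terms are the format of an `-ssl_dist_optfile`.

```erlang
%% Added example (hypothetical module, not from ns_server): derive the TLS
%% option lists for internal (dist and replication) connections from a
%% cluster setting that is separate from the external min-TLS setting.
-module(internal_tls).
-export([allowed_versions/1, client_opts/2, dist_optfile_terms/2]).

%% Hypothetical setting: Mixed is true while any node in the cluster may
%% still lack TLS 1.3 support. Only 1.2 and 1.3 are ever listed here;
%% TLS 1.1 is never offered internally even if external clients need it.
allowed_versions(true)  -> ['tlsv1.3', 'tlsv1.2'];
allowed_versions(false) -> ['tlsv1.3'].

%% Enforced on the client side: the connecting node chooses the versions
%% it offers, so a 1.3-only client can never land on a renegotiating
%% TLS 1.2 session. CertOpts carries the caller's certfile/keyfile/
%% cacertfile options unchanged.
client_opts(Mixed, CertOpts) ->
    [{versions, allowed_versions(Mixed)},
     {verify, verify_peer},
     %% Only matters while 'tlsv1.2' is still in the list.
     {secure_renegotiate, true}
     | CertOpts].

%% Terms for an -ssl_dist_optfile, used as
%%   erl -proto_dist inet_tls -ssl_dist_optfile FILE
%% Both sides get the same version list so that the pinning holds no
%% matter which node initiates the dist connection.
dist_optfile_terms(Mixed, CertOpts) ->
    Versions = allowed_versions(Mixed),
    [{server, [{versions, Versions},
               {verify, verify_peer},
               {fail_if_no_peer_cert, true}
               | CertOpts]},
     {client, [{versions, Versions},
               {verify, verify_peer}
               | CertOpts]}].
```

      To materialise the file, format the terms with `io_lib:format("~p.~n", [internal_tls:dist_optfile_terms(false, CertOpts)])` and write the result with `file:write_file/2`; once the last TLS 1.2-only node is gone, regenerate it with `Mixed = false`.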





              bryan.mccoid Bryan McCoid
              timofey.barmin Timofey Barmin


