Since .NET 5, the Linux variant defaults to using the Linux OS defaults for cipher suites. For distributions configured for higher security, such as Alpine, this default includes TLS 1.2 only and excludes many older cipher suites.
Currently, we override and enable TLS 1.0/1.1 on SslStream. However, we don't do any configuration with cipher suites. The only way to make SSL work on secure Linux distros is to configure the OS system-wide. This is both difficult and reduces security on outgoing connections to services other than Couchbase.
We should both:
- Allow configuration of the cipher suite, where required.
- Consider setting defaults for cipher suites that will work with Couchbase Server. However, this may vary by Couchbase Server version, and striking a balance between security for newer Server versions versus simpler compatibility with older versions may be tricky.
- This is doable in .NET Core 3.1 and later only, so we may want to limit the presence of the options in ClusterOptions to certain frameworks.
- For SslStream on Key/Value connections, we can pass an SslClientAuthenticationOptions object to AuthenticateAsClientAsync.
- For HttpClient, we can set SslOptions to an SslClientAuthenticationOptions object on the SocketsHttpHandler.
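As an added illustration (not SDK code), this is how the two paths above could share one SslClientAuthenticationOptions carrying a CipherSuitesPolicy; the `enabledCipherSuites` parameter stands in for a hypothetical ClusterOptions setting, and the default suite list is an assumption, not a list validated against any Couchbase Server version.

```csharp
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.Threading.Tasks;

public static class CouchbaseTlsOptions
{
    // Assumed default list: AEAD suites a hardened Linux OpenSSL config
    // typically still negotiates (TLS 1.3 suites plus ECDHE/GCM for TLS 1.2).
    // Which suites a given Couchbase Server version accepts must be checked separately.
    private static readonly TlsCipherSuite[] DefaultSuites =
    {
        TlsCipherSuite.TLS_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    };

    // Builds the options object shared by SslStream and SocketsHttpHandler.
    // 'enabledCipherSuites' is a placeholder for a future ClusterOptions setting.
    public static SslClientAuthenticationOptions Build(string targetHost,
        IEnumerable<TlsCipherSuite> enabledCipherSuites = null)
    {
        var options = new SslClientAuthenticationOptions { TargetHost = targetHost };

        // CipherSuitesPolicy is honoured on Linux (OpenSSL); constructing it on
        // Windows throws PlatformNotSupportedException, so only set it elsewhere.
        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
        {
            options.CipherSuitesPolicy =
                new CipherSuitesPolicy(enabledCipherSuites ?? DefaultSuites);
        }
        return options;
    }

    // Key/Value path: the policy is applied to this connection's handshake only,
    // leaving the OS-wide OpenSSL configuration untouched.
    public static async Task<SslStream> AuthenticateKvAsync(TcpClient client, string host)
    {
        var ssl = new SslStream(client.GetStream(), leaveInnerStreamOpen: false);
        await ssl.AuthenticateAsClientAsync(Build(host), default);
        return ssl;
    }

    // HTTP path: SocketsHttpHandler forwards SslOptions to the SslStream it creates.
    public static HttpClient CreateHttpClient(string host) =>
        new HttpClient(new SocketsHttpHandler { SslOptions = Build(host) });
}
```

Because the policy is per connection, restricting or widening suites here does not affect the process's other outgoing TLS connections, which is the problem a system-wide OpenSSL change causes.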