Uploaded image for project: 'Couchbase .NET client library'
  1. Couchbase .NET client library
  2. NCBC-3019

Allow SSL cipher configuration

    XMLWordPrintable

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 3.2.4
    • 3.2.5
    • library
    • None
    • 1

    Description

      Since .NET 5, the Linux variant defaults to using the Linux OS defaults for cipher suites. For distributions configured for higher security, such as Alpine, this default includes TLS 1.2 only and excludes many older cipher suites.

      Currently, we override and enable TLS 1.0/1.1 on SslStream. However, we don't do any configuration with cipher suites. The only way to make SSL work on secure Linux distros is to configure the OS system-wide. This is both difficult and reduces security on outgoing connections to services other than Couchbase.

      We should both:

      1. Allow configuration of the cipher suite, where required.
      2. Consider setting defaults for cipher suites that will work with Couchbase Server. However, this may vary by Couchbase Server version, and striking a balance between security for newer Server versions versus simpler compatibility with older versions may be tricky.
      • This is doable in .NET Core 3.1 and later only, so we may want to limit the presense of the options in ClusterOptions to certain frameworks
      • For SslStream on Key/Value connections, we can pass a SslClientAuthenticationOptions object to AuthenticateAsClientAsync
      • For HttpClient, we can set SslOptions to a SslClientAuthenticationOptions object on the SocketsHttpHandler

      https://forums.couchbase.com/t/bootstrap-error-on-net-5-and-net-6/32224

      Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

        Activity

          There are no comments yet on this issue.

          People

            jmorris Jeff Morris
            btburnett3 Brant Burnett
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                PagerDuty