Thu May 26 15:49:40 PDT 2016
Summary:
* Update TLS to 1.2 without Couchbase Server restart
* Port 18092 still offers TLS 1.0 / 1.1 / 1.2 [note: in the scan output below, the port shown offering TLS 1.0 / 1.1 is 11207 (the memcached ssl_port); 18092 shows TLS 1.2 only, so re-check which port was meant]
Getting the Couchbase Server configuration and capturing the configuration values related to SSL / TLS (the grep context lines also capture the memcached admin_pass values; redact them before sharing this output):
22- {{couchdb,max_parallel_indexers},4}, 23- {{couchdb,max_parallel_replica_indexers},2}, 24- {{node,'ns_1@127.0.0.1',rest},[{port,8091},{port_meta,global}]}, 25: {{node,'ns_1@127.0.0.1',ssl_rest_port},18091}, 26- {{node,'ns_1@127.0.0.1',capi_port},8092}, 27: {{node,'ns_1@127.0.0.1',ssl_capi_port},18092}, 28- {{node,'ns_1@127.0.0.1',query_port},8093}, 29: {{node,'ns_1@127.0.0.1',ssl_query_port},18093}, 30- {{node,'ns_1@127.0.0.1',projector_port},9999}, 31- {{node,'ns_1@127.0.0.1',xdcr_rest_port},9998}, 32- {{node,'ns_1@127.0.0.1',indexer_admin_port},9100}, -- 35- {{node,'ns_1@127.0.0.1',indexer_stinit_port},9103}, 36- {{node,'ns_1@127.0.0.1',indexer_stcatchup_port},9104}, 37- {{node,'ns_1@127.0.0.1',indexer_stmaint_port},9105}, 38: {{node,'ns_1@127.0.0.1',ssl_proxy_downstream_port},11214}, 39: {{node,'ns_1@127.0.0.1',ssl_proxy_upstream_port},11215}, 40- {rest_creds,[{creds,[]}]}, 41- {remote_clusters,[]}, 42- {{node,'ns_1@127.0.0.1',isasl}, -- 53- {{node,'ns_1@127.0.0.1',memcached_defaults}, 54- [{maxconn,30000}, 55- {dedicated_port_maxconn,5000}, 56: {ssl_cipher_list,"HIGH"}, 57- {verbosity,0}, 58- {breakpad_enabled,true}, 59- {breakpad_minidump_dir_path,"/opt/couchbase/var/lib/couchbase/crash"}, -- 61- {{node,'ns_1@127.0.0.1',memcached}, 62- [{port,11210}, 63- {dedicated_port,11209}, 64: {ssl_port,11207}, 65- {admin_user,"_admin"}, 66- {admin_pass,"045fc542da6a44e5eb6c1f092b72310a"}, 67- {bucket_engine,"/opt/couchbase/lib/memcached/bucket_engine.so"}, -- 88- {port,dedicated_port}, 89- {maxconn,dedicated_port_maxconn}]}, 90- {[{host,<<"*">>}, 91: {port,ssl_port}, 92- {maxconn,maxconn}, 93: {ssl, 94- {[{key, 95- <<"/opt/couchbase/var/lib/couchbase/config/memcached-key.pem">>}, 96- {cert, 97- 
<<"/opt/couchbase/var/lib/couchbase/config/memcached-cert.pem">>}]}}]}]}}, 98: {ssl_cipher_list,{"~s",[ssl_cipher_list]}}, 99: {ssl_minimum_protocol,{memcached_config_mgr,ssl_minimum_protocol,[]}}, 100- {breakpad, 101- {[{enabled,breakpad_enabled}, 102- {minidump_dir,{memcached_config_mgr,get_minidump_dir,[]}}]}}, -- 4370- {settings, 4371- [{'_vclock',[{<<"4717615d6deb068ea17d63904d34ef3e">>,{1,63631516195}}]}, 4372- {stats,[{send_stats,false}]}]}, 4373: {ssl_minimum_protocol, 4374- [{'_vclock',[{<<"4717615d6deb068ea17d63904d34ef3e">>,{1,63631516785}}]}| 4375: 'tlsv1.2']}, 4376- {uuid, 4377- [{'_vclock',[{<<"4717615d6deb068ea17d63904d34ef3e">>,{1,63631516033}}]}| 4378- <<"94f4fd70abfcc30e53a97d8a2a63acf6">>]}, -- 6489- [{'_vclock',[{<<"4717615d6deb068ea17d63904d34ef3e">>,{1,63631515967}}]}, 6490- {port,11210}, 6491- {dedicated_port,11209}, 6492: {ssl_port,11207}, 6493- {admin_user,"_admin"}, 6494- {admin_pass,"f060047d1ce53db59a39d980b4d01e82"}, 6495- {bucket_engine,"/opt/couchbase/lib/memcached/bucket_engine.so"}, -- 6517- {port,dedicated_port}, 6518- {maxconn,dedicated_port_maxconn}]}, 6519- {[{host,<<"*">>}, 6520: {port,ssl_port}, 6521- {maxconn,maxconn}, 6522: {ssl, 6523- {[{key, 6524- <<"/opt/couchbase/var/lib/couchbase/config/memcached-key.pem">>}, 6525- {cert, 6526- <<"/opt/couchbase/var/lib/couchbase/config/memcached-cert.pem">>}]}}]}]}}, 6527: {ssl_cipher_list,{"~s",[ssl_cipher_list]}}, 6528: {ssl_minimum_protocol,{memcached_config_mgr,ssl_minimum_protocol,[]}}, 6529- {breakpad, 6530- {[{enabled,breakpad_enabled}, 6531- {minidump_dir,{memcached_config_mgr,get_minidump_dir,[]}}]}}, -- 6548- [{'_vclock',[{<<"4717615d6deb068ea17d63904d34ef3e">>,{1,63631515967}}]}, 6549- {maxconn,30000}, 6550- {dedicated_port_maxconn,5000}, 6551: {ssl_cipher_list,"HIGH"}, 6552- {verbosity,0}, 6553- {breakpad_enabled,true}, 6554- {breakpad_minidump_dir_path,"/opt/couchbase/var/lib/couchbase/crash"}, -- 6575- {{node,'ns_1@127.0.0.1',services}, 6576- 
[{'_vclock',[{<<"4717615d6deb068ea17d63904d34ef3e">>,{1,63631516051}}]}, 6577- index,kv,n1ql]}, 6578: {{node,'ns_1@127.0.0.1',ssl_capi_port}, 6579- [{'_vclock',[{<<"4717615d6deb068ea17d63904d34ef3e">>,{1,63631515967}}]}| 6580- 18092]}, 6581: {{node,'ns_1@127.0.0.1',ssl_proxy_downstream_port}, 6582- [{'_vclock',[{<<"4717615d6deb068ea17d63904d34ef3e">>,{1,63631515967}}]}| 6583- 11214]}, 6584: {{node,'ns_1@127.0.0.1',ssl_proxy_upstream_port}, 6585- [{'_vclock',[{<<"4717615d6deb068ea17d63904d34ef3e">>,{1,63631515967}}]}| 6586- 11215]}, 6587: {{node,'ns_1@127.0.0.1',ssl_query_port}, 6588- [{'_vclock',[{<<"4717615d6deb068ea17d63904d34ef3e">>,{1,63631515967}}]}| 6589- 18093]}, 6590: {{node,'ns_1@127.0.0.1',ssl_rest_port}, 6591- [{'_vclock',[{<<"4717615d6deb068ea17d63904d34ef3e">>,{1,63631515967}}]}| 6592- 18091]}, 6593- {{node,'ns_1@127.0.0.1',stop_xdcr}, ----- Testing now (2016-05-26 15:50) ---> 127.0.0.1:18091 (localhost) <--- rDNS (127.0.0.1): -- (A record via /etc/hosts) Service detected: HTTP --> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)  SSLv2 not offered (OK)  SSLv3 not offered (OK)  TLS 1 not offered  TLS 1.1 not offered  TLS 1.2 offered (OK)  SPDY/NPN not offered Done now (2016-05-26 15:50) ---> 127.0.0.1:18091 (localhost) <--- ----- Testing now (2016-05-26 15:50) ---> 127.0.0.1:18092 (localhost) <--- rDNS (127.0.0.1): -- (A record via /etc/hosts) Service detected: HTTP --> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)  SSLv2 not offered (OK)  SSLv3 not offered (OK)  TLS 1 not offered  TLS 1.1 not offered  TLS 1.2 offered (OK)  SPDY/NPN not offered Done now (2016-05-26 15:50) ---> 127.0.0.1:18092 (localhost) <--- ----- Testing now (2016-05-26 15:51) ---> 127.0.0.1:18093 (localhost) <--- rDNS (127.0.0.1): -- (A record via /etc/hosts) Service detected: HTTP --> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)  SSLv2 not offered (OK)  SSLv3 not offered (OK)  TLS 1 not offered  TLS 1.1 not offered  TLS 1.2 offered (OK)  
SPDY/NPN not offered Done now (2016-05-26 15:51) ---> 127.0.0.1:18093 (localhost) <--- ----- Testing now (2016-05-26 15:51) ---> 127.0.0.1:11207 (localhost) <--- rDNS (127.0.0.1): -- (A record via /etc/hosts) Service detected: Couldn't determine what's running on port 11207, assuming no HTTP service => skipping HTTP checks --> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)  SSLv2 not offered (OK)  SSLv3 not offered (OK)  TLS 1 offered  TLS 1.1 offered  TLS 1.2 offered (OK)  SPDY/NPN not offered Done now (2016-05-26 15:51) ---> 127.0.0.1:11207 (localhost) <--- ----- Testing now (2016-05-26 15:51) ---> 127.0.0.1:11214 (localhost) <--- rDNS (127.0.0.1): -- (A record via /etc/hosts) Service detected: Couldn't determine what's running on port 11214, assuming no HTTP service => skipping HTTP checks --> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)  SSLv2 not offered (OK)  SSLv3 not offered (OK)  TLS 1 not offered  TLS 1.1 not offered  TLS 1.2 offered (OK)  SPDY/NPN not offered Done now (2016-05-26 15:51) ---> 127.0.0.1:11214 (localhost) <--- ----- Testing now (2016-05-26 15:52) ---> 127.0.0.1:11215 (localhost) <--- rDNS (127.0.0.1): -- (A record via /etc/hosts)  127.0.0.1:11215 doesn't seem a TLS/SSL enabled server or it requires a certificate Service detected: Couldn't determine what's running on port 11215, assuming no HTTP service => skipping HTTP checks --> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)  SSLv2 not offered (OK)  SSLv3 not offered (OK)  TLS 1 not offered  TLS 1.1 not offered  TLS 1.2 not offered (NOT ok)  SPDY/NPN not offered Done now (2016-05-26 15:52) ---> 127.0.0.1:11215 (localhost) <--- End of Testing