cipher suite choice #429
Open
cipher suite choice #429
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
DOC-12599
RichardSmedley
requested review from
dnault
and removed request for
programmatix
dnault
requested changes
Feb 6, 2025
| To check which ciphers are available on a self-managed Couchbase Server installation, run: | ||
| [source.console] | ||
| ---- | ||
| /opt/couchbase/bin/couchbase-cli setting-security -c localhost -u Administrator -p password –get |
There was a problem hiding this comment.
–get should be --get (somewhere along the line, the two dashes got mangled into an en dash)
| ---- | ||
|
|
||
| To check which ciphers are available on a self-managed Couchbase Server installation, run: | ||
| [source.console] |
There was a problem hiding this comment.
Should that dot be a comma? Like [source,console]
| @@ -238,6 +238,34 @@ E.....@.@.............+....Z.'yZ..#........ | |||
| ==== | |||
|
|
|||
|
|
|||
| === Choosing your Cipher Suite | |||
|
|
|||
| If you are on a version of TLS that allows a cipher suite weaker than your latest security policies allow, | |||
There was a problem hiding this comment.
Suggestion:
If your organization's security policy requires using specific TLS cipher suites,
|
|
||
| If you are on a version of TLS that allows a cipher suite weaker than your latest security policies allow, | ||
| you can specify which ciphers to use with | ||
| link:++https://docs.couchbase.com/sdk-api/couchbase-core-io/com/couchbase/client/core/env/SecurityConfig.Builder.html#ciphers(java.util.List++[`SecurityConfig.Builder (ciphers(List`]. |
There was a problem hiding this comment.
Maybe style the label like this?
[the `security.ciphers` client setting]
| "TLS_ECDH_RSA_WITH_RC4_128_SHA", | ||
| "TLS_RSA_WITH_RC4_128_SHA", | ||
| "TLS_RSA_WITH_RC4_128_MD5"))) ) ); | ||
| ---- |
There was a problem hiding this comment.
Most folks who need to specify cipher suite will also want to force TLS 1.3. One way to do that is to require a cipher suite introduced in TLS 1.3.
Maybe format this a bit differently, and limit to TLS 1.3 cipher suites that the JVM and all Couchbase services support?
Cluster cluster = Cluster.connect(
connectionString,
ClusterOptions.clusterOptions(username, password)
.environment(env -> env
.securityConfig(sec -> sec
.ciphers(List.of(
// TLS 1.3 cipher suites supported by
// Java and Couchbase Server.
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384"
)))));
}
}```
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
DOC-12599