Skip to content

cipher suite choice #429

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: temp/3.7
Choose a base branch
from
Open

cipher suite choice #429

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8308550
cipher suite choice
RichardSmedley Nov 27, 2024
b971ab4
Merge branch 'temp/3.7' into RichardSmedley-patch-5
RichardSmedley Feb 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 28 additions & 1 deletion modules/howtos/pages/managing-connections.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -238,6 +238,34 @@ E.....@.@.............+....Z.'yZ..#........
====


=== Choosing your Cipher Suite

If you are on a version of TLS that allows a cipher suite weaker than your latest security policies allow,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion:

If your organization's security policy requires using specific TLS cipher suites,

you can specify which ciphers to use with
link:++https://docs.couchbase.com/sdk-api/couchbase-core-io/com/couchbase/client/core/env/SecurityConfig.Builder.html#ciphers(java.util.List++[`SecurityConfig.Builder (ciphers(List`].
Copy link
Contributor

@dnault dnault Feb 5, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe style the label like this?

[the `security.ciphers` client setting]


For example:

[source,java]
----
Cluster cluster = Cluster.connect( connectionString, ClusterOptions.clusterOptions(username, password) .environment(env -> env .securityConfig(it -> it.ciphers(List.of( "MY_CIPHER", "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_DHE_RSA_WITH_DES_CBC_SHA",
"TLS_RSA_WITH_DES_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDH_RSA_WITH_RC4_128_SHA",
"TLS_RSA_WITH_RC4_128_SHA",
"TLS_RSA_WITH_RC4_128_MD5"))) ) );
----
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Most folks who need to specify cipher suite will also want to force TLS 1.3. One way to do that is to require a cipher suite introduced in TLS 1.3.

Maybe format this a bit differently, and limit to TLS 1.3 cipher suites that the JVM and all Couchbase services support?

Cluster cluster = Cluster.connect(
  connectionString,
  ClusterOptions.clusterOptions(username, password)
    .environment(env -> env
      .securityConfig(sec -> sec
        .ciphers(List.of(
          // TLS 1.3 cipher suites supported by
          // Java and Couchbase Server.
          "TLS_AES_128_GCM_SHA256",
          "TLS_AES_256_GCM_SHA384"
        )))));
  }
}```


To check which ciphers are available on a self-managed Couchbase Server installation, run:
[source.console]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should that dot be a comma? Like [source,console]

----
/opt/couchbase/bin/couchbase-cli setting-security -c localhost -u Administrator -p password –get
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

–get should be --get (somewhere along the line, the two dashes got mangled into an en dash)

----


== Quarkus Java Extension

Our xref:quarkus-extension:ROOT:overview.adoc[Couchbase Quarkus Java Extension docs] cover installing and connecting with the Quarkus extension in detail,
Expand All @@ -252,7 +280,6 @@ quarkus.couchbase.password=password
----



== Cloud Native Gateway

Couchbase's next generation connection protocol, introduced in Java SDK 3.5 and xref:operator::concept-cloud-native-gateway.adoc[Couchbase Autonomous Operator 2.6.1], can be enabled simply by changing the connection string to `couchbase2://` but there are a few differences to be aware of, described <<#limitations,below>>.
Expand Down