DOC-12599
| To check which ciphers are available on a self-managed Couchbase Server installation, run: | ||
| [source.console] | ||
| ---- | ||
| /opt/couchbase/bin/couchbase-cli setting-security -c localhost -u Administrator -p password –get |
–get should be --get (somewhere along the line, the two dashes got mangled into an en dash)
| ---- | ||
|
|
||
| To check which ciphers are available on a self-managed Couchbase Server installation, run: | ||
| [source.console] |
Should that dot be a comma? Like [source,console]
|
|
||
| === Choosing your Cipher Suite | ||
|
|
||
| If you are on a version of TLS that allows a cipher suite weaker than your latest security policies allow, |
Suggestion:
If your organization's security policy requires using specific TLS cipher suites,
|
|
||
| If you are on a version of TLS that allows a cipher suite weaker than your latest security policies allow, | ||
| you can specify which ciphers to use with | ||
| link:++https://docs.couchbase.com/sdk-api/couchbase-core-io/com/couchbase/client/core/env/SecurityConfig.Builder.html#ciphers(java.util.List++[`SecurityConfig.Builder (ciphers(List`]. |
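Review bot: the link target on the last line stops at `#ciphers(java.util.List` and the label at `SecurityConfig.Builder (ciphers(List`, so both carry an unclosed parenthesis and the Javadoc anchor is unlikely to resolve. Close the fragment as `#ciphers(java.util.List)` inside the `++` passthrough and give the label balanced punctuation.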
Maybe style the label like this?
[the `security.ciphers` client setting]
| "TLS_ECDH_RSA_WITH_RC4_128_SHA", | ||
| "TLS_RSA_WITH_RC4_128_SHA", | ||
| "TLS_RSA_WITH_RC4_128_MD5"))) ) ); | ||
| ---- |
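Review bot: all three suites listed in this example use RC4 (the last one with an MD5 MAC), and RFC 7465 prohibits RC4 cipher suites in TLS. Readers copy documentation snippets verbatim, so list AEAD suites such as `TLS_AES_128_GCM_SHA256` and `TLS_AES_256_GCM_SHA384` instead. The closing line `"TLS_RSA_WITH_RC4_128_MD5"))) ) );` also spaces its parentheses unevenly; keep the closers together.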
Most folks who need to specify a cipher suite will also want to force TLS 1.3. One way to do that is to require a cipher suite introduced in TLS 1.3.
Maybe format this a bit differently, and limit to TLS 1.3 cipher suites that the JVM and all Couchbase services support?
```java
    Cluster cluster = Cluster.connect(
        connectionString,
        ClusterOptions.clusterOptions(username, password)
            .environment(env -> env
                .securityConfig(sec -> sec
                    .ciphers(List.of(
                        // TLS 1.3 cipher suites supported by
                        // Java and Couchbase Server.
                        "TLS_AES_128_GCM_SHA256",
                        "TLS_AES_256_GCM_SHA384"
                    )))));
  }
}
```
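An added example, not part of the pull request or the Couchbase SDK: one way to vet a cipher list before handing it to `ciphers(List)`, checking that every entry is a TLS 1.3 suite the local JVM can negotiate. The class name `CipherListCheck` and its helper are hypothetical, Java 9 or later is assumed for `List.of`, and server-side support still has to be confirmed separately with the `couchbase-cli setting-security` command from the diff.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

public class CipherListCheck {
  // The five cipher suites defined for TLS 1.3 in RFC 8446, appendix B.4.
  static final Set<String> TLS13_SUITES = Set.of(
      "TLS_AES_128_GCM_SHA256",
      "TLS_AES_256_GCM_SHA384",
      "TLS_CHACHA20_POLY1305_SHA256",
      "TLS_AES_128_CCM_SHA256",
      "TLS_AES_128_CCM_8_SHA256");

  // Returns one finding per rejected suite; an empty list means the
  // candidate list is TLS 1.3 only and usable on this JVM.
  static List<String> findings(List<String> candidates, Set<String> jvmSupported) {
    List<String> out = new ArrayList<>();
    for (String suite : candidates) {
      if (suite.contains("_RC4_") || suite.endsWith("_MD5")) {
        out.add(suite + ": RC4 or MD5 suite, must not be offered");
      } else if (!TLS13_SUITES.contains(suite)) {
        out.add(suite + ": not a TLS 1.3 suite, so it does not force TLS 1.3");
      } else if (!jvmSupported.contains(suite)) {
        out.add(suite + ": not supported by this JVM");
      }
    }
    return out;
  }

  public static void main(String[] args) throws NoSuchAlgorithmException {
    // Cipher suites the local JSSE provider can negotiate.
    Set<String> jvmSupported = new HashSet<>(Arrays.asList(
        SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
    // The two lists that appear in this review thread.
    List<String> fromDiff = List.of(
        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_RC4_128_MD5");
    List<String> fromSuggestion = List.of(
        "TLS_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384");
    System.out.println("diff list:       " + findings(fromDiff, jvmSupported));
    System.out.println("suggestion list: " + findings(fromSuggestion, jvmSupported));
  }
}
```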
|
Closing in favour of #470 against the current dotminor's docs.