cockroachdb / docs

CockroachDB user documentation
https://cockroachlabs.com/docs
Creative Commons Attribution 4.0 International

security: Remove some less-secure TLS 1.2 cipher suites #14022

Open cockroach-teamcity opened 2 years ago

cockroach-teamcity commented 2 years ago

Exalate commented:

Related PR: https://github.com/cockroachdb/cockroach/pull/82362
Commit: https://github.com/cockroachdb/cockroach/commit/fade15e28a7a571143214ff50366902991e07713

Release note (security update): Certain less-secure TLS 1.2 cipher suites are no longer supported. Very old clients (more than five years old) may fail to connect. CRDB now matches the IETF's "recommended" cipher list defined in RFC 8447.

Jira Issue: DOC-3734
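The release note above says the server's TLS 1.2 cipher list was narrowed to the forward-secret AEAD suites that the IANA registry (per RFC 8447) marks as "Recommended". The following Go program is an added example, not code from the CockroachDB commit or from this docs repository: it applies that rule to Go's crypto/tls suite list, shows which suites of a constructed "before" configuration would be kept or dropped, and builds a tls.Config restricted to the kept set. The name-based selection rule (ECDHE key exchange plus AES-GCM or ChaCha20-Poly1305) and the function names are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sort"
	"strings"
)

// IsRecommendedTLS12 reports whether a TLS 1.2 cipher suite is one of the
// forward-secret AEAD suites the IANA registry marks "Recommended":
// ECDHE key exchange with AES-GCM or ChaCha20-Poly1305.
// This name-based rule is an assumption of the example, not the filter
// CockroachDB itself uses.
func IsRecommendedTLS12(id uint16) bool {
	name := tls.CipherSuiteName(id)
	if !strings.Contains(name, "ECDHE") {
		return false // RSA key exchange, DHE, or a TLS 1.3-only suite
	}
	return strings.Contains(name, "GCM") || strings.Contains(name, "CHACHA20")
}

// RecommendedTLS12Suites returns the IDs of every TLS 1.2 suite in Go's
// non-insecure list that passes IsRecommendedTLS12, sorted for stable output.
func RecommendedTLS12Suites() []uint16 {
	var out []uint16
	for _, cs := range tls.CipherSuites() {
		for _, v := range cs.SupportedVersions {
			if v == tls.VersionTLS12 && IsRecommendedTLS12(cs.ID) {
				out = append(out, cs.ID)
				break
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return out
}

// SplitSuites partitions a candidate list (for example, a server's current
// configuration) into the suites to keep and the suites to drop.
func SplitSuites(candidates []uint16) (keep, drop []uint16) {
	for _, id := range candidates {
		if IsRecommendedTLS12(id) {
			keep = append(keep, id)
		} else {
			drop = append(drop, id)
		}
	}
	return keep, drop
}

// NewServerTLSConfig builds a tls.Config that accepts only the recommended
// TLS 1.2 suites. TLS 1.3 suites are not configurable in Go and stay on.
// Certificates are left for the caller to add.
func NewServerTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: RecommendedTLS12Suites(),
	}
}

func main() {
	// Constructed "before" list: AEAD, CBC and non-forward-secret suites mixed.
	before := []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
	}
	keep, drop := SplitSuites(before)
	fmt.Println("kept:")
	for _, id := range keep {
		fmt.Println("  ", tls.CipherSuiteName(id))
	}
	fmt.Println("dropped:")
	for _, id := range drop {
		fmt.Println("  ", tls.CipherSuiteName(id))
	}
	cfg := NewServerTLSConfig()
	fmt.Printf("server config allows %d TLS 1.2 suites\n", len(cfg.CipherSuites))
}
```

The dropped set is where the compatibility caveat from the release note comes from: a client that only offers CBC or static-RSA suites has nothing in common with the narrowed list and the handshake fails, so checking an old client's offered suites against SplitSuites before an upgrade tells you whether it will still connect.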

exalate-issue-sync[bot] commented 1 year ago

Mike Lewis (mikeCRL) commented: See thread.

Per that thread, we need to update the docs (at least https://www.cockroachlabs.com/docs/stable/authentication.html ), and also add this to v22.2 backward-incompatible changes.

exalate-issue-sync[bot] commented 1 year ago

Matthew Gardner (data-matt) commented: Michael Trestman, reach out to me if you are unsure about this doc, I think I can help.

exalate-issue-sync[bot] commented 8 months ago

Michael Lewis (mikeCRL) commented: linville please see this new thread started by Matthew Gardner as well as https://cockroachlabs.atlassian.net/browse/DOC-8159 and the PR associated with it. That issue cited v22.2 in the description, but its PR only affected 23.1.

Copy of Matthew Gardner's latest slack message:

"Hi folks, I believe that TLS 1.2 is disabled by default in v22.2. However there is no reference to this in our 22.2 documentation. Please see the difference between:
https://www.cockroachlabs.com/docs/v22.2/authentication#background-on-public-key-cryptography-and-digital-certificates
https://www.cockroachlabs.com/docs/v23.1/authentication#background-on-public-key-cryptography-and-digital-certificates
Can this be corrected? Wondering if it's because this change was introduced from 22.2.4?"

exalate-issue-sync[bot] commented 8 months ago

Michael Lewis (mikeCRL) commented: To clarify, it looks like the release note text here was from 22.2 alpha 1. Later, in 22.2.4, it looks like we re-added these cipher suites, but disabled them by default. See https://cockroachlabs.atlassian.net/browse/DOC-8159