The Couchbase Server 7.0 Beta is now available with some additional enhancements to strengthen the security of the platform. Couchbase uses TLS encryption across our portfolio to ensure that communication across the network is secure, meaning that outside parties cannot eavesdrop on or tamper with the requests your application makes to the database, or with the data travelling between the nodes in a cluster or between clusters. One important new addition is support for TLS 1.3.
What is TLS?
Let’s start with a bit of history.
When people talk about accessing secure websites such as e-commerce or online banking, you will often hear them refer to SSL encryption as the underlying system that keeps them safe. This is a common mistake. Secure Sockets Layer (SSL) was originally the system used to do this, but it was replaced in 1999 with the introduction of Transport Layer Security (TLS) (RFC 2246) as the method the world uses to secure online communications. Over time this was improved upon with the TLS 1.1 standard (RFC 4346) in 2006, followed by the TLS 1.2 standard (RFC 5246) in 2008. But what about HTTPS, doesn’t that refer to SSL? No, the S in HTTPS refers to secure HTTP.
In the summer of 2018, the final specification for the TLS 1.3 standard was agreed on as RFC 8446 and this is now what we are introducing in Couchbase Server 7.0.
TLS consists of a client and a server. The client will initiate the connection with a handshake, where it will present a list of cipher suites that it knows how to handle. A cipher suite is a set of cryptographic algorithms which usually includes a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm. From this list the server will pick a set of functions that it also knows how to communicate with and then will notify the client on how to proceed.
Why is Couchbase adding TLS 1.3 support?
TLS version 1.2 remains a secure option to this day, but by adopting the newer 1.3 standard we are future-proofing against threats which haven’t yet been discovered. As with any other security technology, algorithms and protocols improve over time, becoming more secure and adding features that make it more difficult to intercept or tamper with communications.
For example, the older TLS 1.2 enables administrators to configure cipher suite preferences so that stronger ciphers are preferred over weaker ones, but most administrators don’t take advantage of this ability and leave the default cipher ordering in place, which makes them unknowingly vulnerable. With the introduction of TLS 1.3, many of these older ciphers aren’t even available as an option, so the default set of available cipher suites is already at a higher standard.
Currently Google Chrome, the world’s most popular web browser, no longer supports connecting to websites secured using the TLS 1.0 or 1.1 protocols. Similar measures have been put in place in Firefox, Safari and Edge. And the PCI DSS security standard, which is mandated for companies handling credit card payments, has required at least TLS 1.1 since July 2018, with strong guidance to use TLS 1.2. Many industries no longer consider TLS 1.0 and 1.1 secure, and this is why Couchbase recommends that customers use TLS 1.2 or higher for all use cases. With the introduction of TLS 1.3 we are one step ahead of the standards.
How do I use TLS 1.3 with Couchbase Server 7.0?
It’s a simple process. We’re going to use the excellent free SSL/TLS test tool from http://testssl.sh to verify which protocols are in use.
You can get the latest copy from their website as a download or via git clone; we’re going to clone their git repository on an Ubuntu 16 machine.
git clone --depth 1 https://github.com/drwetter/testssl.sh.git testssl
cd testssl/
Next we’ll test a default installation of the Couchbase Server 7.0 Beta. For brevity we’ll run the testssl tool with its additional headers and warnings suppressed, and only show the protocol information. We’ll run this tool on one of the Couchbase Server nodes against the Data Service TLS-encrypted port.
./testssl.sh --quiet --warnings off -p localhost:11207

 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered
As you can see, the server and client have negotiated the strongest protocol they both understand (marked "final" in the output), so the connection is established with TLS 1.3 without any configuration changes needed.
What if we wanted to ensure the cluster doesn’t even offer the deprecated older TLS 1.0/1.1 protocols? We can issue a cluster-wide CLI command to require TLS version 1.2 as the minimum.
/opt/couchbase/bin/couchbase-cli setting-security -c localhost:8091 \
  -u Administrator -p password --set --tls-min-version tlsv1.2

SUCCESS: Security settings updated
And then re-test the Data Service port.
./testssl.sh --quiet --warnings off -p localhost:11207

 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered
As you can see, only TLS 1.2 and higher are now offered.
At the time of writing, TLS 1.3 hasn’t been implemented across all of the Couchbase Services in the Couchbase Server 7.0 Beta, so the cluster-wide option of setting a TLS 1.3 minimum isn’t yet available.
What you can do, though, is set the minimum TLS version to 1.3 on the services where it is available, using the REST API. Let’s set the Data Service encrypted port to only allow TLS 1.3.
curl -k https://localhost:18091/settings/security/data/tlsMinVersion \
  -u Administrator:password -X POST -d "tlsv1.3"
And then re-run the test tool.
./testssl.sh --quiet --warnings off -p localhost:11207

 localhost:11207 appears to support TLS 1.3 ONLY. You better use --openssl=

 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    not offered
 TLS 1.3    offered (OK): final
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered
As you can see, TLS 1.3 is now the only option offered.
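The protocol check that testssl.sh performs in the runs above can be scripted as a recurring verification of the minimum-version setting, so a misconfigured node that starts offering TLS 1.0/1.1 again is caught. This is an added example, not Couchbase or testssl.sh code; it assumes Python 3.7 or later (for ssl.TLSVersion) and targets the same Data Service port, localhost:11207, used above.

```python
"""Probe which TLS versions a server offers and check them against a minimum-version policy.
Added example, not Couchbase or testssl.sh code; it needs Python 3.7+ (ssl.TLSVersion)."""
import socket
import ssl

# Oldest first, so the highest-ranked offered version is what a modern client negotiates.
VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]
RANK = {name: i for i, (name, _) in enumerate(VERSIONS)}

def offers_version(host, port, version, timeout=3.0):
    """True if the server completes a handshake when the client is pinned to one version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # we test protocol support, not certificate trust
    ctx.verify_mode = ssl.CERT_NONE  # (Couchbase nodes commonly use self-signed certs)
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        try:
            # Let the client offer legacy ciphers so TLS 1.0/1.1 probes are meaningful on OpenSSL 3.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False  # handshake refused, or this client build cannot speak the version

def probe(host, port):
    """Map each TLS version name to whether the server offered it."""
    return {name: offers_version(host, port, ver) for name, ver in VERSIONS}

def check_policy(offered, minimum="TLS 1.2"):
    """Return (violations, negotiated): offered versions below the minimum, plus the strongest one."""
    violations = [n for n, ok in offered.items() if ok and RANK[n] < RANK[minimum]]
    enabled = [n for n, ok in offered.items() if ok]
    return violations, (max(enabled, key=RANK.get) if enabled else None)

if __name__ == "__main__":
    results = probe("localhost", 11207)  # the Data Service TLS port used above
    for name in RANK:
        print(f"{name:8} {'offered' if results[name] else 'not offered'}")
    bad, best = check_policy(results, "TLS 1.2")
    print("negotiated:", best, "| offered below policy minimum:", bad or "none")
```

Run it before and after the couchbase-cli or REST change; a non-empty violation list means the node still offers a version below the configured minimum.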
Give the Couchbase Server 7.0 Beta a try today and use some of our new security features!
Availability and Duration of Beta
Get the Beta of Community Edition and Enterprise Edition
Couchbase 7 Beta is available for both Enterprise and Community Editions. Everyone can download the software from https://staging.couchbase.com/downloads
Customer support is available via your regular support channels, while Community support is available through the Couchbase forums at https://staging.couchbase.com/forums/