- Yugabyte Platform - 2.4 and higher
I need to understand how to use the cipher_list g-flag.
The added security feature was introduced in 2.4.5, 2.6, and 22.214.171.124.
This feature is based on the OpenSSL library and allows Yugabyte users to specify cipher lists using FLAGS_cipher_list for TLS 1.2 and below. Additionally cipher suites can be specified using FLAGS_ciphersuites for TLS 1.3.
- Log into the Yugaware Platform UI
- For users with TLS 1.2, modify the g-flags for both t-servers and masters to reflect an inclusive or exclusive set of ciphers you desired to be used/omitted.
Important: These flags do NOT requires a restart or rolling restart. Doing so will result in loss of connectivity between nodes in the cluster.
- This particular flag would allow all default ciphers for TLS 1.2 to be accepted, except those matching the category of ciphers omitted. Omission is defined by use of the ! character.
For those using TLS 1.3, cipher_list should be converted to ciphersuite.
- This would allow all TLS 1.3 ciphersuites by default, and omit all CHACHA20 ciphers.
You can investigate man openssl-ciphers for additional options, and methods of use.