Environment
- Yugabyte Platform - 2.4 and higher
Issue
I need to understand how to use the cipher_list g-flags
The tserver cipher_list gflag is documented here:
https://docs.yugabyte.com/preview/reference/configuration/yb-tserver/#cipher-list
The master cipher_list gflag is documented here:
https://docs.yugabyte.com/preview/reference/configuration/yb-master/#cipher-list
Resolution
Overview
This security feature was introduced in releases 2.4.5, 2.6, and 2.7.1.1.
The feature is built on the OpenSSL library. It lets Yugabyte users specify the cipher list for TLS 1.2 and below with FLAGS_cipher_list, and the TLS 1.3 cipher suites separately with FLAGS_ciphersuites. The cipher-string syntax is OpenSSL's own:
https://www.openssl.org/docs/manmaster/man1/openssl.html
Steps
- Log into the Yugaware Platform UI
- For TLS 1.2, set the cipher_list g-flag on both the tservers and the masters, either listing the ciphers you want allowed or listing the ciphers you want excluded.
Important: these flags take effect only after a restart or rolling restart.
Example:
cipher_list DEFAULTS:!DES:!IDEA:!3DES:!RC2
- This value accepts every cipher in the TLS 1.2 default set except those in the excluded categories. A leading ! excludes a cipher or a whole category of ciphers.
For TLS 1.3, use the ciphersuites g-flag instead of cipher_list.
Example:
ciphersuites DEFAULTS:!CHACHA20
- This allows all of the default TLS 1.3 cipher suites and omits the CHACHA20 suites.
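Because the flag value is handed to OpenSSL unchanged, a typo or an over-broad exclusion is only discovered when the restarted tserver or master refuses to select any cipher. The following example, added here and not part of Yugabyte's own code or documentation, previews what a cipher_list value selects using Python's ssl module (which wraps the same OpenSSL cipher-string parser), shows which ciphers an exclusion list removes relative to the baseline, and demonstrates that the TLS 1.3 suites are untouched by cipher_list. It uses OpenSSL's documented baseline keyword DEFAULT; the BASELINE and HARDENED strings and all function names are constructed for this example. Python has no API for the TLS 1.3 suite list, so the ciphersuites flag itself is not exercised.

```python
import ssl
from typing import List

# Constructed sample values for this example. HARDENED uses the same
# exclusion syntax as the page's TLS 1.2 g-flag value.
BASELINE = "DEFAULT"
HARDENED = "DEFAULT:!DES:!IDEA:!3DES:!RC2"


def tls12_ciphers(cipher_list: str) -> List[str]:
    """Return the TLS 1.2-and-below cipher names that OpenSSL selects for
    the given cipher_list string, in preference order.

    Raises ValueError when OpenSSL rejects the string (unknown alias or a
    list that excludes everything), which is the same condition a server
    started with that flag value would hit.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError as exc:
        raise ValueError(f"OpenSSL rejected cipher_list {cipher_list!r}: {exc}") from exc
    # get_ciphers() also lists the TLS 1.3 suites, which cipher_list cannot
    # change; keep only the pre-1.3 ciphers that the flag actually governs.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def tls13_suites(cipher_list: str) -> List[str]:
    """Return the TLS 1.3 suites in the context. These are selected by the
    separate ciphersuites flag, so cipher_list leaves them unchanged."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


def removed_by(baseline: str, hardened: str) -> List[str]:
    """Cipher names selected by `baseline` but dropped by `hardened`:
    a review of what an exclusion list actually takes away before rollout."""
    kept = set(tls12_ciphers(hardened))
    return [name for name in tls12_ciphers(baseline) if name not in kept]


def excludes_weak(names: List[str]) -> bool:
    """True when no selected cipher name refers to DES, 3DES, IDEA or RC2."""
    weak = ("DES", "IDEA", "RC2")
    return not any(w in name for name in names for w in weak)


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("TLS 1.2 ciphers selected by", HARDENED)
    for name in tls12_ciphers(HARDENED):
        print("  ", name)
    print("Removed relative to DEFAULT:", removed_by(BASELINE, HARDENED) or "nothing")
    print("TLS 1.3 suites (unaffected by cipher_list):", tls13_suites(HARDENED))
    try:
        tls12_ciphers("NO-SUCH-CIPHER")
    except ValueError as err:
        print("Rejected as expected:", err)
```

Run the script on a host with the same OpenSSL version as the database nodes so the preview matches what the tserver and master will load; `openssl ciphers -v 'DEFAULT:!DES:!IDEA:!3DES:!RC2'` gives the equivalent view from the command line. For TLS 1.3, the OpenSSL function behind the ciphersuites flag, SSL_CTX_set_ciphersuites(), documents its argument as a colon-separated list of explicit suite names in preference order (for example TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256), so if a negated value does not produce the expected suites, listing the wanted suites explicitly is the form that documentation describes.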
Additional Information
See man openssl-ciphers for the full cipher-string syntax and further options.