
Windows TLS 1.3

Open jlami opened this issue 3 years ago • 7 comments

Description

When I set up a replication to or from our server on my localhost, it fails with the following message in the logs:

TLS client: In state hello received SERVER ALERT: Fatal - Protocol Version
couch_replicator_httpc: auth plugin initialization failed "<domain>/<db>/" {session_request_failed,"<domain>/_session","<login>",{conn_failed,{error,{tls_alert,"protocol version"}}}}
throw:{replication_auth_error,{session_request_failed,"<domain>/_session","<login>",{conn_failed,{error,{tls_alert,"protocol version"}}}}}: Replication a1bdd0826e477495f682c9016b72a3ac+continuous failed to start "<domain>/<db>/" -> "http://localhost:5984/<db>/" doc <<"shards/c0000000-dfffffff/_replicator.1534774612">>:<<"ca70b757bcaeb8d72c9763af3e00073a">> stack:[{couch_replicator_httpc,setup,1,[{file,"src/couch_replicator_httpc.erl"},{line,59}]},{couch_replicator_api_wrap,db_open,3,[{file,"src/couch_replicator_api_wrap.erl"},{line,74}]}]

Steps to Reproduce

We have set up our server with the following configuration: https://ssl-config.mozilla.org/#server=haproxy&version=2.0&config=modern&openssl=1.1.1f&guideline=5.6

I can test if it works if I move from 'Modern' to 'Intermediate', but I was hoping to keep our server on Modern.

Your Environment

  • CouchDB version used: 3.1.1
  • Browser name and version: N/A
  • Operating system and version: Windows 10 2004

jlami, May 25 '21 09:05

This requires updating the version of Erlang we use in CouchDB to a newer version, as the Erlang ssl client did not gain TLS v1.3 until Erlang 22.1.

This will not happen sooner than CouchDB 3.3 or 4.0. Sorry about that.

wohali, May 25 '21 16:05

That's too bad, but thanks for the feedback!

jlami, May 26 '21 08:05

Can confirm with fresh Let's Encrypt certs that I receive the same error.

The workaround is to specify the following in your CouchDB config (like local.ini):

[ssl]
tls_versions = ['tlsv1.2']

MrOats, Oct 25 '21 20:10

Another workaround for now would be to use a reverse proxy to terminate the SSL/TLS connection, sitting between your client and the database.

wohali, Oct 25 '21 20:10
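The failure described in this thread is a plain version-negotiation mismatch: a front end built from the Mozilla "Modern" profile offers TLS 1.3 only, while the Erlang ssl client shipped with CouchDB 3.1.1 tops out at TLS 1.2, so the server answers the ClientHello with a protocol_version alert and the replicator logs {tls_alert,"protocol version"}. The program below is an added example, not code from CouchDB, Erlang or HAProxy; it uses Go's crypto/tls as a stand-in for the Erlang ssl application and reproduces the three situations the comments above describe (Modern proxy with the old client, Intermediate proxy with the old client, Modern proxy with an upgraded client) over an in-memory pipe with a throwaway self-signed certificate. The mapping of "Modern" to a TLS 1.3 floor and "Intermediate" to a TLS 1.2 floor follows the Mozilla generator; labelling the TLS 1.2-only client "Erlang before 22.1" is taken from the comment above and is an assumption about that client, not something this code can verify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Floor versions of the two Mozilla profiles named in the thread (guideline 5.x):
// "Modern" is TLS 1.3 only, "Intermediate" also accepts TLS 1.2. (Assumed mapping.)
const (
	ModernMin       = tls.VersionTLS13
	IntermediateMin = tls.VersionTLS12
)

// selfSignedCert builds a throwaway ECDSA P-256 certificate for "localhost" and a
// pool that trusts it, so the handshake below needs no external files or network.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// Negotiate runs one handshake between a server whose floor is serverMin (the
// proxy profile) and a client whose ceiling is clientMax (the replicator's ssl
// client). It returns the negotiated version, or 0 and the client-side error
// when the server rejects the ClientHello.
func Negotiate(serverMin, clientMax uint16) (uint16, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	srvRaw, cliRaw := net.Pipe()
	defer srvRaw.Close()
	defer cliRaw.Close()
	// A bounded wait turns any unexpected stall into an error instead of a hang.
	deadline := time.Now().Add(5 * time.Second)
	srvRaw.SetDeadline(deadline)
	cliRaw.SetDeadline(deadline)

	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             serverMin,
		SessionTicketsDisabled: true, // keeps the unbuffered pipe strictly half-duplex
	}
	cliCfg := &tls.Config{
		RootCAs:    pool,
		ServerName: "localhost",
		MinVersion: tls.VersionTLS12,
		MaxVersion: clientMax,
	}
	srvDone := make(chan error, 1)
	go func() { srvDone <- tls.Server(srvRaw, srvCfg).Handshake() }()
	cli := tls.Client(cliRaw, cliCfg)
	cliErr := cli.Handshake()
	<-srvDone // both sides have finished before the deferred closes tear the pipe down
	if cliErr != nil {
		return 0, cliErr
	}
	return cli.ConnectionState().Version, nil
}

func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS12:
		return "TLSv1.2"
	case tls.VersionTLS13:
		return "TLSv1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

func main() {
	cases := []struct {
		name           string
		srvMin, cliMax uint16
	}{
		{"Modern proxy, TLS 1.2-only client (Erlang before 22.1)", ModernMin, tls.VersionTLS12},
		{"Intermediate proxy, TLS 1.2-only client", IntermediateMin, tls.VersionTLS12},
		{"Modern proxy, TLS 1.3-capable client (Erlang 22.1+)", ModernMin, tls.VersionTLS13},
	}
	for _, tc := range cases {
		if v, err := Negotiate(tc.srvMin, tc.cliMax); err != nil {
			fmt.Printf("%-58s -> FAIL: %v\n", tc.name, err)
		} else {
			fmt.Printf("%-58s -> OK, negotiated %s\n", tc.name, versionName(v))
		}
	}
}
```

Run it with go run: the first case fails on the client side with a remote protocol_version alert, the second negotiates TLS 1.2 (the "move to Intermediate" workaround), and the third negotiates TLS 1.3 (the "newer Erlang" fix). Note that both workarounds widen the proxy, not the client: the Intermediate profile keeps TLS 1.2 enabled for every peer, so the reverse-proxy termination wohali suggests only helps if that proxy itself still accepts TLS 1.2 from the replicator.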

@MrOats does that config work now? I filed an issue a while back where I couldn't get the couchdb server to start when trying to set that config option. It was on couchdb 3.1.1 at that time and I tried multiple erlang versions

https://github.com/apache/couchdb/issues/3324

bdoyle0182, Mar 16 '22 21:03

Are we sure it isn't using TLSv1.3?

echo | openssl s_client -tls1_3 -connect localhost:6984 
    ...
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    ...


curl -k https://localhost:6984/_all_dbs -v -u admin:password
    ...
    SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    ...
    Server: CouchDB/3.2.1 (Erlang OTP/23)
    ...

Actually... this is the unix version.

snackerphi, Apr 06 '22 06:04

Hi, is this still a problem with the current release version (3.2.2)?

big-r81, Jun 27 '22 11:06

Closing this, we're >= Erlang 23 right now. Please reopen if it's not working with the actual Windows version of CouchDB.

big-r81, Oct 25 '22 07:10