nsthakur7 opened a new issue, #5211: URL: https://github.com/apache/couchdb/issues/5211
[NOTE]: # ( ^^ Provide a general summary of the issue in the title above. ^^ ) ## Description Our vulnerability management tool - Qualys Scan reports a vulnerability > QID-38863 | Weak SSL/TLS Key Exchange. For the remediation, it suggests changing the SSL/TLS server configuration to only allow strong key exchanges. Key exchanges used on the server should provide at least 112 bits of security, so the minimum key size to not flag this QID should be: 2048 bit key size for Diffie Hellman (DH) or RSA key exchanges 224 bit key size for Elliptic Curve Diffie Hellman (EDCH) key exchanges. [NOTE]: # ( Describe the problem you're encountering. ) # Issue The problem is that the CouchDB config file (local.ini) only allows the specification of the cipher suites but does not have a config setting to specify ECC curves. We have specified strong TLS/SSL exchange keys at Windows Server Registry SChannel, but CouchDB doesn't load those ECC curves. Here is the output of "SSLSCAN.exe 127.0.0.1:5984 (The weak TLS/SSL exchange keys are highlighted in RED)  ## Steps to Reproduce The sslscan tool list the cipher and exchange key loaded by couchdb. sslscan.exe --tls12 127.0.0.1:5984 ## Expected Behaviour * Need a config setting in the [SSL] section, which allows to specify the Elliptic curve (ECC) keys to use. We want to specify strong key exchanges like secp224k1, secp224r1, secp256k1, secp256r1. * We cannot upgrade to TLS1.3 due to infrastructure limitations at the moment. * We want to disable the ECC curves highlighted in RED in the attached file  Kindly suggests how we can remediate this security vulnerability. ## Your Environment # UAT environment # https://localhost:5984 * CouchDB version used: 3.2.2 * Browser name and version: Edge and Version 128.0.2739.54 (Official Build) (64-bit) * Operating system and version: Microsoft Windows Server 2016 Datacenter ## Additional Context [TIP]: # ( Add any other context about the problem here. ) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
