Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2021/05/25 09:58:16 UTC

[GitHub] [couchdb] jlami opened a new issue #3581: Windows TLS 1.3

jlami opened a new issue #3581:
URL: https://github.com/apache/couchdb/issues/3581


   ## Description
   When I set up a replication to or from our server on my localhost, it fails with the following message in the logs:
   ```
   TLS client: In state hello received SERVER ALERT: Fatal - Protocol Version
   couch_replicator_httpc: auth plugin initialization failed "<domain>/<db>/" {session_request_failed,"<domain>/_session","<login>",{conn_failed,{error,{tls_alert,"protocol version"}}}}
   throw:{replication_auth_error,{session_request_failed,"<domain>/_session","<login>",{conn_failed,{error,{tls_alert,"protocol version"}}}}}: Replication a1bdd0826e477495f682c9016b72a3ac+continuous failed to start "<domain>/<db>/" -> "http://localhost:5984/<db>/" doc <<"shards/c0000000-dfffffff/_replicator.1534774612">>:<<"ca70b757bcaeb8d72c9763af3e00073a">> stack:[{couch_replicator_httpc,setup,1,[{file,"src/couch_replicator_httpc.erl"},{line,59}]},{couch_replicator_api_wrap,db_open,3,[{file,"src/couch_replicator_api_wrap.erl"},{line,74}]}]
   ```
   
   ## Steps to Reproduce
   We have set up our server with the following configuration: https://ssl-config.mozilla.org/#server=haproxy&version=2.0&config=modern&openssl=1.1.1f&guideline=5.6
   
   I can test if it works if I move from 'Modern' to 'Intermediate', but I was hoping to keep our server on Modern.
   
   ## Your Environment
   
   * CouchDB version used: 3.1.1
   * Browser name and version: N/A
   * Operating system and version: Windows 10 2004
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [couchdb] MrOats commented on issue #3581: Windows TLS 1.3

Posted by GitBox <gi...@apache.org>.
MrOats commented on issue #3581:
URL: https://github.com/apache/couchdb/issues/3581#issuecomment-951291195


   Can confirm with fresh Let's Encrypt certs that I receive the same error.
   
   Is there a workaround for this for now?





[GitHub] [couchdb] bdoyle0182 commented on issue #3581: Windows TLS 1.3

Posted by GitBox <gi...@apache.org>.
bdoyle0182 commented on issue #3581:
URL: https://github.com/apache/couchdb/issues/3581#issuecomment-1069638499


   @MrOats does that config work now? I filed an issue a while back where I couldn't get the CouchDB server to start when trying to set that config option. It was on CouchDB 3.1.1 at that time, and I tried multiple Erlang versions.
   
   https://github.com/apache/couchdb/issues/3324





[GitHub] [couchdb] wohali commented on issue #3581: Windows TLS 1.3

Posted by GitBox <gi...@apache.org>.
wohali commented on issue #3581:
URL: https://github.com/apache/couchdb/issues/3581#issuecomment-951322692


   The only workaround for now would be to use a reverse proxy to terminate the SSL/TLS connection, sitting between your client and the database.





[GitHub] [couchdb] MrOats commented on issue #3581: Windows TLS 1.3

Posted by GitBox <gi...@apache.org>.
MrOats commented on issue #3581:
URL: https://github.com/apache/couchdb/issues/3581#issuecomment-951324989


   > The only workaround for now would be to use a reverse proxy to terminate the SSL/TLS connection, sitting between your client and the database.
   
   Updated my original comment with a different workaround





[GitHub] [couchdb] wohali commented on issue #3581: Windows TLS 1.3

Posted by GitBox <gi...@apache.org>.
wohali commented on issue #3581:
URL: https://github.com/apache/couchdb/issues/3581#issuecomment-848047173


   This requires updating the version of Erlang we use in CouchDB to a newer version, as the Erlang ssl client did not gain TLS v1.3 until Erlang 22.1.
   
   This will not happen sooner than CouchDB 3.3 or 4.0. Sorry about that.


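
The version negotiation behind the `protocol version` alert in this thread, as an added example (not CouchDB or Erlang code, and not part of any comment above). It builds constructed ClientHello bodies and applies the RFC 8446 server rule; the function names are hypothetical, and the server version sets assume the Mozilla profiles linked in the issue (Modern: TLS 1.3 only; Intermediate: TLS 1.2 and 1.3).

```python
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 43                      # RFC 8446, section 4.2.1
ALERT_FATAL, ALERT_PROTOCOL_VERSION = 2, 70      # alert level and description

def build_client_hello(legacy_version, supported_versions=None):
    """Constructed ClientHello body (no record or handshake header)."""
    exts = b""
    if supported_versions:
        lst = b"".join(struct.pack("!H", v) for v in supported_versions)
        data = bytes([len(lst)]) + lst           # versions<2..254>, 1-byte length
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body = struct.pack("!H", legacy_version) + bytes(32)  # version + random
    body += b"\x00"                              # empty legacy_session_id
    body += struct.pack("!HH", 2, 0xC02F)        # one cipher suite
    body += b"\x01\x00"                          # null compression only
    return body + struct.pack("!H", len(exts)) + exts

def offered_versions(hello):
    """Versions the client offers: the extension if present, else <= legacy_version."""
    legacy = struct.unpack_from("!H", hello, 0)[0]
    pos = 2 + 32
    pos += 1 + hello[pos]                                # skip session id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]   # skip cipher suites
    pos += 1 + hello[pos]                                # skip compression methods
    ext_end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", hello, pos)
        pos += 4
        if etype == EXT_SUPPORTED_VERSIONS:
            n = hello[pos]
            return [struct.unpack_from("!H", hello, pos + 1 + i)[0]
                    for i in range(0, n, 2)]
        pos += elen
    return [v for v in (TLS12, TLS11, TLS10) if v <= legacy]

def server_respond(hello, server_versions):
    """Pick the highest common version, or send a fatal protocol_version alert."""
    common = [v for v in offered_versions(hello) if v in server_versions]
    if not common:
        return ("alert", bytes([ALERT_FATAL, ALERT_PROTOCOL_VERSION]))
    return ("negotiated", max(common))

MODERN, INTERMEDIATE = {TLS13}, {TLS12, TLS13}   # assumed Mozilla profiles
pre_tls13_client = build_client_hello(TLS12)     # no supported_versions extension
tls13_client = build_client_hello(TLS12, [TLS13, TLS12])
```

A client without the `supported_versions` extension can only be answered with TLS 1.2 or lower, so a TLS 1.3-only server has nothing to negotiate and returns the fatal alert seen in the log.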



[GitHub] [couchdb] jlami commented on issue #3581: Windows TLS 1.3

Posted by GitBox <gi...@apache.org>.
jlami commented on issue #3581:
URL: https://github.com/apache/couchdb/issues/3581#issuecomment-848568758


   That's too bad, but thanks for the feedback!





[GitHub] [couchdb] MrOats removed a comment on issue #3581: Windows TLS 1.3

Posted by GitBox <gi...@apache.org>.
MrOats removed a comment on issue #3581:
URL: https://github.com/apache/couchdb/issues/3581#issuecomment-951324989


   > The only workaround for now would be to use a reverse proxy to terminate the SSL/TLS connection, sitting between your client and the database.
   
   Updated my original comment with a different workaround





[GitHub] [couchdb] MrOats edited a comment on issue #3581: Windows TLS 1.3

Posted by GitBox <gi...@apache.org>.
MrOats edited a comment on issue #3581:
URL: https://github.com/apache/couchdb/issues/3581#issuecomment-951291195


   Can confirm with fresh Let's Encrypt certs that I receive the same error.
   
   The workaround is to specify the following in your CouchDB config (like local.ini):
   ```ini
   [ssl]
   tls_versions = ['tlsv1.2']
   ```





[GitHub] [couchdb] wohali edited a comment on issue #3581: Windows TLS 1.3

Posted by GitBox <gi...@apache.org>.
wohali edited a comment on issue #3581:
URL: https://github.com/apache/couchdb/issues/3581#issuecomment-951322692


   Another workaround for now would be to use a reverse proxy to terminate the SSL/TLS connection, sitting between your client and the database.

