Network Encryption

Prior to the release of NuoDB 4.0, NuoDB used Secure Remote Password (SRP), as defined in RFC 2945, for authentication and key exchange on all network protocols, including those between Storage Managers (SMs) and Transaction Engines (TEs), between clients and TEs, between (nuoagent) admin services and SMs and TEs, and between (nuoagent) admin services themselves. When authentication succeeds, further communication is encrypted using a cipher; this cipher is negotiated automatically when the network connection is created.

Note: When using NuoDB Admin (nuoadmin) for database and domain management, the default network encryption is TLS. NuoDB Admin services (nuoadmin) do not use SRP. By default, admin-to-admin communications are encrypted using TLS. Furthermore, the admin-to-engine (either an SM or a TE) and engine-to-engine connections are secured using TLS 1.2.

Negotiation of protocols and ciphers occurs individually for each network connection created. Therefore, some clients may be communicating with one protocol while others use another. The same is true for individual SMs or TEs. Since every SM and every TE requires a network connection to every other SM and TE, a new SM or TE cannot join the database unless it has at least one network protocol in common with every SM and TE already present in the database.

Selecting TLS or SRP

Although NuoDB 4.0 supports both SRP and TLS, all NuoDB engines (SMs and TEs) prefer TLS if it is available. If the TLS connection fails, the engine falls back to SRP. To turn off SRP fallback, set the cipher-suites database option to TLS. For more information on using cipher-suites, see Database Options.

Supported Cipher Suites

NuoDB engines (SMs and TEs) use OpenSSL v1.1.1b. For the list of supported cipher suites, see OpenSSL documentation.

Cipher suites available to NuoDB Admin processes are determined by the Java environment that is being used. NuoDB only supports TLS 1.2 or above.

Specifying Available Database Cipher Suites

NuoDB 4.0 does not support cipher suite selection. All OpenSSL cipher suites are available.

Using TLS in NuoDB Drivers

TLS is supported by NuoDB's C, C++, JDBC, and Python drivers.

For information on enabling TLS in NuoDB's C and C++ driver, see Enabling TLS in the C++ Driver.

For information on enabling TLS in NuoDB's JDBC driver, see Enabling TLS in the JDBC Driver.

For information on enabling TLS in NuoDB's Python driver, see https://github.com/nuodb/nuodb-python.

Supported Ciphers

NuoDB SRP supports the following ciphers:

Name         Description
AES-256-CTR  AES-256 cipher in CTR mode. This is a strong cipher using a 256-bit key.
RC4          This cipher is not considered secure. Where possible, this cipher should not be used.
None         No encryption is used at all. This should only be used if the entire network is protected through other means.

Note: Cipher names are case-sensitive and must be used exactly as seen in the table above.

Note: The default list of ciphers is AES-256-CTR,RC4. The database does not allow the None cipher by default: it must be explicitly added to the list before it can be used.

Although the RC4 cipher is not considered secure, it is provided for backwards compatibility as older releases of NuoDB supported only this cipher. If you do not need backwards compatibility, you can override the default list of ciphers to remove the RC4 cipher.

Specifying Available Database Ciphers

NuoDB supports the following database options for overriding the default list of ciphers:

Note: The comma-separated lists of ciphers referred to here are ordered by most preferable to least preferable. The most preferable cipher to the server that is also supported by the client is the cipher chosen.

For more information on using these options, see Database Options.

Specifying Available Client Ciphers

The NuoDB clients provided with the NuoDB package (C and C++ drivers) support the same ciphers as the TEs. The latest JDBC driver also supports all ciphers described in Network Encryption. For other NuoDB drivers, see the documentation for that driver (links to the relevant documentation are available in About NuoDB Drivers).

Note: All drivers support at least the RC4 cipher.

To specify which ciphers the client accepts during negotiation, configure the ciphers connection property to contain a comma-separated list of ciphers. For more information, see Connection Properties (NuoAgent).
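The negotiation rule stated above (server preference order decides, the client list only filters, None must be explicitly enabled, names are case-sensitive) can be modelled in a few lines. The following is an added example written for this page, not NuoDB's own code or API; the cipher names are taken from the table above, and the functions and the findings they return are assumptions for illustration.

```python
# Added example, not NuoDB's own code: a model of the SRP cipher negotiation
# the documentation describes, plus a small audit of a server-side list.
# Cipher names come from the table above and are compared case-sensitively.

DEFAULT_SERVER_CIPHERS = "AES-256-CTR,RC4"        # documented default list
KNOWN_CIPHERS = ("AES-256-CTR", "RC4", "None")    # names from the table


def parse_cipher_list(value):
    """Split a comma-separated cipher list, keeping order and exact case.

    A name not in the table (including a wrong-case spelling such as 'rc4')
    raises instead of being silently dropped, which is the safer failure.
    """
    names = [n.strip() for n in value.split(",") if n.strip()]
    unknown = [n for n in names if n not in KNOWN_CIPHERS]
    if unknown:
        raise ValueError("unknown cipher name(s): " + ", ".join(unknown))
    return names


def negotiate_cipher(client_list, server_list=DEFAULT_SERVER_CIPHERS):
    """Return the server's most-preferred cipher that the client also offers.

    The server's order decides; the client list only filters. With no cipher
    in common the connection cannot be established, so raise.
    """
    offered = set(parse_cipher_list(client_list))
    for name in parse_cipher_list(server_list):
        if name in offered:
            return name
    raise ValueError("no cipher in common between client and server")


def audit_server_ciphers(server_list):
    """Flag weak settings in a server cipher list (returns a list of findings)."""
    names = parse_cipher_list(server_list)
    findings = []
    if "None" in names:
        findings.append("None enabled: unencrypted connections are permitted")
    if "RC4" in names:
        findings.append("RC4 enabled: not considered secure, keep only for old clients")
    if names and names[0] != "AES-256-CTR":
        findings.append("AES-256-CTR is not the first preference")
    return findings


if __name__ == "__main__":
    print(negotiate_cipher("RC4"))               # legacy client -> RC4
    print(negotiate_cipher("RC4,AES-256-CTR"))   # server order wins -> AES-256-CTR
    print(audit_server_ciphers(DEFAULT_SERVER_CIPHERS))
```

Running the audit against the documented default list reports only the RC4 finding; dropping RC4 from the server list, as the text suggests when backwards compatibility is not needed, clears it.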