Prior to the release of NuoDB 4.0, NuoDB used Secure Remote Password (SRP), as defined in RFC 2945, for authentication and key exchange for all network protocols, including those between Storage Managers (SMs) and Transaction Engines (TEs), between clients and TEs, between (nuoagent) admin services and SMs and TEs, and between (nuoagent) admin services themselves. When authentication is successful, further communication is encrypted using a cipher; this cipher is negotiated automatically when the network connection is created.
Note: When using NuoDB Admin for database and domain management, the default network encryption is TLS. NuoDB Admin services (nuoadmin) do not use SRP. By default, admin-to-admin communications are encrypted using TLS. Furthermore, admin-to-engine (either an SM or a TE) and engine-to-engine connections are secured using TLS 1.2.
Negotiation of protocols and ciphers occurs individually for each network connection created. Therefore, some clients may be communicating with one protocol while others may be using another. The same is true for individual SMs or TEs. Since every SM and every TE requires a network connection to every other SM and TE, it's not possible for a new SM or a new TE to join the database unless it has at least one network protocol in common with every SM and TE already present in the database.
Although NuoDB 4.0 supports both SRP and TLS, all NuoDB engines (SMs and TEs) prefer TLS if it is available. If the TLS connection fails, the engine falls back to SRP. To turn off SRP fallback, set the cipher-suites database option to TLS. For more information on using cipher-suites, see Database Options.
NuoDB engines (SMs and TEs) use OpenSSL v1.1.1b. For the list of supported cipher suites, see the OpenSSL documentation.
Cipher suites available to NuoDB Admin processes are determined by the Java environment that is being used. NuoDB only supports TLS 1.2 or above.
NuoDB 4.0 does not support cipher suite selection; all OpenSSL cipher suites are available.
TLS is supported by NuoDB's C, C++, JDBC, and Python drivers.
For information on enabling TLS in NuoDB's C and C++ driver, see Enabling TLS in the C++ Driver.
For information on enabling TLS in NuoDB's JDBC driver, see Enabling TLS in the JDBC Driver.
For information on enabling TLS in NuoDB's Python driver, see https://github.com/nuodb/nuodb-python.
NuoDB SRP supports the following ciphers:

| Cipher | Description |
|---|---|
| AES-256-CTR | AES-256 cipher in CTR mode. This is a strong cipher using a 256-bit key. |
| RC4 | This cipher is not considered secure. Where possible, this cipher should not be used. |
| None | No encryption is used at all. This should only be used if the entire network is protected through other means. |
Note: Cipher names are case-sensitive and must be used exactly as seen in the table above.
Note: The default list of ciphers is AES-256-CTR,RC4. The database does not allow the None cipher by default; it must be explicitly added to the list before it can be used. The RC4 cipher is not considered secure; it is provided for backwards compatibility because older releases of NuoDB supported only this cipher. If you do not need backwards compatibility, you can override the default list of ciphers to remove the
NuoDB supports the following database options for overriding the default list of ciphers:
enabled-ciphers - a comma-separated list of ciphers that the database accepts from clients (both SQL clients and admin clients).
peer-ciphers - a comma-separated list of ciphers that the database accepts from other SMs and TEs, and from admin services.
Note: The comma-separated lists of ciphers referred to here are ordered by most preferable to least preferable. The most preferable cipher to the server that is also supported by the client is the cipher chosen.
For more information on using these options, see Database Options.
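The two rules stated above (server-preference ordering of the comma-separated lists, and the requirement that a joining engine share a cipher with every engine already present) can be modelled directly. The following is an added illustration written for this page, not NuoDB code; the function names and the sample lists are assumptions, while the cipher names and the default list come from the text.

```python
"""Model of the SRP cipher negotiation rules described on this page (added example,
not NuoDB code). Names are case-sensitive and matched exactly; the server's list is
ordered most-preferred first; the first server-preferred cipher the client also
offers wins. A new engine can only join if it negotiates successfully against every
existing engine."""

# Default list quoted on the page. The "None" cipher is deliberately absent and
# must be added explicitly by the administrator before it can be negotiated.
DEFAULT_ENABLED_CIPHERS = "AES-256-CTR,RC4"


def parse_cipher_list(value):
    """Split a comma-separated, preference-ordered list. No case folding: the page
    states that cipher names must be used exactly as written."""
    return [c.strip() for c in value.split(",") if c.strip()]


def negotiate(server_list, client_list):
    """Return the first cipher in the server's preference order that the client also
    offers. Returns Python None when there is nothing in common (the connection would
    fail); note that the NuoDB cipher called None is the string "None"."""
    offered = set(parse_cipher_list(client_list))
    for cipher in parse_cipher_list(server_list):
        if cipher in offered:
            return cipher
    return None


def can_join(new_engine_list, existing_peer_lists):
    """Every SM and TE needs a connection to every other one, so the joining engine
    (acting as client) must negotiate a cipher with each existing engine's
    peer-ciphers list (acting as server)."""
    return all(negotiate(peer, new_engine_list) is not None
               for peer in existing_peer_lists)


if __name__ == "__main__":
    # Constructed sample: the server prefers AES-256-CTR even though the client
    # listed RC4 first; a lower-case name never matches.
    print(negotiate(DEFAULT_ENABLED_CIPHERS, "RC4,AES-256-CTR"))   # AES-256-CTR
    print(negotiate(DEFAULT_ENABLED_CIPHERS, "aes-256-ctr"))       # None
    print(can_join("AES-256-CTR", [DEFAULT_ENABLED_CIPHERS, "RC4"]))  # False
```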
The NuoDB clients provided with the NuoDB package (C and C++ drivers) support the same ciphers as the TEs. The latest JDBC driver also supports all ciphers described in Network Encryption. For other NuoDB drivers, see the documentation for that driver (links to the relevant documentation are available in About NuoDB Drivers).
Note: All drivers support at least the
To specify which ciphers the client accepts during negotiation, configure the ciphers connection property to contain a comma-separated list of ciphers. For more information, see Connection Properties (NuoAgent).