TLS/SSL 1.2 hints and tips - Noteworthy at Compose

This is your weekly summary of Compose news, covering the changes and updates that can make your life easier. In this edition, with weeks to go before the TLS 1.0/1.1 shutdown, we show some particular fixes you may want to ensure you have in place. We've also got a round-up of last week's Compose Articles.

A TLS Refresh

As we've previously mentioned, on March 1st we'll be switching Compose and Compose services to use TLS 1.2 only. TLS is the later version of the encrypted-connection protocol that began life as SSL. TLS 1.2 is the most recent version, introduced a decade ago. Many applications and tools use the terms TLS and SSL interchangeably in their documentation and flags.

The current exceptions to the TLS 1.2-only date are PostgreSQL and the Compose for MySQL beta; for those we are deferring TLS 1.2-only until a future update.

TL;DR

Applications should be able to handle the TLSv1.2-only setting with ease when it arrives on 1st March. There are ways you can confirm you are using TLSv1.2. Beware of hard-coding TLS settings.

Handshaking

When an encrypted connection is being set up, the first thing negotiated is which version of the protocol the two ends will use for the handshake. The highest version available is selected and tried between the client and server.

If that doesn't work, they step down through the handshake versions until they find one both can agree on. This logic means that most applications will simply agree on TLSv1.2, as it will be the first handshake version they both accept.

When TLSv1.3 becomes widespread, this negotiation logic means that as soon as both client and server support TLSv1.3, they'll start using it.

Why do we mention this? Well, it's important to realize that hard-coding TLSv1.2 on a TLS/SSL connection means that code will need to be revisited for TLSv1.3. Ideally, you should run with your system defaults and let the handshake negotiation and fallback just happen. But things are rarely ideal, and there is code where this kind of thing gets hard-wired.

So, what we'll discuss here are some situations where we often find TLS versions hard-wired, and ways to find out what was actually negotiated.

Java

Many Java drivers for different databases rely on being passed an SSLContext object to configure their TLS/SSL connection. Where your code obtains an SSLContext, ensure it asks for TLSv1.2, like so:

import javax.net.ssl.SSLContext;
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");

That'll ensure you get a TLSv1.2 connection. getInstance() insists on being given a specific protocol string; there's no "highest version available" setting.

Node.js

With Node.js, most TLS/SSL-enabled drivers tend to use the system's TLS streams. You may want to confirm you are using TLSv1.2, so as a practical example let's look at connecting with the Node-Redis driver.

const redis = require('redis');
const client = redis.createClient(connectionString, {
    tls: { servername: new URL(connectionString).hostname }
});
// getProtocol() only knows the negotiated version once the handshake has completed
client.on('ready', () => console.log(client.stream.getProtocol()));

The Node-Redis driver has a stream field, which is the socket connection to the server. Calling getProtocol() on that returns the negotiated TLS version. Here, we print it out for a quick check.

Scylla and Python

Python's TLS/SSL stack is somewhat idiosyncratic. For example, as we've documented, you need to pass ssl_version as an option when setting up a Scylla connection. The fix is simple: set your TLS version explicitly to 1.2.

import ssl

ssl_options = {
    'ca_certs': '/path/to/lechain.crt',    # CA chain used to verify the server
    'ssl_version': ssl.PROTOCOL_TLSv1_2    # pin the handshake to TLS 1.2
}
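To tie this fix back to the caveat in the Handshaking section, here is an added Python example (not from the original post, nor from the Scylla driver's documentation): the pinned PROTOCOL_TLSv1_2 context beside a "system defaults with a floor" context that accepts TLS 1.2 and anything newer, plus a helper that reports what a connection actually negotiated. The CA bundle path and the host/port command-line arguments are assumptions.

```python
import socket
import ssl

# Assumed placeholder; the post uses '/path/to/lechain.crt'. None loads the system store.
CA_BUNDLE = None


def pinned_tls12_context():
    """The post's approach: hard-wire TLS 1.2. This works today, but the context
    will never negotiate TLS 1.3, so the code has to be revisited when that arrives."""
    return ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)


def tls12_floor_context(cafile=CA_BUNDLE):
    """System defaults with a floor: refuse TLS 1.0/1.1, but let the handshake pick
    the highest version both ends support (1.2 now, 1.3 once both sides have it)."""
    ctx = ssl.create_default_context(cafile=cafile)  # verification + hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


# Version strings as returned by SSLSocket.version(), ordered oldest to newest.
_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def is_tls12_or_newer(version):
    """True when a negotiated version string (e.g. from a log line) is TLS 1.2 or later."""
    if version not in _ORDER:
        raise ValueError("unrecognised protocol version: %r" % (version,))
    return _ORDER.index(version) >= _ORDER.index("TLSv1.2")


def negotiated_version(host, port, ctx=None):
    """Open a connection and report the protocol version and cipher the handshake chose."""
    ctx = ctx or tls12_floor_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])  # assumed usage: script.py host port
    version, cipher = negotiated_version(host, port)
    print(host, port, version, cipher, "OK" if is_tls12_or_newer(version) else "TOO OLD")
```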

Compose Articles

In the past week of Compose Articles, we've looked at PHP and Janusgraph, an easy way to get PostgreSQL performance stats and the latest news on database updates being released into the wild:

That's it for this week's Noteworthy at Compose. Onwards to next week!


Read more articles about Compose databases - use our Curated Collections Guide for articles on each database type. If you have any feedback about this or any other Compose article, drop the Compose Articles team a line at articles@compose.com. We're happy to hear from you.

Dj Walker-Morgan
Dj Walker-Morgan is Compose's resident Content Curator, and has been both a developer and writer since Apples came in II flavors and Commodores had Pets. Love this article? Head over to Dj Walker-Morgan’s author page to keep reading.
