Skip to content

Add tls-cipher-suites flag for cockroach start #19594

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
May 12, 2025
Merged

Add tls-cipher-suites flag for cockroach start #19594

merged 5 commits into from
May 12, 2025

Conversation

@mikeCRL
Copy link
Contributor

@mikeCRL mikeCRL commented May 9, 2025
edited
Loading

@netlify
Copy link

netlify bot commented May 9, 2025
edited
Loading

Deploy Preview for cockroachdb-interactivetutorials-docs canceled.

Name Link
🔨 Latest commit 04ef09d
🔍 Latest deploy log https://app.netlify.com/sites/cockroachdb-interactivetutorials-docs/deploys/68223c9ab5330400084529aa

@netlify
Copy link

netlify bot commented May 9, 2025
edited
Loading

Deploy Preview for cockroachdb-api-docs canceled.

Name Link
🔨 Latest commit 04ef09d
🔍 Latest deploy log https://app.netlify.com/sites/cockroachdb-api-docs/deploys/68223c9abf486000089dd053

@github-actions
Copy link

github-actions bot commented May 9, 2025

Files changed:

@mikeCRL mikeCRL requested review from biplav-crl and souravcrl May 9, 2025 04:24
@netlify
Copy link

netlify bot commented May 9, 2025
edited
Loading

Netlify Preview

Name Link
🔨 Latest commit 04ef09d
🔍 Latest deploy log https://app.netlify.com/sites/cockroachdb-docs/deploys/68223c9adf9ea300083bbcdf
😎 Deploy Preview https://deploy-preview-19594--cockroachdb-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@rmloveland rmloveland self-requested a review May 9, 2025 17:36
rmloveland
rmloveland approved these changes May 9, 2025
View reviewed changes
Copy link
Contributor

@rmloveland rmloveland left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

src/current/v25.2/cockroach-start.md
`--external-io-disable-implicit-credentials` | This optional flag disables the use of implicit credentials when accessing external cloud storage services for bulk operations (e.g, [`BACKUP`]({% link {{ page.version.version }}/backup.md %})).
`--node-cert-distinguished-name` <a name="flags-node-cert-distinguished-name"></a> | A string with a comma separated list of distinguished name (DN) mappings in `{attribute-type}={attribute-value}` format in accordance with [RFC4514](https://www.rfc-editor.org/rfc/rfc4514) for the [`node` user]({% link {{ page.version.version }}/security-reference/authorization.md %}#node-user). If this flag is set, this needs to be an exact match with the DN subject in the client certificate provided for the `node` user. By exact match, we mean that the order of attributes in the argument to this flag must match the order of attributes in the DN subject in the certificate. For more information, see [Certificate-based authentication using multiple values from the X.509 Subject field]({% link {{ page.version.version }}/certificate-based-authentication-using-the-x509-subject-field.md %}).
`--root-cert-distinguished-name` <a name="flags-root-cert-distinguished-name"></a> | A string with a comma separated list of distinguished name (DN) mappings in `{attribute-type}={attribute-value}` format in accordance with [RFC4514](https://www.rfc-editor.org/rfc/rfc4514) for the [`root` user]({% link {{ page.version.version }}/security-reference/authorization.md %}#root-user). If this flag is set, this needs to be an exact match with the DN subject in the client certificate provided for the `root` user. By exact match, we mean that the order of attributes in the argument to this flag must match the order of attributes in the DN subject in the certificate. For more information, see [Certificate-based authentication using multiple values from the X.509 Subject field]({% link {{ page.version.version }}/certificate-based-authentication-using-the-x509-subject-field.md %}).
`--tls-cipher-suites` <a name="tls-cipher-suites"></a> | A comma-separated list of TLS cipher suites to allow for SQL, RPC, and HTTP connections, limited to those [supported by CockroachDB]({% link {{ page.version.version }}/authentication.md %}#supported-cipher-suites). Connections using disallowed cipher suites will be rejected during the TLS handshake and logged to `cockroach.log`. Look for log messages containing: `presented cipher ... not in allowed cipher suite list`.<br>Example usage: `--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_128_GCM_SHA256`.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this 'new in v25.2' ? if so we could add that little include thingy to the table description cell if you want (non-blocking obv)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rmloveland Thanks! Yes, I'll add that.

@mikeCRL mikeCRL merged commit bb4079e into main May 12, 2025
6 checks passed
@mikeCRL mikeCRL deleted the cockroach-start-tls-ciphers branch May 12, 2025 18:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rmloveland rmloveland rmloveland approved these changes

@souravcrl souravcrl souravcrl approved these changes

@biplav-crl biplav-crl Awaiting requested review from biplav-crl

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mikeCRL @rmloveland @souravcrl