For many, “Cryptography” is the little green lock icon next to the web address of their favorite websites, and for others, they might recall the TLS vulnerabilities that have hit in recent years. Data is today’s digital gold, and in the quest to steal critical data, hackers are coming up with clever ways of stealing information. With the ever changing attack landscape in mind, Couchbase Server 6.5 adds a new way to easily configure the server cipher suites. In this blog, we’ll go over the basics of ciphers and explain how you can configure Couchbase to use the latest and greatest ciphers.

Basics of TLS Cipher Suites

A cipher suite is basically a complete set of methods (also known as algorithms) needed to secure a network connection through TLS (Transport Layer Security). Each cipher suite has its own distinct notation as shown below –


Now, let’s break that down-

  • TLS indicates that TLS protocol will be used to establish a secure communication. Remember that a protocol simply defines how the algorithms should be used.
  • ECDHE indicates that the Elliptic-Curve Diffie-Hellman will be leveraged for key exchange. This is how the keys will be exchanged between client and server for encrypting and decrypting data.
  • ECDSA is the algorithm, in this instance the Elliptic-Curve Digital Signature Algorithm, that is used to create a digital signature for authentication.
  • AES_256_CBC indicates that AES encryption with 256-bit key size will be leveraged to encrypt the message, and CBC indicates that the mode will be cipher block chaining.
  • SHA384 indicates that the hashing algorithm used for message verification (MAC) and in this example is SHA2 with a 384-bit key.

The TLS Handshake Protocol is responsible for the Cipher Suite negotiation between the client and server (see ‘Server Hello’), authentication of the server and optionally the client, and the secret key exchange (see green arrows below).

Figure : Client-Server Interaction During TLS Handshake

Setting Cipher Suites in Couchbase 6.5

By default (ie. without explicitly specifying the cipher suites), Couchbase Server picks the strongest common cipher between the client and the server. With Couchbase Server 6.5, you can tell Couchbase which Cipher suites to use.

As shown in the example below, we set the cipher suites in Couchbase to use TLS_RSA_WITH_AES_128_CBC_SHA. This cipher suite is then used across all Couchbase Server services including data, query, index, full-text and analytics.

# ./couchbase-cli setting-security –cipher-suites TLS_RSA_WITH_AES_128_CBC_SHA -c localhost:8091 -u Administrator -p password –set

SUCCESS: Security settings updated

# ./couchbase-cli setting-security -c localhost:8091 -u Administrator -p password –get
{“disableUIOverHttp”: false, “disableUIOverHttps”: false, “cipherSuites”: [“TLS_RSA_WITH_AES_128_CBC_SHA”], “tlsMinVersion”: “tlsv1.2”, “honorCipherOrder”: true}

Verifying Cipher Usage

To verify that the cipher is used, we can connect to any of the SSL ports in Couchbase. In the example below, we are connected to port 11207 (the data port over which Couchbase clients connect to the server).

openssl s_client -connect localhost:11207


Certificate chain

 0 s:/CN=

   i:/CN=Couchbase Server de182d2a

 1 s:/CN=Couchbase Server de182d2a

   i:/CN=Couchbase Server de182d2a

Server certificate





















issuer=/CN=Couchbase Server de182d2a

No client certificate CA names sent

SSL handshake has read 1881 bytes and written 631 bytes

New, TLSv1/SSLv3, Cipher is AES128-SHA

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE


With Cipher suites available in Couchbase Server 6.5, you can continually update your Couchbase instance to use the latest and greatest ciphers to stay safe. We hope you enjoyed this blog, and as always, we look forward to your feedback.  Do take Couchbase Server for a spin and checkout all the new cool features, you can download Couchbase 6.5.



Download Couchbase Server 6.5


Couchbase Server 6.5 Release Notes

Couchbase Server 6.5 What’s New


Blog: Announcing Couchbase Server 6.5 – What’s New and Improved

Blog: Couchbase brings Distributed Multi-document ACID Transactions to NoSQL

All 6.5 Blogs


Posted by Chaitra Ramarao, Sr. Product Manager, Couchbase Inc.

Chaitra Ramarao is a Senior Product Manager at Couchbase, NoSQL database company, leading databases tooling, cross datacenter replication and partner integrations. Her prior gigs include data analytics product management for Kaiser Permanente and software development for Hewlett Packard. She has a Bachelors degree in ECE and a Masters from Carnegie Mellon in Engineering & Technology Innovation Management.

Leave a reply