Over the wire Data Encryption between CBL and Sync Gateway

Dear couchbase forum,

Is the data transferred over the wire between the CBL and the sync gateway using the WebSocket based protocol encrypted?
If yes, is this encryption configurable?

Best regards,
Faris Ahmed

A good idea for start could be to use wss (instead of ws) and use something like Let’s encrypt on your load balancer node. On the server side you can enable/disable encryption algorithms. So disable old algorithms but make sure that all supported devices will support the algorithms. Older Android versions don’t support all algorithms.

I am using wss, as far as I know the s in wss only affects the first hand schake between client and sync gateway, after the upgrade from http to websocket will the client use the public key of the SSL/TLS to encrypt the data in the binary websocket channel?
or will the client generate a symmetric key and send it to the server using the public key, then both parties start a symmetric encryption?
Where can I enable/disable encryption algorithims in the server? please note that I am only intereset in the encryption between the client and the server.
Any documentation to “old algorithms”?


This is above my pay grade. Still I’d very much expect that all data is encrypted after the handshake. You can check which hashing algorithms are enabled using this website. I guess you will get more insightful answers about ssl hashing algorithms on a different forum. Or maybe someone else can help out!

Communication between Couchbase Lite clients and Sync Gateway is encrypted using SSL/TLS. System uses PKI / asymmetric encryption . You will configure the public and private keys on sync gateway . You can also specify the level of TLS to be supported.

Does this mean that during replication the client uses the public key of the sync gateway to encrypt the data sent to the SG, the SG uses its private key to decrypt the data?
How about the other way around? how does encryption work if SG wants to send data to the CBL? does CBL also have a public and private keys?

Ours is not a custom implementation. We are using standards based TLS protocol. TLS is intended for bi-directional encryption (as a side note, I don’t see the point of a one-way encryption protocol if one exists)
At a high level, this is how TLS works

  • The establishment of key to be used for session encryption is done during handshake.
  • After server cert authentication and initial negotiation of cipher suite (we don’t do client certs), the client side creates a pre-master key that is encrypted with the server public key. The pre-master key is then used on client and server to generate the session/master key which is used to encrypt the remainder of the session.
  • There are different options for the establishment of the symmetric key . The pre-master key option is one. There is Diffie-Hellman as well .

The gist of it is that PKI encryption is used for the initial authentication and negotiation during handshake . Symmetric encryption is used for data transfer using keys that are generated/derived during the handshake process.
If you are interested in the specifics of how TLS works, you may want to refer to the RFC .

That’s not true. TLS (SSL) sits beneath HTTP or WebSockets in the network stack. So TLS encrypts all the traffic over a socket, no matter what protocol it is. After the WebSocket handshake, the protocol does switch from HTTP to WebSockets, but it’s still on the same TCP socket so it’s still encrypted by TLS.


We decided to use ssl in sync gateway component. There are mobile clients which have cblite in their tablet.

I generated my own self-signed certificate and run the local sync gateway with this certificate. I’m able to connect sync gw api (such as _changes) through https in my browser. Then my colleague needed to use this certificated sync gw in his computer to debug. Until now, we were using classical “ws:…” approach. He replaced with “wss:…” But he gets “The remote certificate is invalid according to the validation procedure”. What else should we do here in order to establish connection between cb lite and cb sync gw?


This post is not a part of the original thread, and should be moved to its own thread.