picking selective cipher suites

All,

We have a requirement to secure all our internal services and as part of that our audit team mandated us to use a predefined set of cipher suites to secure the service endpoints. The cipher suites that we are allowed to use are:

TLS 1.2:

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS 1.3:

TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256

Is there any way to instruct the CockroachDB process to use the mentioned ciphers only?

Thanks

Hello @sdevs!

I’m hoping that you have our dedicated offering to enable these parameters as doing it within the serverless offering is not possible. To get you started, I recommend checking out the following docs:

Encryption | CockroachDB Docs focuses on TLS 1.2 configuration per node
Authentication | CockroachDB Docs focuses on TLS 1.3 as well as TLS 1.2

Ultimately, you’re going to want to create a security certificate by following cockroach cert | CockroachDB Docs - and if you have any further questions, I strongly recommend opening a ticket with support to address your specific requirements.
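Added example, not CockroachDB's own code: CockroachDB is a Go program whose TLS stack is Go's crypto/tls, and this stand-alone Go snippet shows what that library can enforce for the audit list above: a server config restricted to the six TLS 1.2 suites (crypto/tls does not let you configure TLS 1.3 suites, but its fixed TLS 1.3 set is exactly the three listed), plus a loopback handshake that checks which suite a client actually negotiates. ServerConfig and NegotiatedSuite are names chosen here, and the self-signed certificate is constructed test data.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// AuditSuites is the TLS 1.2 allowlist from the question. Go's crypto/tls cannot restrict
// TLS 1.3 suites, but its fixed TLS 1.3 set is exactly the three the audit list permits.
var AuditSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}

// ServerConfig is the hardened server side: TLS 1.2+ and the audit suites only, with a throwaway self-signed ECDSA cert (constructed test data).
func ServerConfig() *tls.Config {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12, CipherSuites: AuditSuites}
}

// NegotiatedSuite handshakes once against a loopback ServerConfig server and returns the suite the client got, or the error if the server refused the client's offer.
func NegotiatedSuite(version uint16, clientSuites []uint16) (uint16, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", ServerConfig())
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() { // server side: a handshake failure reaches the client as a TLS alert
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	// InsecureSkipVerify only because the loopback server presents a self-signed test certificate.
	cli := &tls.Config{InsecureSkipVerify: true, MinVersion: version, MaxVersion: version, CipherSuites: clientSuites}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().CipherSuite, nil
}
```

Whether CockroachDB exposes a knob for this is a question for the docs and support ticket mentioned in the reply; the snippet only shows what the underlying library can and cannot enforce, which is the limit any such knob would inherit.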