Add tls-cipher-suites flag for cockroach start
#19594
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for cockroachdb-interactivetutorials-docs canceled.
|
✅ Deploy Preview for cockroachdb-api-docs canceled.
|
✅ Netlify Preview
To edit notification comments on pull requests, go to your Netlify site configuration. |
rmloveland
approved these changes
May 9, 2025
| @@ -108,6 +108,7 @@ Flag | Description | |||
| `--external-io-disable-implicit-credentials` | This optional flag disables the use of implicit credentials when accessing external cloud storage services for bulk operations (e.g, [`BACKUP`]({% link {{ page.version.version }}/backup.md %})). | |||
| `--node-cert-distinguished-name` <a name="flags-node-cert-distinguished-name"></a> | A string with a comma separated list of distinguished name (DN) mappings in `{attribute-type}={attribute-value}` format in accordance with [RFC4514](https://www.rfc-editor.org/rfc/rfc4514) for the [`node` user]({% link {{ page.version.version }}/security-reference/authorization.md %}#node-user). If this flag is set, this needs to be an exact match with the DN subject in the client certificate provided for the `node` user. By exact match, we mean that the order of attributes in the argument to this flag must match the order of attributes in the DN subject in the certificate. For more information, see [Certificate-based authentication using multiple values from the X.509 Subject field]({% link {{ page.version.version }}/certificate-based-authentication-using-the-x509-subject-field.md %}). | |||
| `--root-cert-distinguished-name` <a name="flags-root-cert-distinguished-name"></a> | A string with a comma separated list of distinguished name (DN) mappings in `{attribute-type}={attribute-value}` format in accordance with [RFC4514](https://www.rfc-editor.org/rfc/rfc4514) for the [`root` user]({% link {{ page.version.version }}/security-reference/authorization.md %}#root-user). If this flag is set, this needs to be an exact match with the DN subject in the client certificate provided for the `root` user. By exact match, we mean that the order of attributes in the argument to this flag must match the order of attributes in the DN subject in the certificate. For more information, see [Certificate-based authentication using multiple values from the X.509 Subject field]({% link {{ page.version.version }}/certificate-based-authentication-using-the-x509-subject-field.md %}). | |||
| `--tls-cipher-suites` <a name="tls-cipher-suites"></a> | A comma-separated list of TLS cipher suites to allow for SQL, RPC, and HTTP connections, limited to those [supported by CockroachDB]({% link {{ page.version.version }}/authentication.md %}#supported-cipher-suites). Connections using disallowed cipher suites will be rejected during the TLS handshake and logged to `cockroach.log`. Look for log messages containing: `presented cipher ... not in allowed cipher suite list`.<br>Example usage: `--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_128_GCM_SHA256`. | |||
There was a problem hiding this comment.
is this 'new in v25.2' ? if so we could add that little include thingy to the table description cell if you want (non-blocking obv)
There was a problem hiding this comment.
@rmloveland Thanks! Yes, I'll add that.
souravcrl
approved these changes
May 9, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
DOC-13564
Updated and cross-linked:
Will backport to v24.1, v24.2, v24.3, v25.1 post-review