Cipher Suite
Gremlin does not support protocol versions, cipher suites and TLS features that are considered weak. This includes:
- SSL1, SSL2, SSL3, TLS1 or TLS1.1.
- RC4.
- DES or triple DES.
- EXPORT ciphersuites.
- MAC-then-encrypt ciphersuites.
- Ciphersuites without forward secrecy.
- Renegotiation.
- Kerberos.
- Compression.
- Discrete-log Diffie-Hellman.
- Automatic protocol version downgrade.
For more information on these considerations, see A review of protocol vulnerabilities.
Self-Signed Certificates
The following are constraints on valid certificates accepted by Gremlin:
- Per the RFC 6125 recommendation, a certificate must have a defined Subject Alternative Name (Gremlin ignores the `CN` field).
- An end-entity certificate (the server's certificate) must not also be a Certificate Authority (CA) certificate.
The following is an example of how to create a certificate that works with Gremlin, though there are other ways to produce valid certificates.
openssl req \
-x509 \
-newkey rsa:4096 \
-keyout key.pem \
-out cert.pem \
-sha256 \
-days 365 \
-nodes \
-addext 'subjectAltName = DNS:host.docker.internal' \
-addext 'basicConstraints=critical,CA:FALSE'