TLS Constraints

Created by Jamie Martin, Modified on Tue, 18 Oct 2022 at 04:49 PM by Jamie Martin

Cipher Suite


Gremlin does not support cipher suites considered to be weak. This includes:



  • SSL1, SSL2, SSL3, TLS1 or TLS1.1.

  • RC4.

  • DES or triple DES.

  • EXPORT ciphersuites.

  • MAC-then-encrypt ciphersuites.

  • Ciphersuites without forward secrecy.

  • Renegotiation.

  • Kerberos.

  • Compression.

  • Discrete-log Diffie-Hellman.

  • Automatic protocol version downgrade.


For more information on these considerations, see A review of protocol vulnerabilities.


Self-Signed Certificates


The following are constraints on valid certificates accepted by Gremlin:




  • Per RFC6125 recommendation, a Certificate must have a defined Subject Alternative Name (Gremlin ignores the `CN` field)

  • For end-entity certificates (the server’s certificate), they must not also be a Certificate Authority (CA)


The following is an example on how to create a certificate that works with Gremlin, though there are other ways to produce valid certificates.


openssl req \
  -x509 \
  -newkey rsa:4096 \
  -keyout key.pem \
  -out cert.pem \
  -sha256 \
  -days 365 \
  -nodes \
  -addext 'subjectAltName = DNS:host.docker.internal' \
  -addext 'basicConstraints=critical,CA:FALSE'

 

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article