TLS/SSL 1.2 hints and tips - Noteworthy at Compose
This is your weekly summary of Compose news for those changes and updates which can make your life easier. In this edition, with weeks to go before the TLS 1.0/1.1 shutdown, we show some particular fixes you may want to ensure you have in place. We've also got a round-up of the last week's Compose Articles.
A TLS Refresh
As we've previously mentioned, on March 1st we'll be switching Compose and Compose services to use TLS 1.2 only. TLS is the successor to SSL, the original encrypted connection protocol, and TLS 1.2 is the most recent finalized version, published in 2008, a decade ago. Many applications and tools use the terms TLS and SSL interchangeably in their documentation and flags.
The current exceptions to the TLS 1.2-only date are PostgreSQL and Compose for MySQL beta, where we are deferring the TLS 1.2-only switch until a future update.
TL;DR
Applications should be able to handle the TLSv1.2-only setting with ease when it arrives on 1st March. There are ways to confirm which TLS version you are actually using. Beware of hard-coding TLS settings.
Handshaking
When an encrypted connection is set up, the first thing negotiated is which protocol version the two ends will use. The client advertises what it supports (in TLS 1.2 and earlier, the highest version it will accept; in TLS 1.3, an explicit list) and the server picks the highest version it also supports. That happens in a single exchange: there is no stepping down through versions inside the protocol, and if client and server have no version in common the handshake simply fails.
Some older client libraries react to that failure by retrying the connection with a lower version. That retry is client-side behaviour rather than part of TLS, and because anyone who can disrupt the first handshake can use it to push the connection onto a weaker version, modern stacks have dropped it. The practical result is the same either way: a client and server that both support TLSv1.2 will agree on it, because it is the highest version they share.
When TLSv1.3 becomes widespread, the same logic means that once client and server both have TLSv1.3, they'll start using it without any change on your side.
Why do we mention this? Because hard-coding TLSv1.2 on a TLS/SSL connection means that code will need to be revisited for TLSv1.3. Ideally, you should run with your system defaults and let the version negotiation just happen. But things are rarely ideal, and there is code where this kind of thing gets hard-wired.
So, what we'll discuss here are some situations where we often find TLS versions hard-wired, and ways to find out what was actually negotiated.
Java
Many Java database drivers take an SSLContext object to configure their TLS/SSL connection. Where your code obtains that SSLContext, make sure it is one with TLSv1.2 enabled, like so:
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
The name passed to getInstance() is a protocol name, not a pin. "TLSv1.2" returns a context that supports TLSv1.2 and, depending on the JDK, may still enable older versions alongside it. The generic name "TLS" is the "whatever the provider enables by default" setting; on JDK 7 clients that default did not include TLSv1.2 (JDK 8 turned it on), which is why being explicit matters here. If you need to control exactly which versions are offered, set them on the socket or engine with setEnabledProtocols(). And because a JDK that has TLSv1.3 will expose it under "TLSv1.3" or "TLS" rather than "TLSv1.2", this is one of the places to revisit later.
Node.js
With Node.js, most TLS/SSL-enabled drivers use Node's built-in tls module, so they follow Node's own defaults. You may still want to confirm you are getting TLSv1.2, so for a practical example, let's look at connecting with the Node-Redis driver (the 2.x/3.x versions current when this was written):
const redis = require('redis');
const client = redis.createClient(connectionString, {
  tls: { servername: new URL(connectionString).hostname }
});
// Read the version only once the handshake has completed, i.e. on 'ready'
client.on('ready', () => console.log(client.stream.getProtocol()));
The Node-Redis client has a stream field, which is the TLS socket to the server. Once the connection is up, calling getProtocol() on it returns the negotiated TLS version as a string such as 'TLSv1.2'; asking before the handshake has finished will not give you the negotiated value, hence the ready event. Here, we print it out for a quick check.
Scylla and Python
Python's TLS/SSL stack is somewhat idiosyncratic. For example, as we've documented, a Scylla connection takes an ssl_options dictionary that the driver hands straight to Python's ssl.wrap_socket(), and the ssl_version entry in it is exactly the kind of hard-wired setting we mean. The fix is simple: make the TLS version explicitly 1.2.
import ssl

ssl_options = {
    'ca_certs': '/path/to/lechain.crt',
    'cert_reqs': ssl.CERT_REQUIRED,      # verify the server certificate against ca_certs
    'ssl_version': ssl.PROTOCOL_TLSv1_2  # pins the connection to exactly TLSv1.2
}
Two caveats. ssl.PROTOCOL_TLSv1_2 pins the connection to exactly TLSv1.2, not "1.2 or later", so this is a line to revisit when TLSv1.3 arrives (newer Python versions deprecate the version-specific constants in favour of ssl.PROTOCOL_TLS with a minimum version for that reason). And wrap_socket() only verifies the server certificate when cert_reqs is ssl.CERT_REQUIRED; a ca_certs path on its own does not turn verification on, which is why the example sets both.
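The following is an added example, not code from the original post or from the Scylla driver. It uses only Python's standard-library ssl module (3.7 or later) to show in one place what the Handshaking and Scylla sections describe: a context hard-wired to exactly TLSv1.2, the modern equivalent of ssl.PROTOCOL_TLSv1_2, next to one that only sets TLSv1.2 as a floor; a small model of the one-exchange version negotiation; and a helper that connects for real and reports the version actually negotiated. The function names, the COMPOSE_TLS12_ONLY set, and the server version sets used for illustration are our own assumptions.

```python
import socket
import ssl

# Version ladder OpenSSL can negotiate, lowest to highest. Which of these a
# particular build actually offers is up to the library; this list only
# resolves the MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED sentinels on a context.
_LADDER = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]

# Assumed for illustration: what a Compose service offers after the switch.
COMPOSE_TLS12_ONLY = {"TLSv1_2"}


def hardwired_tls12_context():
    """Modern equivalent of ssl.PROTOCOL_TLSv1_2: exactly TLSv1.2, nothing else.

    Floor and ceiling are both pinned, so this client can never move up to
    TLSv1.3 and has to be revisited when the server side gains it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls12_floor_context(cafile=None):
    """A floor rather than a pin: TLSv1.2 at minimum, anything newer allowed.

    PROTOCOL_TLS_CLIENT turns on certificate verification and hostname
    checking by default, which is what makes the CA file actually matter.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED  # let negotiation climb
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def describe(ctx):
    """Summarise the settings that matter when hunting for hard-wired versions."""
    return {
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
        "verify": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def enabled_versions(ctx):
    """Protocol versions the context will offer, lowest to highest."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = _LADDER[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = _LADDER[-1]
    return [v.name for v in _LADDER if lo <= v <= hi]


def would_negotiate(client_ctx, server_versions):
    """Model the version handshake: the highest version both ends support.

    In TLS 1.2 and earlier the client states the highest version it accepts
    and the server answers with the highest one it shares; in TLS 1.3 the
    client lists its versions and the server picks from that list. Either
    way it is a single exchange: no common version means failure (None
    here), not a retry at a lower version.
    """
    common = [v for v in enabled_versions(client_ctx) if v in server_versions]
    return common[-1] if common else None


def negotiated_version(host, port, ctx):
    """Connect for real and return what was actually negotiated, e.g. 'TLSv1.2'.

    Only meaningful for services that speak TLS from the first byte (Redis,
    Elasticsearch, ...). PostgreSQL upgrades to TLS inside its own protocol,
    so this plain wrap does not apply to it.
    """
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as ssock:
            return ssock.version()


if __name__ == "__main__":
    for name, ctx in (("hard-wired", hardwired_tls12_context()),
                      ("floor", tls12_floor_context())):
        print(name, describe(ctx), enabled_versions(ctx),
              "vs TLS1.2-only server ->", would_negotiate(ctx, COMPOSE_TLS12_ONLY))
```

To check a deployment, call negotiated_version() with your own host, port and CA file, for example negotiated_version(host, port, tls12_floor_context('/path/to/lechain.crt')); an ssl.SSLError from a client whose context cannot offer TLSv1.2 is the failure the post is warning about. The model function is there to make the point of the Handshaking section concrete: against a server offering TLSv1.2 and TLSv1.3, the hard-wired context stays on 1.2 while the floor context moves to 1.3 with no code change.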
Compose Articles
In the past week of Compose Articles, we've looked at PHP and Janusgraph, an easy way to get PostgreSQL performance stats and the latest news on database updates being released into the wild:
- In Powering PHP With JanusGraph, Don Omondi, a regular Compose Write Stuff contributor, introduced us to his work in bringing PHP and JanusGraph together with his PHP-OGM library.
- Getting performance statistics on your PostgreSQL database can be a chore, but in Easy PostgreSQL performance stats with pgHero and Docker we show how, with a minimal footprint, you can quickly get those numbers and more insight into how your PostgreSQL is running.
- With the latest NewsBits we bring you up to date with the week's news, from the upstream updates for PostgreSQL, Elasticsearch, Redis, and MongoDB, to Chrome's "Not Secure" surprise for January and Linux's security fixes in 4.15.
That's it for this week's Noteworthy at Compose. Onwards to next week!
Read more articles about Compose databases - use our Curated Collections Guide for articles on each database type. If you have any feedback about this or any other Compose article, drop the Compose Articles team a line at articles@compose.com. We're happy to hear from you.