
From beno...@apache.org
Subject svn commit: r1143764 - in /couchdb/trunk: etc/couchdb/default.ini.tpl.in etc/couchdb/local.ini src/couchdb/couch_httpd.erl src/couchdb/couch_replicator_utils.erl
Date Thu, 07 Jul 2011 11:19:13 GMT
Author: benoitc
Date: Thu Jul  7 11:19:13 2011
New Revision: 1143764

URL: http://svn.apache.org/viewvc?rev=1143764&view=rev
Log:
improve SSL handling. Allows a couch node to handle ssl validation and pass an ssl certificate
to the replication for such nodes.

close ticket #COUCHDB-1208.


Modified:
    couchdb/trunk/etc/couchdb/default.ini.tpl.in
    couchdb/trunk/etc/couchdb/local.ini
    couchdb/trunk/src/couchdb/couch_httpd.erl
    couchdb/trunk/src/couchdb/couch_replicator_utils.erl

Modified: couchdb/trunk/etc/couchdb/default.ini.tpl.in
URL: http://svn.apache.org/viewvc/couchdb/trunk/etc/couchdb/default.ini.tpl.in?rev=1143764&r1=1143763&r2=1143764&view=diff
==============================================================================
--- couchdb/trunk/etc/couchdb/default.ini.tpl.in (original)
+++ couchdb/trunk/etc/couchdb/default.ini.tpl.in Thu Jul  7 11:19:13 2011
@@ -179,6 +179,13 @@ connection_timeout = 30000
 ; See the `inet` Erlang module's man page for the full list of options.
 socket_options = [{keepalive, true}, {nodelay, false}]
 ; set to true to validate peer certificates
+; Path to a file containing the user's certificate.
+;cert_file = /full/path/to/server_cert.pem
+; Path to file containing user's private PEM encoded key.
+;key_file = /full/path/to/server_key.pem
+; String containing the user's password. Only used if the private keyfile is password protected.

+;password = somepassword
+; set to true to validate peer certificates
 verify_ssl_certificates = false
 ; file containing a list of peer trusted certificates (PEM format)
 ; ssl_trusted_certificates_file = /etc/ssl/certs/ca-certificates.crt
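Review bot: The inserted lines land between the existing context comment `; set to true to validate peer certificates` and the `verify_ssl_certificates` key it describes, and the same sentence is then added again directly above the key, so the template now carries it twice, with the first copy sitting above `cert_file` as if it described that key. Either drop the first copy from the template or insert the new keys above it so each comment sits directly over its own key. The section header is not in the hunk; from the keys visible here (`connection_timeout`, `socket_options`, `ssl_trusted_certificates_file`) this appears to be the `[replicator]` section, in which case `; Path to a file containing the user's certificate.` would be clearer as `; Path to a PEM file containing the client certificate presented to remote https endpoints.`, and the example name `server_cert.pem` is misleading for a client certificate.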

Modified: couchdb/trunk/etc/couchdb/local.ini
URL: http://svn.apache.org/viewvc/couchdb/trunk/etc/couchdb/local.ini?rev=1143764&r1=1143763&r2=1143764&view=diff
==============================================================================
--- couchdb/trunk/etc/couchdb/local.ini (original)
+++ couchdb/trunk/etc/couchdb/local.ini Thu Jul  7 11:19:13 2011
@@ -51,7 +51,17 @@
 [ssl]
 ;cert_file = /full/path/to/server_cert.pem
 ;key_file = /full/path/to/server_key.pem
-
+;password = somepassword
+; set to true to validate peer certificates
+verify_ssl_certificates = false
+; Path to file containing PEM encoded CA certificates (trusted
+; certificates used for verifying a peer certificate). May be omitted if
+; you do not want to verify the peer.
+;cacert_file = /full/path/to/cacertf
+; The verification fun (optionnal) if not specidied, the default
+; verification fun will be used.
+;verify_fun = {Module, VerifyFun}
+ssl_certificate_max_depth = 1
 ; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
 ; the Virual Host will be redirected to the path. In the example below all requests
 ; to http://example.com/ are redirected to /database.
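Review bot: The new `verify_fun` comment has two typos, `optionnal` and `specidied`; suggested wording: `; The verification fun (optional). If not specified, the default` / `; verification fun will be used.`. The `cacert_file` comment says it may be omitted when the peer is not verified, which matches the server code, but it should also state that the key becomes mandatory once `verify_ssl_certificates = true`, because couch_httpd refuses to start https without it; e.g. append `; Required when verify_ssl_certificates is true.`. The `password` key, when set, stores the private-key passphrase in clear text in this file, so a short note that the file's permissions must be restricted accordingly would be appropriate next to it.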

Modified: couchdb/trunk/src/couchdb/couch_httpd.erl
URL: http://svn.apache.org/viewvc/couchdb/trunk/src/couchdb/couch_httpd.erl?rev=1143764&r1=1143763&r2=1143764&view=diff
==============================================================================
--- couchdb/trunk/src/couchdb/couch_httpd.erl (original)
+++ couchdb/trunk/src/couchdb/couch_httpd.erl Thu Jul  7 11:19:13 2011
@@ -40,16 +40,54 @@ start_link(https) ->
     CertFile = couch_config:get("ssl", "cert_file", nil),
     KeyFile = couch_config:get("ssl", "key_file", nil),
     Options = case CertFile /= nil andalso KeyFile /= nil of
-                  true ->
-                      [{port, Port},
-                       {ssl, true},
-                       {ssl_opts, [
-                             {certfile, CertFile},
-                             {keyfile, KeyFile}]}];
-                  false ->
-                      io:format("SSL enabled but PEM certificates are missing.", []),
-                      throw({error, missing_certs})
-              end,
+        true ->
+            SslOpts = [{certfile, CertFile}, {keyfile, KeyFile}],
+
+            %% set password if one is needed for the cert
+            SslOpts1 = case couch_config:get("ssl", "password", nil) of
+                nil -> SslOpts;
+                Password ->
+                    SslOpts ++ [{password, Password}]
+            end,
+            % do we verify certificates ?
+            FinalSslOpts = case couch_config:get("ssl",
+                    "verify_ssl_certificates", false) of
+                false -> SslOpts1;
+                _ ->
+                    case couch_config:get("ssl",
+                            "cacert_file", nil) of
+                        nil ->
+                            io:format("Verify SSL certificate "
+                                ++"enabled but file containing "
+                                ++"PEM encoded CA certificates is "
+                                ++"missing", []),
+                            throw({error, missing_cacerts});
+                        CaCertFile ->
+                            Depth = list_to_integer(couch_config:get("ssl",
+                                    "ssl_certificate_max_depth",
+                                    "1")),
+                            FinalOpts = [
+                                {cacertfile, CaCertFile},
+                                {depth, Depth},
+                                {verify, verify_peer}],
+                            % allows custom verify fun.
+                            case couch_config:get("ssl",
+                                    "verify_fun", nil) of
+                                nil -> FinalOpts;
+                                SpecStr ->
+                                    FinalOpts 
+                                    ++ [{verify_fun, make_arity_3_fun(SpecStr)}]
+                            end
+                    end
+            end,
+            
+            [{port, Port},
+                {ssl, true},
+                {ssl_opts, FinalSslOpts}];
+        false ->
+            io:format("SSL enabled but PEM certificates are missing.", []),
+            throw({error, missing_certs})
+    end,
     start_link(https, Options).
 start_link(Name, Options) ->
     % read config and register for configuration changes
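Review bot: The `false ->` clause of the `verify_ssl_certificates` case matches only the atom default, but couch_config:get returns strings (the replicator hunk in this same commit tests `VerifyCerts =:= "true"`), so a configured `verify_ssl_certificates = false` — the value this commit writes into local.ini — takes the `_ ->` branch, turns verification on and, with `cacert_file` still commented out, makes https startup throw `missing_cacerts`. Comparing the string keeps the structure intact: `FinalSslOpts = case couch_config:get("ssl", "verify_ssl_certificates", "false") =:= "true" of` with `false -> SslOpts1;` unchanged and `_ ->` replaced by `true ->`. Separately, on a listening socket `{verify, verify_peer}` alone does not reject clients that present no certificate; if the intent is to require client certificates, `{fail_if_no_peer_cert, true}` is needed alongside it, otherwise a comment such as `% client certs are verified only when offered; no cert is still accepted` would make the behaviour explicit. The `io:format` messages on both error paths also lack a trailing `~n`. The head of `start_link(https)` is outside the hunk.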

Modified: couchdb/trunk/src/couchdb/couch_replicator_utils.erl
URL: http://svn.apache.org/viewvc/couchdb/trunk/src/couchdb/couch_replicator_utils.erl?rev=1143764&r1=1143763&r2=1143764&view=diff
==============================================================================
--- couchdb/trunk/src/couchdb/couch_replicator_utils.erl (original)
+++ couchdb/trunk/src/couchdb/couch_replicator_utils.erl Thu Jul  7 11:19:13 2011
@@ -291,8 +291,22 @@ ssl_params(Url) ->
             couch_config:get("replicator", "ssl_certificate_max_depth", "3")
         ),
         VerifyCerts = couch_config:get("replicator", "verify_ssl_certificates"),
+        CertFile = couch_config:get("replicator", "cert_file", nil),
+        KeyFile = couch_config:get("replicator", "key_file", nil),
+        Password = couch_config:get("replicator", "password", nil),
         SslOpts = [{depth, Depth} | ssl_verify_options(VerifyCerts =:= "true")],
-        [{is_ssl, true}, {ssl_options, SslOpts}];
+        SslOpts1 = case CertFile /= nil andalso KeyFile /= nil of
+            true ->
+                case Password of
+                    nil -> 
+                        [{certfile, CertFile}, {keyfile, KeyFile}] ++ SslOpts;
+                    _ -> 
+                        [{certfile, CertFile}, {keyfile, KeyFile},
+                            {password, Password}] ++ SslOpts
+                end;
+            false -> SslOpts
+        end,
+        [{is_ssl, true}, {ssl_options, SslOpts1}];
     #url{protocol = http} ->
         []
     end.
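Review bot: The two arms of the inner `case Password of` repeat the `[{certfile, CertFile}, {keyfile, KeyFile}]` prefix and differ only in the optional `{password, Password}` element; building the optional part with a comprehension removes the nesting: `ClientOpts = [{certfile, CertFile}, {keyfile, KeyFile} | [{password, Password} || Password =/= nil]],` followed by `true -> ClientOpts ++ SslOpts;`. As far as this hunk shows, the certificate, key and password are read from the `[replicator]` section with no dependence on `Url`, so the same client certificate and key are presented to every https replication target; a comment stating this (`% one client certificate for all https endpoints`) would make that scoping explicit for operators. `ssl_params/1` begins before the hunk.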


