From gar...@apache.org
Subject [01/47] couchdb commit: updated refs/heads/Update-Sidebar-Ui to c173e52
Date Mon, 19 May 2014 16:17:19 GMT
Repository: couchdb
Updated Branches:
  refs/heads/Update-Sidebar-Ui 9acf15d52 -> c173e52be (forced update)


Support for user configurable SSL ciphers


Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/fdb2188a
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/fdb2188a
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/fdb2188a

Branch: refs/heads/Update-Sidebar-Ui
Commit: fdb2188afa4ed6b9b9aac1e4d3a989e73f0454ce
Parents: 4124506
Author: Terin Stock <terinjokes@gmail.com>
Authored: Sun Apr 20 11:40:25 2014 +0100
Committer: Robert Newson <rnewson@apache.org>
Committed: Sun Apr 20 12:07:10 2014 +0100

----------------------------------------------------------------------
 etc/couchdb/local.ini         |  9 +++++++++
 share/doc/src/config/http.rst | 24 ++++++++++++++++++++++++
 src/couchdb/couch_httpd.erl   |  8 +++++++-
 3 files changed, 40 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb/blob/fdb2188a/etc/couchdb/local.ini
----------------------------------------------------------------------
diff --git a/etc/couchdb/local.ini b/etc/couchdb/local.ini
index 8aae331..b102881 100644
--- a/etc/couchdb/local.ini
+++ b/etc/couchdb/local.ini
@@ -75,6 +75,15 @@ verify_ssl_certificates = false
 ;verify_fun = {Module, VerifyFun}
 ; maximum peer certificate depth
 ssl_certificate_max_depth = 1
+;
+; Reject renegotiations that do not live up to RFC 5746.
+;secure_renegotiate = true
+; The cipher suites that should be supported.
+; Can be specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}"
+; or in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
+;ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
+; The SSL/TLS versions to support
+;tls_versions = [sslv3, tlsv1, 'tlsv1.1', 'tlsv1.2']
 
 ; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
 ; the Virual Host will be redirected to the path. In the example below all requests
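Review bot: The example on the `;tls_versions` line offers `sslv3` next to the TLS versions, and commented-out examples in local.ini tend to be uncommented verbatim; SSLv3 is obsolete and should not appear in a suggested list, so `;tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']` is the safer example. The new lines also never say what leaving an option commented out means; if unset values are dropped before the listener is started, as the couch_httpd.erl change in this commit suggests, a line such as `; Options left unset fall back to the Erlang ssl application defaults.` above them would make that explicit. The `secure_renegotiate` comment could likewise note that leaving it unset relies on that default rather than on RFC 5746 enforcement being switched on.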

http://git-wip-us.apache.org/repos/asf/couchdb/blob/fdb2188a/share/doc/src/config/http.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/config/http.rst b/share/doc/src/config/http.rst
index 1ae3abe..dfe8d5a 100644
--- a/share/doc/src/config/http.rst
+++ b/share/doc/src/config/http.rst
@@ -387,6 +387,30 @@ Secure Socket Level Options
       [ssl]
       verify_ssl_certificates = false
 
+  .. config:option:: secure_renegotiate :: Enable secure renegotiation
+
+    Set to `true` to reject renegotiation attempt that does not live up to RFC 5746::
+
+      [ssl]
+      secure_renegotiate = true
+
+  .. config:option:: ciphers :: Specify permitted server cipher list
+
+    Set to the cipher suites that should be supported which can be
+    specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}" or
+    in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
+
+      [ssl]
+      ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
+
+  .. config:option:: tls_versions :: Specify permitted server SSL/TLS
+                     protocol versions
+
+    Set to a list of permitted SSL/TLS protocol versions::
+
+      [ssl]
+      tls_versions = [sslv3 | tlsv1 | 'tlsv1.1' | 'tlsv1.2']
+
 
 .. _cors:
 .. _config/cors:

http://git-wip-us.apache.org/repos/asf/couchdb/blob/fdb2188a/src/couchdb/couch_httpd.erl
----------------------------------------------------------------------
diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl
index 7ee3e3a..3eb2e39 100644
--- a/src/couchdb/couch_httpd.erl
+++ b/src/couchdb/couch_httpd.erl
@@ -39,11 +39,17 @@ start_link(http) ->
     start_link(?MODULE, [{port, Port}]);
 start_link(https) ->
     Port = couch_config:get("ssl", "port", "6984"),
+    {ok, Ciphers} = couch_util:parse_term(couch_config:get("ssl", "ciphers", "nil")),
+    {ok, Versions} = couch_util:parse_term(couch_config:get("ssl", "tls_versions", "nil")),
+    {ok, SecureRenegotiate} = couch_util:parse_term(couch_config:get("ssl", "secure_renegotiate",
"nil")),
     ServerOpts0 =
         [{cacertfile, couch_config:get("ssl", "cacert_file", nil)},
          {keyfile, couch_config:get("ssl", "key_file", nil)},
          {certfile, couch_config:get("ssl", "cert_file", nil)},
-         {password, couch_config:get("ssl", "password", nil)}],
+         {password, couch_config:get("ssl", "password", nil)},
+         {secure_renegotiate, SecureRenegotiate},
+         {versions, Versions},
+         {ciphers, Ciphers}],
 
     case (couch_util:get_value(keyfile, ServerOpts0) == nil orelse
         couch_util:get_value(certfile, ServerOpts0) == nil) of
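Review bot: The three `{ok, _} = couch_util:parse_term(...)` matches at the top of the added lines turn a typo in an `[ssl]` value into a bare `badmatch` on the parse result, whereas the certificate check just below reports its failure explicitly; routing the three reads through one helper that names the offending key keeps the two failure modes consistent (assuming parse_term returns `{error, _}` rather than raising on bad input). That helper is also the place to document that an unset option parses to the atom `nil`, which only works if the `nil` entries are dropped from ServerOpts0 before the listen call — the existing `nil` sentinel on cacertfile/keyfile suggests that happens further down, outside this hunk, but `{ciphers, nil}` handed straight to ssl would be rejected as an invalid option, so it is worth confirming. start_link(https) continues past the end of the hunk.

```erlang
start_link(https) ->
    Port = couch_config:get("ssl", "port", "6984"),
    Ciphers = ssl_term("ciphers"),
    Versions = ssl_term("tls_versions"),
    SecureRenegotiate = ssl_term("secure_renegotiate"),
    %% … unchanged: ServerOpts0, certificate check and the rest of start_link(https) …

%% Read an [ssl] option written as an Erlang term. An unset option yields
%% the atom nil, which the nil filtering on ServerOpts0 is expected to drop
%% so that the ssl application default applies. A malformed value is
%% reported with the key it belongs to instead of a bare badmatch.
ssl_term(Key) ->
    Value = couch_config:get("ssl", Key, "nil"),
    case couch_util:parse_term(Value) of
        {ok, Term} ->
            Term;
        {error, Reason} ->
            throw({error, {invalid_ssl_option, Key, Reason}})
    end.
```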

