couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Stapelberg (JIRA)" <j...@apache.org>
Subject [jira] Created: (COUCHDB-878) [PATCH] Verify SSL Certificate Chain when doing SSL replication
Date Mon, 06 Sep 2010 21:01:34 GMT
[PATCH] Verify SSL Certificate Chain when doing SSL replication
---------------------------------------------------------------

                 Key: COUCHDB-878
                 URL: https://issues.apache.org/jira/browse/COUCHDB-878
             Project: CouchDB
          Issue Type: Improvement
          Components: Replication
    Affects Versions: 1.0.1
            Reporter: Michael Stapelberg


When doing an SSL replication, CouchDB does not check the certificate chain. This renders
the SSL support absolutely useless since an attacker who is in the position of doing man-in-the-middle
attacks can send an invalid certificate and gets all my data (push replication).

The attached patch passes a verify_fun in ssl_options to ibrowse in order to validate the
certificate path. Two new configuration options are introduced: ssl.verify (bool) and ssl.cacertfile
(string). Set the latter to a PEM file containing the root CA for your certificate.

Documentation updates are not included in the patch. Also, error handling is not included
(only io:fwrite is used).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message