couchdb-dev mailing list archives

From Filipe David Manana <fdman...@apache.org>
Subject Re: CouchDB 1.1
Date Sat, 18 Sep 2010 19:13:50 GMT
There are a lot of issues with SSL support in OTP.

I've been struggling with it recently:

http://www.erlang.org/cgi-bin/ezmlm-cgi?2:mss:2005:201009:nkpigljldefpimkjppbn

I've been working on this code:

http://github.com/fdmanana/desktopcouch/commit/d5d3adccb4a602699c494f4499684ac545c11320

But not yet ready to go to trunk until I get some more answers.

And yes, unknown_ca is not perfect since it might mean a CA not in the list
of known CAs or a self-signed certificate (I guess). I was using this in OTP
R13:

%% OTP R13 (old, OpenSSL-backed ssl): the fun gets the whole list of
%% verification errors and returns true to accept the connection.
VerifyFun13 = fun(ErrorList) ->
        %% Drop the two errors we tolerate; anything left over is fatal.
        Filtered = lists:foldl(
            fun({bad_cert, unknown_ca}, Acc) ->
                Acc;                       % CA not known (or self-signed cert)
            ({bad_cert, cert_expired}, Acc) ->
                Acc;                       % validity period is over
            (Other, Acc) ->
                [Other | Acc]
            end, [], ErrorList),
        length(Filtered) =:= 0
    end,

To make things worse, there are different option values in the new SSL
implementation that is the default for R14, like the verify_fun itself.
This is what I use on R14:

%% New ssl (R14): {Fun, InitialUserState}. Fun is called once per event
%% while the chain is validated, threading UserState through the calls.
VerifyFun = {
        fun(_, {bad_cert, unknown_ca}, UserState) ->
            {valid, UserState};            % no known CA (or self-signed)
        (_, {bad_cert, cert_expired}, UserState) ->
            {valid, UserState};            % expired certificate tolerated
        (_, {bad_cert, _} = Reason, _) ->
            {fail, Reason};                % any other chain error is fatal
        (_, {extension, _}, UserState) ->
            {unknown, UserState};          % unhandled extension: let ssl decide
        (_, valid, UserState) ->
            {valid, UserState}
    end, []},

With the default SSL implementation on R13 (basically a wrapper around the
OpenSSL library) I often get strange errors like:

               {{'EXIT',<0.336.0>,
                    {error,
                        {badinfo,
                            {tcp,#Port<0.2316>,

<<",\n{\"seq\":16,\"id\":\"11548683-15d35f091858b9c33f561ea0922e8b48-responses\",\"changes\":[{\"rev\":\"1-08c70a0b26001af33fa899d3ef314602\"}]}\r\n80\r\n,\n{\"seq\":17,\"id\":\"11551303-15d35f091858b9c33f561ea0922e8b48-responses\",\"changes\":[{\"rev\":\"1-c47fce9036725d71bcb2ff663720455b\"}]}\r\n80\r\n,\n{\"seq\":18,\"id\":\"13049320-15d35f091858b9c33f561ea0922e8b48-responses\",\"changes\":[{\"rev\":\"1-6cc1f285720bc29571fec2ecc315b001\"}]}\r\n80\r\n,\n{\"seq\":19,\"id\":\"13050209-15d35f091858b9c33f561ea0922e8b48-responses\",\"changes\":[{\"rev\":\"1-740341796485458015a17f052425fa3a\"}]}\r\n80\r\n,\n{\"seq\":20,\"id\":\"13062601-15d35f091858b9c33f561ea0922e8b48-responses\",\"changes\":[{\"rev\":\"1-76f97e535654cb2ddedb6e66c05b08b0\"}]}\r\n80\r\n,\n{\"seq\":21,\"id\":\"16406358-15d35f091858b9c33f561ea0922e8b48-responses\",\"changes\":[{\"rev\":\"1-6ee4dad15da6e10b45d70352d957c77e\"}]}\r\n80\r\n,\n{\"seq\":22,\"id\":\"16510937-15d35f091858b9c33f561ea0922e8b48-responses\",\"changes\":[{\"rev\":\"1-7bba444efa1d17c6a7d671301168f132\"}]}\r\n80\r\n,\n{\"seq\":23,\"id\":\"17906615-15d35f091858b9c33f561ea0922e8b48-responses\",\"changes\":[{\"rev\":\"1-c5e149a0ecb271fc83d67b99f07968ad\"}]}\r\n80\r\n,\n{\"seq\":24,\"id\":\"17915955-15d35f091858b9c33f561ea0922e8b48-responses\",\"changes\":[{\"rev\":\"1-6d4927f7f819d9154a16ffeddbef92e9\"}]}\r\n">>}}}},

With the new SSL implementation (default on R14) these occasional errors
seem to be gone.
On the other hand, with the new implementation I can no longer open the
certificates file in Ubuntu (/etc/ssl/certs/ca-certificates.crt) - it throws
an exception when invoking ssl:connect/3.

I'll keep you informed as I make more progress.

cheers

On Sat, Sep 18, 2010 at 7:15 PM, Robert Newson <robert.newson@gmail.com>
wrote:
>
> Replicator DB is awesome and the killer feature of 1.1 for sure
> (though range support is pretty awesome too...)
>
> We need to resolve the SSL issues first (the unknown_ca problem, at
> least). Also there's speculation that the mochiweb upgrade broke
> pipelining (as we can't find the code that used to do it with
> unrecv()).
>
> B.
>
> On Sat, Sep 18, 2010 at 7:08 PM, Chris Anderson <jchris@apache.org> wrote:
> > On Sat, Sep 18, 2010 at 10:57 AM, Jan Lehnardt <jan@apache.org> wrote:
> >>
> >> On 15 Sep 2010, at 23:40, David Kendal wrote:
> >>
> >>> What about full-text indexing and searching (built-in, without
> >>> Lucene)? There was a project to do that a while back, did it ever get
> >>> anywhere? Or was it integrated into trunk and released and I just
> >>> never noticed?
> >>
> >> FTI is a good feature, but we don't have anything there yet.
> >>
> >> I think the reason for a 1.1 release would be releasing new features
> >> we already have (SSL) or are currently working on (maybe new Futon)
> >> but not ones we still have a whole lot of work to do on.
> >>
> >
> > The replicator db is the big one. I think we should get a UI for that
> > before we release. Once we have that I think we are good for 1.1. (SSL
> > is rad too).
> >
> > I think we should hold the new Futon for 1.2 so it can go into trunk
> > right after a release and get some baking time.
> >
> > Chris
> >
> >> Anyone, correct me if I'm wrong :)
> >>
> >> Cheers
> >> Jan
> >> --
> >>
> >>
> >
> >
> >
> > --
> > Chris Anderson
> > http://jchrisa.net
> > http://couch.io
> >



--
Filipe David Manana,
fdmanana@gmail.com, fdmanana@apache.org

"Reasonable men adapt themselves to the world.
 Unreasonable men adapt the world to themselves.
 That's why all progress depends on unreasonable men."

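As an added example (not code from the message above, nor CouchDB's own), here is a verify_fun for the new ssl application that keeps the R14 callback shape shown in the message but does not answer {valid, _} for unknown_ca and cert_expired. Answering {valid, _} for unknown_ca means a certificate signed by any CA, or minted by whoever sits on the wire, passes path validation; tolerating cert_expired on top of that leaves the peer effectively unauthenticated. The alternative below pins one expected certificate: a peer whose chain cannot be built to a known CA is accepted only if the SHA-256 of its DER encoding matches a fingerprint obtained out of band, and every other bad_cert reason fails. Assumptions not on the page: a modern OTP (public_key:pkix_encode/3 and crypto:hash/2); that newer OTP releases report a self-signed peer as {bad_cert, selfsigned_peer} where R14 reports unknown_ca, so both are matched; and the module name pinned_verify, its function names and the PinnedSha256 argument are mine.

```erlang
%% Added example, not part of the original message or of CouchDB.
%% Assumes a modern OTP ssl/public_key/crypto; names here are hypothetical.
-module(pinned_verify).
-export([verify_fun/1, connect/4]).

%% SHA-256 over the DER encoding of a certificate as handed to verify_fun
%% (OTP record form, hence the 'otp' encoding selector).
fingerprint(OtpCert) ->
    Der = public_key:pkix_encode('OTPCertificate', OtpCert, otp),
    crypto:hash(sha256, Der).

%% Build the {Fun, InitialUserState} tuple the verify_fun option expects.
%% PinnedSha256 is the raw 32-byte digest of the one certificate we trust.
verify_fun(PinnedSha256) when is_binary(PinnedSha256),
                              byte_size(PinnedSha256) =:= 32 ->
    Fun = fun
        %% Path building failed (R14: unknown_ca; newer OTP also reports a
        %% self-signed peer as selfsigned_peer, an assumption noted above).
        %% Acceptable only if this is exactly the pinned certificate.
        (OtpCert, {bad_cert, Reason}, State)
                when Reason =:= unknown_ca; Reason =:= selfsigned_peer ->
            case fingerprint(OtpCert) =:= PinnedSha256 of
                true  -> {valid, State};
                false -> {fail, {pin_mismatch, Reason}}
            end;
        %% cert_expired, invalid_signature, name_not_permitted, ...:
        %% never waved through, unlike the relaxed fun in the message.
        (_OtpCert, {bad_cert, Reason}, _State) ->
            {fail, Reason};
        %% An extension ssl did not handle itself: we do not understand it
        %% either, so leave the decision to ssl.
        (_OtpCert, {extension, _Ext}, State) ->
            {unknown, State};
        %% A certificate in the chain validated normally.
        (_OtpCert, valid, State) ->
            {valid, State};
        %% The peer certificate validated normally against a known CA.
        (_OtpCert, valid_peer, State) ->
            {valid, State}
    end,
    {Fun, []}.

%% Connect with peer verification switched on explicitly: the ssl default
%% is verify_none, under which the chain is not checked at all.
connect(Host, Port, PinnedSha256, Timeout) ->
    ssl:connect(Host, Port,
                [{verify, verify_peer},
                 {verify_fun, verify_fun(PinnedSha256)}],
                Timeout).
```

Call pinned_verify:connect(Host, Port, Pin, Timeout) with Pin as the raw 32-byte digest (not the hex form). The point of the design is that the only relaxation is a positive match against a value you already hold; a certificate from a CA you do not know, or one that has expired, still fails, which is what the unknown_ca and cert_expired clauses in the message give up.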