Date: Wed, 15 Sep 2010 23:09:33 +0100
Subject: Re: CouchDB 1.1
From: Filipe David Manana
To: dev@couchdb.apache.org

On Wed, Sep 15, 2010 at 10:13 PM, James Jackson wrote:

> Hi,
>
> > 1) The replicator allows ssl connections to hosts with self-signed
> > certificates by default, obviating the security of the protocol. Since
> > this is the OTP default (seriously), we probably want to get a patch
> > upstream as well.
>
> There is a patch for this here:
>
> https://issues.apache.org/jira/browse/COUCHDB-878
>
> I have a local patch which folds this verification function with the added
> ability for SSL replication sessions to be authenticated by a key / cert
> pair; I haven't had a chance to test it though (waiting on our
> authenticating front-end to be set up) so haven't submitted the patch. If
> somebody is willing to test it, I can open up a ticket with the patch.
>
> As essentially the patch builds SSL parameters for the http_db objects
> which get passed around the replicator, it made sense to factor the
> verification and SSL certification stuff into one 'get_ssl_parameters'
> function.
>

Looks fine, but actually doesn't deal with the new SSL implementation from
OTP R14A.

I've been working on it as part of desktopcouch but didn't commit it to the
ASF repository:

http://github.com/fdmanana/desktopcouch-ubuntu-10_10/commit/49eb401b991f334ab06cc7a0f4031c7aafb927a7

Doing a bit more testing before committing it.

>
> Regards,
> James.

--
Filipe David Manana,
fdmanana@gmail.com, fdmanana@apache.org

"Reasonable men adapt themselves to the world.
Unreasonable men adapt the world to themselves.
That's why all progress depends on unreasonable men."
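
One way a 'get_ssl_parameters'-style function could fold certificate verification and a client key / cert pair into a single option list, as an added example that is not part of the original message or of either patch mentioned in it. The module name, the config keys and the file paths are assumptions; verify, cacertfile, depth, certfile and keyfile are standard Erlang ssl options.

```erlang
%% Added example, not CouchDB's code. Module name, config keys and the
%% constructed paths in demo/0 are assumptions made for illustration.
-module(ssl_params_example).
-export([get_ssl_parameters/1, demo/0]).

%% Build the option list handed to ssl:connect/3,4 for a replication
%% endpoint. Verification is on unless the caller explicitly opts out.
get_ssl_parameters(Config) ->
    verify_opts(Config) ++ client_cert_opts(Config).

verify_opts(Config) ->
    case proplists:get_value(verify_certificates, Config, true) of
        false ->
            %% Weak setting: no chain validation, so a self-signed
            %% certificate from any host is accepted.
            [{verify, verify_none}];
        true ->
            case proplists:get_value(cacertfile, Config) of
                undefined ->
                    %% Fail closed instead of silently skipping verification.
                    erlang:error({missing_option, cacertfile});
                CaFile ->
                    [{verify, verify_peer},
                     {cacertfile, CaFile},
                     {depth, proplists:get_value(depth, Config, 3)}]
            end
    end.

%% Client authentication needs both halves of the key / cert pair.
client_cert_opts(Config) ->
    case {proplists:get_value(certfile, Config),
          proplists:get_value(keyfile, Config)} of
        {undefined, undefined} ->
            [];
        {Cert, Key} when Cert =/= undefined, Key =/= undefined ->
            [{certfile, Cert}, {keyfile, Key}];
        _ ->
            erlang:error(incomplete_client_credentials)
    end.

%% Constructed sample configuration.
demo() ->
    get_ssl_parameters([{cacertfile, "/etc/couchdb/ca.pem"},
                        {certfile, "/etc/couchdb/replicator-cert.pem"},
                        {keyfile, "/etc/couchdb/replicator-key.pem"}]).
```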