couchdb-dev mailing list archives

From "Brendan O'Connor (Created) (JIRA)" <j...@apache.org>
Subject [jira] [Created] (COUCHDB-1448) Client Certificate Validation Nonfunctional
Date Fri, 23 Mar 2012 23:39:29 GMT
Client Certificate Validation Nonfunctional
-------------------------------------------

                 Key: COUCHDB-1448
                 URL: https://issues.apache.org/jira/browse/COUCHDB-1448
             Project: CouchDB
          Issue Type: Bug
          Components: HTTP Interface
    Affects Versions: 1.2
         Environment: OSX 10.7/Ubuntu 11.10, Erlang R15B/R14B4
            Reporter: Brendan O'Connor


CouchDB commit: 4cd60f3d1683a3445c3248f48ae064fb573db2a1 (from build-couchdb) on both platforms
(OSX / R14B4, and Ubuntu / R15B).

Attempting to use client SSL certificate validation. In local.ini, if I specify cert_file
and key_file, *server* SSL certificate functionality works as expected. If I also specify
a cacert_file and set verify_ssl_certificates = true, I get the following crash:

============
[info] [<0.31.0>] Apache CouchDB has started on https://127.0.0.1:6984/
[error] [<0.165.0>] SSL: hello: ssl_handshake.erl:249:Fatal error: internal error


=ERROR REPORT==== 23-Mar-2012::17:12:03 ===
SSL: hello: ssl_handshake.erl:249:Fatal error: internal error
[error] [<0.164.0>] SSL: hello: ssl_handshake.erl:249:Fatal error: internal error


=ERROR REPORT==== 23-Mar-2012::17:12:03 ===
SSL: hello: ssl_handshake.erl:249:Fatal error: internal error
[error] [<0.166.0>] SSL: hello: ssl_handshake.erl:249:Fatal error: internal error


=ERROR REPORT==== 23-Mar-2012::17:12:03 ===
SSL: hello: ssl_handshake.erl:249:Fatal error: internal error
[error] [<0.145.0>] {error_report,<0.30.0>,
                                  {<0.145.0>,std_error,
                                   [{application,mochiweb},
                                    "Accept failed error",
                                    "{error,\"internal error\"}"]}}

=ERROR REPORT==== 23-Mar-2012::17:12:03 ===
    application: mochiweb
    "Accept failed error"
    "{error,\"internal error\"}"
[error] [<0.144.0>] {error_report,<0.30.0>,
                                  {<0.144.0>,std_error,
                                   [{application,mochiweb},
                                    "Accept failed error",
                                    "{error,\"internal error\"}"]}}

=ERROR REPORT==== 23-Mar-2012::17:12:03 ===
    application: mochiweb
    "Accept failed error"
    "{error,\"internal error\"}"
[error] [<0.145.0>] {error_report,<0.30.0>,
                     {<0.145.0>,crash_report,
                      [[{initial_call,
                         {mochiweb_acceptor,init,
                          ['Argument__1','Argument__2','Argument__3']}},
                        {pid,<0.145.0>},
                        {registered_name,[]},
                        {error_info,
                         {exit,
                          {error,accept_failed},
                          [{mochiweb_acceptor,init,3,
                            [{file,
                              "/Users/ussjoin/Desktop/build-couchdb/dependencies/couchdb/src/mochiweb/mochiweb_acceptor.erl"},
                             {line,33}]},
                           {proc_lib,init_p_do_apply,3,
                            [{file,"proc_lib.erl"},{line,227}]}]}},
                        {ancestors,
                         [https,couch_secondary_services,couch_server_sup,
                          <0.31.0>]},
                        {messages,[]},
                        {links,[<0.142.0>]},
                        {dictionary,[]},
                        {trap_exit,false},
                        {status,running},
                        {heap_size,2584},
                        {stack_size,24},
                        {reductions,912}],
                       []]}}

=CRASH REPORT==== 23-Mar-2012::17:12:03 ===
  crasher:
    initial call: mochiweb_acceptor:init/3
    pid: <0.145.0>
    registered_name: []
    exception exit: {error,accept_failed}
      in function  mochiweb_acceptor:init/3 (/Users/ussjoin/Desktop/build-couchdb/dependencies/couchdb/src/mochiweb/mochiweb_acceptor.erl,
line 33)
    ancestors: [https,couch_secondary_services,couch_server_sup,<0.31.0>]
    messages: []
    links: [<0.142.0>]
    dictionary: []
    trap_exit: false
    status: running
    heap_size: 2584
    stack_size: 24
    reductions: 912
  neighbours:
[error] [<0.142.0>] {error_report,<0.30.0>,
                        {<0.142.0>,std_error,
                         {mochiweb_socket_server,310,
                             {acceptor_error,{error,accept_failed}}}}}

============

From the browser side, the browser was never even asked by CouchDB to submit a client
certificate; it crashes before it gets to that point.

Similar result when specifying ssl_trusted_certificates_file and verify_ssl_certificates=true
in the replicator section of default.ini; a crash and nothing happens on replication attempts.


Workaround:

In replicator, specify cert_file and key_file, but leave verify_ssl_certificates = false.
Use nginx to verify the client certificates (and serve server SSL if you wish). Replication
proceeds with client+server SSL as expected, without having to use a proxy on the sending
side. (The downside is that you have to use nginx; if this feature worked as expected, the
use case could be solved in CouchDB alone.)



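One way to set up the nginx-in-front workaround the reporter describes, as an added example that is not part of the original report or of CouchDB. The certificate and key paths, the server name and the client CA bundle are assumptions; the upstream address is the CouchDB https listener shown in the log, with verify_ssl_certificates left at false in CouchDB's own [ssl] config.

```nginx
# Added example (not from the issue): nginx terminates TLS, verifies the client
# certificate that CouchDB could not, and proxies to CouchDB's https listener.
# All file paths and the server_name below are placeholders.
server {
    listen 443 ssl;
    server_name couch.example.invalid;

    # Server-side TLS presented to browsers and to the replicating CouchDB
    ssl_certificate     /etc/nginx/tls/couch-server.crt;
    ssl_certificate_key /etc/nginx/tls/couch-server.key;

    # Client certificate verification against the trusted CA bundle
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;
    ssl_verify_client      on;   # handshake fails without a valid client cert
    ssl_verify_depth       2;

    location / {
        # CouchDB's own https port (server SSL works there per the report).
        # Keep CouchDB bound to 127.0.0.1 so this check cannot be bypassed
        # by connecting to 6984 directly.
        proxy_pass https://127.0.0.1:6984;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $remote_addr;

        # Hand the verified identity to the backend for logging and auditing
        proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    }
}
```

With this in place, `openssl s_client -connect couch.example.invalid:443` without a client certificate should fail the handshake, which is the quickest check that verification is actually being enforced.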