From Benoit Chesneau <bchesn...@gmail.com>
Subject Re: git commit: updated refs/heads/2028-feature-intermediate-tls-certs to 4925bf6
Date Sun, 12 Jan 2014 13:06:21 GMT
The first link should be:

https://github.com/refuge/couch_core/blob/master/apps/couch_httpd/src/couch_httpd.erl#L73


On Sun, Jan 12, 2014 at 2:01 PM, Benoit Chesneau <bchesneau@gmail.com>wrote:

> Some certs passed to  couchdb (ala  nginx) already contain the cafile, we
> should detect it instead:
>
> I have a fix in rcouch for that:
>
>
> https://github.com/refuge/couch_core/blob/master/apps/couch_core/blob/master/apps/couch_httpd/src/couch_httpd.erl#L73
>
> and:
>
>
> https://github.com/refuge/couch_core/blob/master/apps/couch_httpd/src/couch_httpd.erl#L97
>
>
> It will land soon in the rcouch branch, and I will try to extract it for
> current.
>
> - benoit
>
>
> On Sun, Jan 12, 2014 at 1:54 PM, <rnewson@apache.org> wrote:
>
>> Updated Branches:
>>   refs/heads/2028-feature-intermediate-tls-certs [created] 4925bf6be
>>
>>
>> Allow cacertfile without verifying peers
>>
>>
>> Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
>> Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/4925bf6b
>> Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/4925bf6b
>> Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/4925bf6b
>>
>> Branch: refs/heads/2028-feature-intermediate-tls-certs
>> Commit: 4925bf6bee49cf77aaf83311b8c7d361dc5b2252
>> Parents: a749ecb
>> Author: Robert Newson <rnewson@apache.org>
>> Authored: Sun Jan 12 11:57:41 2014 +0000
>> Committer: Robert Newson <rnewson@apache.org>
>> Committed: Sun Jan 12 12:47:19 2014 +0000
>>
>> ----------------------------------------------------------------------
>>  src/couchdb/couch_httpd.erl | 81 ++++++++++++++++------------------------
>>  1 file changed, 33 insertions(+), 48 deletions(-)
>> ----------------------------------------------------------------------
>>
>>
>>
>> http://git-wip-us.apache.org/repos/asf/couchdb/blob/4925bf6b/src/couchdb/couch_httpd.erl
>> ----------------------------------------------------------------------
>> diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl
>> index 465bc7a..1372dec 100644
>> --- a/src/couchdb/couch_httpd.erl
>> +++ b/src/couchdb/couch_httpd.erl
>> @@ -39,57 +39,42 @@ start_link(http) ->
>>      start_link(?MODULE, [{port, Port}]);
>>  start_link(https) ->
>>      Port = couch_config:get("ssl", "port", "6984"),
>> -    CertFile = couch_config:get("ssl", "cert_file", nil),
>> -    KeyFile = couch_config:get("ssl", "key_file", nil),
>> -    Options = case CertFile /= nil andalso KeyFile /= nil of
>> +    ServerOpts0 =
>> +        [{cacertfile, couch_config:get("ssl", "cacert_file", nil)},
>> +         {keyfile, couch_config:get("ssl", "key_file", nil)},
>> +         {certfile, couch_config:get("ssl", "cert_file", nil)},
>> +         {password, couch_config:get("ssl", "password", nil)}],
>> +
>> +    case (couch_util:get_value(keyfile, ServerOpts0) == nil orelse
>> +        couch_util:get_value(certfile, ServerOpts0) == nil) of
>>          true ->
>> -            SslOpts = [{certfile, CertFile}, {keyfile, KeyFile}],
>> -
>> -            %% set password if one is needed for the cert
>> -            SslOpts1 = case couch_config:get("ssl", "password", nil) of
>> -                nil -> SslOpts;
>> -                Password ->
>> -                    SslOpts ++ [{password, Password}]
>> -            end,
>> -            % do we verify certificates ?
>> -            FinalSslOpts = case couch_config:get("ssl",
>> -                    "verify_ssl_certificates", "false") of
>> -                "false" -> SslOpts1;
>> -                "true" ->
>> -                    case couch_config:get("ssl",
>> -                            "cacert_file", nil) of
>> -                        nil ->
>> -                            io:format("Verify SSL certificate "
>> -                                ++"enabled but file containing "
>> -                                ++"PEM encoded CA certificates is "
>> -                                ++"missing", []),
>> -                            throw({error, missing_cacerts});
>> -                        CaCertFile ->
>> -                            Depth =
>> list_to_integer(couch_config:get("ssl",
>> -                                    "ssl_certificate_max_depth",
>> -                                    "1")),
>> -                            FinalOpts = [
>> -                                {cacertfile, CaCertFile},
>> -                                {depth, Depth},
>> -                                {verify, verify_peer}],
>> -                            % allows custom verify fun.
>> -                            case couch_config:get("ssl",
>> -                                    "verify_fun", nil) of
>> -                                nil -> FinalOpts;
>> -                                SpecStr ->
>> -                                    FinalOpts
>> -                                    ++ [{verify_fun,
>> make_arity_3_fun(SpecStr)}]
>> -                            end
>> -                    end
>> -            end,
>> -
>> -            [{port, Port},
>> -                {ssl, true},
>> -                {ssl_opts, FinalSslOpts}];
>> -        false ->
>>              io:format("SSL enabled but PEM certificates are missing.",
>> []),
>> -            throw({error, missing_certs})
>> +            throw({error, missing_certs});
>> +        false ->
>> +            ok
>>      end,
>> +
>> +    ServerOpts = [Opt || {_, V}=Opt <- ServerOpts0, V /= nil],
>> +
>> +    ClientOpts = case couch_config:get("ssl", "verify_ssl_certificates",
>> "false") of
>> +        "false" ->
>> +            [];
>> +        "true" ->
>> +            [{depth, list_to_integer(couch_config:get("ssl",
>> +                "ssl_certificate_max_depth", "1"))},
>> +             {verify, verify_peer}] ++
>> +            case couch_config:get("ssl", "verify_fun", nil) of
>> +                nil -> [];
>> +                SpecStr ->
>> +                    [{verify_fun, make_arity_3_fun(SpecStr)}]
>> +            end
>> +    end,
>> +    SslOpts = ServerOpts ++ ClientOpts,
>> +
>> +    Options =
>> +        [{port, Port},
>> +         {ssl, true},
>> +         {ssl_opts, SslOpts}],
>>      start_link(https, Options).
>>  start_link(Name, Options) ->
>>      % read config and register for configuration changes
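Review bot: With `verify_ssl_certificates = true` and no `cacert_file` configured, the server now starts with `{verify, verify_peer}` and no trusted CA at all, because `ServerOpts = [Opt || {_, V}=Opt <- ServerOpts0, V /= nil]` silently drops the nil `cacertfile` entry and the old `throw({error, missing_cacerts})` branch is gone. The startup check should be restored at the top of the `"true" ->` branch of the `ClientOpts` case, e.g. `case couch_util:get_value(cacertfile, ServerOpts0) of nil -> throw({error, missing_cacerts}); _ -> ok end,` before the depth/verify list. Independently, and pre-dating this commit, `{verify, verify_peer}` is passed without `{fail_if_no_peer_cert, true}`, so — if I read the ssl defaults right — a client that presents no certificate at all is still accepted; a comment on the `ClientOpts` binding stating whether that is intended would help the next reader. The `== nil` comparisons in the keyfile/certfile check would read better as `=:= nil`, matching the exact-equality convention elsewhere.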
>>
>>
>
