couchdb-dev mailing list archives

From Benoit Chesneau <bchesn...@gmail.com>
Subject Re: git commit: updated refs/heads/2028-feature-intermediate-tls-certs to 4925bf6
Date Sun, 12 Jan 2014 13:01:45 GMT
Some certificate files passed to CouchDB (à la nginx) already bundle the CA chain — the intermediate certificates — after the server certificate, so we should detect that case instead of requiring a separate cacert_file:

I have a fix in rcouch for that:

https://github.com/refuge/couch_core/blob/master/apps/couch_httpd/src/couch_httpd.erl#L73

and:

https://github.com/refuge/couch_core/blob/master/apps/couch_httpd/src/couch_httpd.erl#L97


It will land soon in the rcouch branch, and I will try to extract it for the current branch.

- benoit


On Sun, Jan 12, 2014 at 1:54 PM, <rnewson@apache.org> wrote:

> Updated Branches:
>   refs/heads/2028-feature-intermediate-tls-certs [created] 4925bf6be
>
>
> Allow cacertfile without verifying peers
>
>
> Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
> Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/4925bf6b
> Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/4925bf6b
> Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/4925bf6b
>
> Branch: refs/heads/2028-feature-intermediate-tls-certs
> Commit: 4925bf6bee49cf77aaf83311b8c7d361dc5b2252
> Parents: a749ecb
> Author: Robert Newson <rnewson@apache.org>
> Authored: Sun Jan 12 11:57:41 2014 +0000
> Committer: Robert Newson <rnewson@apache.org>
> Committed: Sun Jan 12 12:47:19 2014 +0000
>
> ----------------------------------------------------------------------
>  src/couchdb/couch_httpd.erl | 81 ++++++++++++++++------------------------
>  1 file changed, 33 insertions(+), 48 deletions(-)
> ----------------------------------------------------------------------
>
>
>
> http://git-wip-us.apache.org/repos/asf/couchdb/blob/4925bf6b/src/couchdb/couch_httpd.erl
> ----------------------------------------------------------------------
> diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl
> index 465bc7a..1372dec 100644
> --- a/src/couchdb/couch_httpd.erl
> +++ b/src/couchdb/couch_httpd.erl
> @@ -39,57 +39,42 @@ start_link(http) ->
>      start_link(?MODULE, [{port, Port}]);
>  start_link(https) ->
>      Port = couch_config:get("ssl", "port", "6984"),
> -    CertFile = couch_config:get("ssl", "cert_file", nil),
> -    KeyFile = couch_config:get("ssl", "key_file", nil),
> -    Options = case CertFile /= nil andalso KeyFile /= nil of
> +    ServerOpts0 =
> +        [{cacertfile, couch_config:get("ssl", "cacert_file", nil)},
> +         {keyfile, couch_config:get("ssl", "key_file", nil)},
> +         {certfile, couch_config:get("ssl", "cert_file", nil)},
> +         {password, couch_config:get("ssl", "password", nil)}],
> +
> +    case (couch_util:get_value(keyfile, ServerOpts0) == nil orelse
> +        couch_util:get_value(certfile, ServerOpts0) == nil) of
>          true ->
> -            SslOpts = [{certfile, CertFile}, {keyfile, KeyFile}],
> -
> -            %% set password if one is needed for the cert
> -            SslOpts1 = case couch_config:get("ssl", "password", nil) of
> -                nil -> SslOpts;
> -                Password ->
> -                    SslOpts ++ [{password, Password}]
> -            end,
> -            % do we verify certificates ?
> -            FinalSslOpts = case couch_config:get("ssl",
> -                    "verify_ssl_certificates", "false") of
> -                "false" -> SslOpts1;
> -                "true" ->
> -                    case couch_config:get("ssl",
> -                            "cacert_file", nil) of
> -                        nil ->
> -                            io:format("Verify SSL certificate "
> -                                ++"enabled but file containing "
> -                                ++"PEM encoded CA certificates is "
> -                                ++"missing", []),
> -                            throw({error, missing_cacerts});
> -                        CaCertFile ->
> -                            Depth =
> list_to_integer(couch_config:get("ssl",
> -                                    "ssl_certificate_max_depth",
> -                                    "1")),
> -                            FinalOpts = [
> -                                {cacertfile, CaCertFile},
> -                                {depth, Depth},
> -                                {verify, verify_peer}],
> -                            % allows custom verify fun.
> -                            case couch_config:get("ssl",
> -                                    "verify_fun", nil) of
> -                                nil -> FinalOpts;
> -                                SpecStr ->
> -                                    FinalOpts
> -                                    ++ [{verify_fun,
> make_arity_3_fun(SpecStr)}]
> -                            end
> -                    end
> -            end,
> -
> -            [{port, Port},
> -                {ssl, true},
> -                {ssl_opts, FinalSslOpts}];
> -        false ->
>              io:format("SSL enabled but PEM certificates are missing.",
> []),
> -            throw({error, missing_certs})
> +            throw({error, missing_certs});
> +        false ->
> +            ok
>      end,
> +
> +    ServerOpts = [Opt || {_, V}=Opt <- ServerOpts0, V /= nil],
> +
> +    ClientOpts = case couch_config:get("ssl", "verify_ssl_certificates",
> "false") of
> +        "false" ->
> +            [];
> +        "true" ->
> +            [{depth, list_to_integer(couch_config:get("ssl",
> +                "ssl_certificate_max_depth", "1"))},
> +             {verify, verify_peer}] ++
> +            case couch_config:get("ssl", "verify_fun", nil) of
> +                nil -> [];
> +                SpecStr ->
> +                    [{verify_fun, make_arity_3_fun(SpecStr)}]
> +            end
> +    end,
> +    SslOpts = ServerOpts ++ ClientOpts,
> +
> +    Options =
> +        [{port, Port},
> +         {ssl, true},
> +         {ssl_opts, SslOpts}],
>      start_link(https, Options).
>  start_link(Name, Options) ->
>      % read config and register for configuration changes
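Review bot: The rewrite drops the guard that the removed code had in its `"true"` branch: with `verify_ssl_certificates = true` and no `cacert_file`, the old code threw `{error, missing_cacerts}`, whereas the new `ClientOpts` branch adds `{verify, verify_peer}` and starts the listener regardless, since `cacertfile` is filtered out of `ServerOpts` when it is `nil`. That turns a loud misconfiguration into a server that has no trust anchors for peer verification, and the failure only shows up per connection. I would restore the check at the top of the `"true"` branch, e.g. `nil == couch_util:get_value(cacertfile, ServerOpts0) andalso throw({error, missing_cacerts}),` so the error surfaces at startup as before. Separately, and pre-existing, `verify_peer` alone does not force a client to present a certificate in the Erlang ssl server; if the intent of `verify_ssl_certificates` is to require client certificates, `{fail_if_no_peer_cert, true}` presumably belongs alongside it — worth confirming against the documented semantics of that option. The following `start_link(Name, Options)` clause continues outside the hunk.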
>
>
