Return-Path: X-Original-To: apmail-couchdb-dev-archive@www.apache.org Delivered-To: apmail-couchdb-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id A34BF10F36 for ; Sun, 12 Jan 2014 13:07:19 +0000 (UTC) Received: (qmail 97433 invoked by uid 500); 12 Jan 2014 13:07:10 -0000 Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org Received: (qmail 97403 invoked by uid 500); 12 Jan 2014 13:07:09 -0000 Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@couchdb.apache.org Delivered-To: mailing list dev@couchdb.apache.org Received: (qmail 97385 invoked by uid 99); 12 Jan 2014 13:07:06 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 12 Jan 2014 13:07:06 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of bchesneau@gmail.com designates 209.85.128.47 as permitted sender) Received: from [209.85.128.47] (HELO mail-qe0-f47.google.com) (209.85.128.47) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 12 Jan 2014 13:07:02 +0000 Received: by mail-qe0-f47.google.com with SMTP id 5so6139310qeb.34 for ; Sun, 12 Jan 2014 05:06:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=cMQhIpnTIhDCSbGz/2oxdf4foSZ/7vCMdAH+rdoO2dQ=; b=ICzxsYVFjyZ3cvu7WPHWVo7yIVPKq+xdO6XRwxII7vK1x/m0yQDnXhRfPl9aZx11xX VKhqqmylYhzTPnkvAfYDxNj69fWF+bNiOyNn0YCqCAIiRNhdK6wBltWkIMpFzqJWZc1/ z+x4iam9qiMdav0W49cWo5ulAsbT5zu85u7Bij79CixMe1qLWp6rgF57gtO0+wyBb++N 5A8a6Zl2NI3cmOcHEdqEqeflU18J6foiXmsL0sqBW6pqUEF1UstJtH2jQX6ptUvnDls2 paFLbiuhV9ujTho2/D3w7eW6+BSNSUpEEGZSjOx23QOcfdywlb3B8HYu/0f7CS4tCPM/ pDMQ== 
X-Received: by 10.224.97.7 with SMTP id j7mr29074085qan.81.1389532001326; Sun, 12 Jan 2014 05:06:41 -0800 (PST) MIME-Version: 1.0 Received: by 10.96.58.195 with HTTP; Sun, 12 Jan 2014 05:06:21 -0800 (PST) In-Reply-To: References: <70c695285f7c4125b1f937553572d402@git.apache.org> 
From: Benoit Chesneau Date: Sun, 12 Jan 2014 14:06:21 +0100 Message-ID: Subject: Re: git commit: updated refs/heads/2028-feature-intermediate-tls-certs to 4925bf6 To: "dev@couchdb.apache.org" Cc: commits@couchdb.apache.org Content-Type: multipart/alternative; boundary=001a11c3ec7e57dc3c04efc5a1bc X-Virus-Checked: Checked by ClamAV on apache.org --001a11c3ec7e57dc3c04efc5a1bc Content-Type: text/plain; charset=ISO-8859-1 first link should be https://github.com/refuge/couch_core/blob/master/apps/couch_httpd/src/couch_httpd.erl#L73 On Sun, Jan 12, 2014 at 2:01 PM, Benoit Chesneau wrote: > Some certs passed to couchdb (à la nginx) already contain the cafile; we > should detect it instead: > > I have a fix in rcouch for that: > > > https://github.com/refuge/couch_core/blob/master/apps/couch_core/blob/master/apps/couch_httpd/src/couch_httpd.erl#L73 > > and: > > > https://github.com/refuge/couch_core/blob/master/apps/couch_httpd/src/couch_httpd.erl#L97 > > > It will land soon in the rcouch branch and I will try to extract it for > current.
> > - benoit > > > On Sun, Jan 12, 2014 at 1:54 PM, wrote: > >> Updated Branches: >> refs/heads/2028-feature-intermediate-tls-certs [created] 4925bf6be >> >> >> Allow cacertfile without verifying peers >> >> >> Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo >> Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/4925bf6b >> Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/4925bf6b >> Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/4925bf6b >> >> Branch: refs/heads/2028-feature-intermediate-tls-certs >> Commit: 4925bf6bee49cf77aaf83311b8c7d361dc5b2252 >> Parents: a749ecb >> Author: Robert Newson >> Authored: Sun Jan 12 11:57:41 2014 +0000 >> Committer: Robert Newson >> Committed: Sun Jan 12 12:47:19 2014 +0000 >> >> ---------------------------------------------------------------------- >> src/couchdb/couch_httpd.erl | 81 ++++++++++++++++------------------------ >> 1 file changed, 33 insertions(+), 48 deletions(-) >> ---------------------------------------------------------------------- >> >> >> >> http://git-wip-us.apache.org/repos/asf/couchdb/blob/4925bf6b/src/couchdb/couch_httpd.erl >> ---------------------------------------------------------------------- >> diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl >> index 465bc7a..1372dec 100644 >> --- a/src/couchdb/couch_httpd.erl >> +++ b/src/couchdb/couch_httpd.erl 
>> @@ -39,57 +39,42 @@ start_link(http) ->
>> start_link(?MODULE, [{port, Port}]);
>> start_link(https) ->
>> Port = couch_config:get("ssl", "port", "6984"),
>> - CertFile = couch_config:get("ssl", "cert_file", nil),
>> - KeyFile = couch_config:get("ssl", "key_file", nil),
>> - Options = case CertFile /= nil andalso KeyFile /= nil of
>> + ServerOpts0 =
>> + [{cacertfile, couch_config:get("ssl", "cacert_file", nil)},
>> + {keyfile, couch_config:get("ssl", "key_file", nil)},
>> + {certfile, couch_config:get("ssl", "cert_file", nil)},
>> + {password, couch_config:get("ssl", "password", nil)}],
>> +
>> + case (couch_util:get_value(keyfile, ServerOpts0) == nil orelse
>> + couch_util:get_value(certfile, ServerOpts0) == nil) of
>> true ->
>> - SslOpts = [{certfile, CertFile}, {keyfile, KeyFile}],
>> -
>> - %% set password if one is needed for the cert
>> - SslOpts1 = case couch_config:get("ssl", "password", nil) of
>> - nil -> SslOpts;
>> - Password ->
>> - SslOpts ++ [{password, Password}]
>> - end,
>> - % do we verify certificates ?
>> - FinalSslOpts = case couch_config:get("ssl",
>> - "verify_ssl_certificates", "false") of
>> - "false" -> SslOpts1;
>> - "true" ->
>> - case couch_config:get("ssl",
>> - "cacert_file", nil) of
>> - nil ->
>> - io:format("Verify SSL certificate "
>> - ++"enabled but file containing "
>> - ++"PEM encoded CA certificates is "
>> - ++"missing", []),
>> - throw({error, missing_cacerts});
>> - CaCertFile ->
>> - Depth =
>> list_to_integer(couch_config:get("ssl",
>> - "ssl_certificate_max_depth",
>> - "1")),
>> - FinalOpts = [
>> - {cacertfile, CaCertFile},
>> - {depth, Depth},
>> - {verify, verify_peer}],
>> - % allows custom verify fun.
>> - case couch_config:get("ssl",
>> - "verify_fun", nil) of
>> - nil -> FinalOpts;
>> - SpecStr ->
>> - FinalOpts
>> - ++ [{verify_fun,
>> make_arity_3_fun(SpecStr)}]
>> - end
>> - end
>> - end,
>> -
>> - [{port, Port},
>> - {ssl, true},
>> - {ssl_opts, FinalSslOpts}];
>> - false ->
>> io:format("SSL enabled but PEM certificates are missing.",
>> []),
>> - throw({error, missing_certs})
>> + throw({error, missing_certs});
>> + false ->
>> + ok
>> end,
>> +
>> + ServerOpts = [Opt || {_, V}=Opt <- ServerOpts0, V /= nil],
>> +
>> + ClientOpts = case couch_config:get("ssl", "verify_ssl_certificates",
>> "false") of
>> + "false" ->
>> + [];
>> + "true" ->
>> + [{depth, list_to_integer(couch_config:get("ssl",
>> + "ssl_certificate_max_depth", "1"))},
>> + {verify, verify_peer}] ++
>> + case couch_config:get("ssl", "verify_fun", nil) of
>> + nil -> [];
>> + SpecStr ->
>> + [{verify_fun, make_arity_3_fun(SpecStr)}]
>> + end
>> + end,
>> + SslOpts = ServerOpts ++ ClientOpts,
>> +
>> + Options =
>> + [{port, Port},
>> + {ssl, true},
>> + {ssl_opts, SslOpts}],
>> start_link(https, Options).
>> start_link(Name, Options) ->
>> % read config and register for configuration changes
>>
>>
> --001a11c3ec7e57dc3c04efc5a1bc--
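Review bot: With `verify_ssl_certificates` set to "true" but no `cacert_file` configured, the new `ClientOpts` branch still adds `{verify, verify_peer}` while the nil `cacertfile` entry is silently dropped from `ServerOpts` by the list comprehension, so the removed `throw({error, missing_cacerts})` path (and its io:format explanation) no longer fires and a misconfigured server starts with peer verification requested but no CA file supplied. What Erlang's ssl then does with that option set is not visible here, but the old code refused the configuration at startup and the new code accepts it without a word. I would restore the check at the top of the `"true"` branch, before the depth/verify list is built: `case couch_util:get_value(cacertfile, ServerOpts) of nil -> throw({error, missing_cacerts}); _ -> ok end,`. That keeps the commit's intent (a cacertfile may be given without verifying peers) while still rejecting verify-without-CA. The `start_link(http)` clause begins before the hunk and `start_link/2` continues past its end; the `start_link(https)` clause itself is fully inside.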