From: Benoit Chesneau Date: Sun, 12 Jan 2014 14:01:45 +0100 Message-ID: Subject: Re: git commit: updated refs/heads/2028-feature-intermediate-tls-certs to 4925bf6 To: "dev@couchdb.apache.org" Cc: commits@couchdb.apache.org Content-Type: multipart/alternative; boundary=047d7bdc9c90e8d56504efc5906f X-Virus-Checked: Checked by ClamAV on apache.org --047d7bdc9c90e8d56504efc5906f Content-Type: text/plain; charset=ISO-8859-1 Some certs passed to couchdb (ala nginx) already contain the cafile, we should detect it instead: I have a fix in rcouch for that: https://github.com/refuge/couch_core/blob/master/apps/couch_core/blob/master/apps/couch_httpd/src/couch_httpd.erl#L73 and: https://github.com/refuge/couch_core/blob/master/apps/couch_httpd/src/couch_httpd.erl#L97 It will land soon in the rcouch branch and will try to extract it for current. - benoit On Sun, Jan 12, 2014 at 1:54 PM, wrote: > Updated Branches: > refs/heads/2028-feature-intermediate-tls-certs [created] 4925bf6be > > > Allow cacertfile without verifying peers > > > Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo > Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/4925bf6b > Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/4925bf6b > Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/4925bf6b > > Branch: refs/heads/2028-feature-intermediate-tls-certs > Commit: 4925bf6bee49cf77aaf83311b8c7d361dc5b2252 > Parents: a749ecb > Author: Robert Newson > Authored: Sun Jan 12 11:57:41 2014 +0000 > Committer: Robert Newson > Committed: Sun Jan 12 12:47:19 2014 +0000 > > ---------------------------------------------------------------------- > src/couchdb/couch_httpd.erl | 81 ++++++++++++++++------------------------ > 1 file changed, 33 insertions(+), 48 deletions(-) > ---------------------------------------------------------------------- > > > > http://git-wip-us.apache.org/repos/asf/couchdb/blob/4925bf6b/src/couchdb/couch_httpd.erl > 
----------------------------------------------------------------------
> diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl
> index 465bc7a..1372dec 100644
> --- a/src/couchdb/couch_httpd.erl
> +++ b/src/couchdb/couch_httpd.erl
> @@ -39,57 +39,42 @@ start_link(http) ->
> start_link(?MODULE, [{port, Port}]);
> start_link(https) ->
> Port = couch_config:get("ssl", "port", "6984"),
> - CertFile = couch_config:get("ssl", "cert_file", nil),
> - KeyFile = couch_config:get("ssl", "key_file", nil),
> - Options = case CertFile /= nil andalso KeyFile /= nil of
> + ServerOpts0 =
> + [{cacertfile, couch_config:get("ssl", "cacert_file", nil)},
> + {keyfile, couch_config:get("ssl", "key_file", nil)},
> + {certfile, couch_config:get("ssl", "cert_file", nil)},
> + {password, couch_config:get("ssl", "password", nil)}],
> +
> + case (couch_util:get_value(keyfile, ServerOpts0) == nil orelse
> + couch_util:get_value(certfile, ServerOpts0) == nil) of
> true ->
> - SslOpts = [{certfile, CertFile}, {keyfile, KeyFile}],
> -
> - %% set password if one is needed for the cert
> - SslOpts1 = case couch_config:get("ssl", "password", nil) of
> - nil -> SslOpts;
> - Password ->
> - SslOpts ++ [{password, Password}]
> - end,
> - % do we verify certificates ?
> - FinalSslOpts = case couch_config:get("ssl",
> - "verify_ssl_certificates", "false") of
> - "false" -> SslOpts1;
> - "true" ->
> - case couch_config:get("ssl",
> - "cacert_file", nil) of
> - nil ->
> - io:format("Verify SSL certificate "
> - ++"enabled but file containing "
> - ++"PEM encoded CA certificates is "
> - ++"missing", []),
> - throw({error, missing_cacerts});
> - CaCertFile ->
> - Depth = > list_to_integer(couch_config:get("ssl",
> - "ssl_certificate_max_depth",
> - "1")),
> - FinalOpts = [
> - {cacertfile, CaCertFile},
> - {depth, Depth},
> - {verify, verify_peer}],
> - % allows custom verify fun.
> - case couch_config:get("ssl",
> - "verify_fun", nil) of
> - nil -> FinalOpts;
> - SpecStr ->
> - FinalOpts > ++ [{verify_fun, > make_arity_3_fun(SpecStr)}]
> - end
> - end
> - end,
> -
> - [{port, Port},
> - {ssl, true},
> - {ssl_opts, FinalSslOpts}];
> - false ->
> io:format("SSL enabled but PEM certificates are missing.", > []),
> - throw({error, missing_certs})
> + throw({error, missing_certs});
> + false ->
> + ok
> end,
> +
> + ServerOpts = [Opt || {_, V}=Opt <- ServerOpts0, V /= nil],
> +
> + ClientOpts = case couch_config:get("ssl", "verify_ssl_certificates", > "false") of
> + "false" ->
> + [];
> + "true" ->
> + [{depth, list_to_integer(couch_config:get("ssl",
> + "ssl_certificate_max_depth", "1"))},
> + {verify, verify_peer}] ++
> + case couch_config:get("ssl", "verify_fun", nil) of
> + nil -> [];
> + SpecStr ->
> + [{verify_fun, make_arity_3_fun(SpecStr)}]
> + end
> + end,
> + SslOpts = ServerOpts ++ ClientOpts,
> +
> + Options =
> + [{port, Port},
> + {ssl, true},
> + {ssl_opts, SslOpts}],
> start_link(https, Options).
> start_link(Name, Options) ->
> % read config and register for configuration changes
>
>
--047d7bdc9c90e8d56504efc5906f--
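Review bot: The old `missing_cacerts` guard has been dropped: when `verify_ssl_certificates` is "true" but `cacert_file` is unset, the removed branch threw `{error, missing_cacerts}`, whereas the new `ClientOpts` adds `{verify, verify_peer}` unconditionally and the `ServerOpts` comprehension silently filters out the `nil` cacertfile, so the listener starts with peer verification requested but no trust anchors configured. Whether Erlang's ssl then rejects every client certificate or consults some default store is not visible here, but either way a misconfiguration that previously failed loudly at startup now passes without a message. Re-adding the check at the top of the `"true"` branch restores the previous behaviour without affecting the new "cacertfile without verify" case the commit is about. The `start_link(Name, Options)` clause at the end of the hunk continues past it.
```erlang
        "true" ->
            %% verify_peer is meaningless without a CA bundle: keep the old
            %% hard failure instead of silently dropping the nil cacertfile
            case couch_util:get_value(cacertfile, ServerOpts0) of
                nil ->
                    io:format("Verify SSL certificate enabled but file "
                        "containing PEM encoded CA certificates is missing", []),
                    throw({error, missing_cacerts});
                _ ->
                    ok
            end,
            %% … unchanged: depth / verify_peer / verify_fun options …
```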