couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Klaus Trainer (JIRA)" <>
Subject [jira] [Created] (COUCHDB-2100) Implement TLS-SRP (RFC 5054)
Date Mon, 24 Feb 2014 15:41:20 GMT
Klaus Trainer created COUCHDB-2100:

             Summary: Implement TLS-SRP (RFC 5054)
                 Key: COUCHDB-2100
             Project: CouchDB
          Issue Type: New Feature
      Security Level: public (Regular issues)
          Components: HTTP Interface
            Reporter: Klaus Trainer

TLS-SRP, which provides a password-based mutual (i.e., for both client
and server) authentication for TLS, is supported in Erlang/OTP since

As implementing support for TLS-SRP in CouchDB would mean to just add
new functionality, it can likely be implemented without making CouchDB
incompatible with older Erlang/OTP releases at the same time.  With
regard to the ssl application API, adding TLS-SRP-support would
concretely mean to add additional options (i.e., `srp_identity` and
`user_lookup_fun`) when calling `listen` or rather `connect` in the case
that TLS-SRP is supported in that particular version of the ssl


* Users can use TLS without having to deal with certificate authorities.
* Password authentication is less prone than certificate authentication
  to certain types of configuration mistakes, such as expired
  certificates or mismatched common name fields.
* TLS-SRP is forward-secure.


* While there are several TLS-SRP implementations out there (e.g., in
  GnuTLS, OpenSSL, Apache mod_gnutls, cURL, TLS Lite, and
  SecureBlackbox), it is still not implemented in browsers.
* If an attacker learns a user's SRP verifier (e.g., by gaining access
  to a user document), the attacker can masquerade as the real server to
  that user (c.f. section 3.3 in RFC 5054).

This message was sent by Atlassian JIRA

View raw message