couchdb-user mailing list archives

From Sebastian Rothbucher <sebastianrothbuc...@googlemail.com>
Subject Re: SSL with self-signed certificates
Date Mon, 22 Jun 2015 18:51:06 GMT
Hi,

self-signed certificates are difficult in general as it strongly depends on
the client whether / how one can actually add the public key to the list of
trusted keys. Java improved over the years; Chrome is very picky (which in
my opinion is a good thing - nonetheless, you can proceed if you click away
several warnings).

Anyway, I'm afraid there is no general answer, but the client is the place
to look.

Hope this helps a little

Cheers
    Sebastian


On Mon, Jun 22, 2015 at 8:24 PM, Jason Winshell (Bear River) <
jasonw@bearriver.com> wrote:

> I only did the tests during development, so I was using self-signed
> certificates.
>
> Wish I had more information for you. Our app is behind a load balance
> proxy.
>
> Jason
>
> > On Jun 22, 2015, at 11:00 AM, Foucauld Degeorges <foucdeg@gmail.com> wrote:
> >
> > Well, the whole reason I'm using CouchDB was to *not* have a server...
> > That's a bit disappointing, but I'll consider it. I hope erlang will be
> > fixed though.
> > Is this specific to self-signed certificates, or is SSL broken in general?
> > Thank you for this answer.
> >
> > 2015-06-22 19:55 GMT+02:00 Jason Winshell (Bear River) <jasonw@bearriver.com>:
> >
> >> Hi,
> >>
> >> I went through this problem as well. The last time I looked at this I
> >> learned that the erlang SSL implementation was buggy. Regardless, having a
> >> database provide SSL directly is not the best way to go about things. Use a
> >> front end web server. You get other benefits as well, such as header control
> >> and the possibility of offloading SSL to a hardware load balancer. It's just
> >> not worth pursuing.
> >>
> >>
> >>> On Jun 22, 2015, at 10:52 AM, Foucauld Degeorges <foucdeg@gmail.com> wrote:
> >>>
> >>> Thanks for your help.
> >>> The OS is Windows, but the problem may be similar.
> >>>
> >>> 2015-06-22 19:26 GMT+02:00 Paul Okstad <pokstad@gmail.com>:
> >>>
> >>>> Hi,
> >>>>
> >>>> I had a similar problem and I found the culprit to be the OS version of
> >>>> Ubuntu that I was using. Must be a bad library included with that
> >>>> distribution. Check out the bottom of this wiki page I wrote:
> >>>>
> >>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=48203146
> >>>>
> >>>> On Monday, June 22, 2015, Foucauld Degeorges <foucdeg@gmail.com> wrote:
> >>>>
> >>>>> Hello,
> >>>>>
> >>>>> (This question may have been asked before, I'm sorry if it has, but I
> >>>>> haven't found a search field on the archives page).
> >>>>>
> >>>>> I'm having issues making CouchDB work with HTTPS and a self-signed
> >>>>> certificate.
> >>>>> Depending on the client, the connection is accepted or refused:
> >>>>>
> >>>>>  - accepted by curl -k
> >>>>>  - refused by Chrome: ERR_SSL_PROTOCOL_ERROR
> >>>>>  - Firefox first asks to add a security exception, then rejects the
> >>>>>  connection: sec_error_invalid_key
> >>>>>
> >>>>> You may look at the associated StackOverflow question
> >>>>> <http://stackoverflow.com/questions/30939983/couchdb-over-https-and-self-certified-certificate-browsers-reject-it/30964160>
> >>>>> for extra info.
> >>>>> I have read somewhere that Web browsers have recently become more strict
> >>>>> concerning self-signed certificates. Is there a workaround, or something
> >>>>> I'm missing?
> >>>>>
> >>>>> Thanks
> >>>>> Foucauld Degeorges
> >>>>>
> >>>>
> >>>>
> >>>> --
> >>>> --
> >>>> Paul Okstad
> >>>> http://pokstad.com
> >>>>
> >>
> >>
>
>
