couchdb-user mailing list archives

From Alexander Shorin <kxe...@gmail.com>
Subject Re: TLS client certificates internal error
Date Tue, 08 Dec 2015 02:35:30 GMT
Hi,

To make the stack full, what is your Erlang version? Was the error line
you posted here the only one in the CouchDB logs?

A few other thoughts:
isn't this the Ubuntu openssl bug?
http://serverfault.com/questions/389197/ssl-routinesssl23-writessl-handshake-failure

--
,,,^..^,,,


On Tue, Dec 8, 2015 at 4:58 AM, Michael Power
<Michael.Power@elotouch.com> wrote:
> Hello,
>
> I am trying to get couchdb to work with client certificates.  I can’t seem to get it to work.  I am getting an internal error from couchdb.
>
> Here is how I am currently trying to connect:
>
> openssl s_client -connect localhost:6984 -cert ~mpower/couchdb.cert.pem -key ~mpower/private/couchdb.key.pem -CAfile /etc/my-ca/couchdb/certs/ca-chain.cert.pem
>
>
> This is what I get in response:
>
> CONNECTED(00000003)
> 139699789244064:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1262:SSL alert number 80
> 139699789244064:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
> …
>
> I can see this in the couchdb log:
>
> [Tue, 08 Dec 2015 01:37:51 GMT] [error] [<0.834.0>] SSL: hello: ssl_handshake.erl:154:Fatal error: internal error
>
>
> I know my files work because I can run my own ssl server on the same port:
>
> openssl s_server -accept 6984 -key /etc/couchdb/private/couchdb.key.pem -cert /etc/couchdb/couchdb.cert.pem -CAfile /etc/my-ca/couchdb/certs/ca-chain.cert.pem -verify 2
>
>
>
> For couchdb if I disable client certificates in the configuration everything works:
>
> verify_ssl_certificates = false
>
> openssl s_client -connect localhost:6984 -cert ~mpower/couchdb.cert.pem -key ~mpower/private/couchdb.key.pem -CAfile /etc/my-ca/couchdb/certs/ca-chain.cert.pem
> …
> hello
> HTTP/1.1 400 Bad Request
> Server: MochiWeb/1.0 (Any of you quaids got a smint?)
> Date: Tue, 08 Dec 2015 01:50:33 GMT
> Content-Length: 0
>
> closed
>
>
> Here is what my ssl configuration looks like:
>
> [daemons]
> httpsd = {couch_httpd, start_link, [https]}
>
> [ssl]
> verify_ssl_certificates = true
> ssl_certificate_max_depth = 2
> cert_file = /etc/couchdb/couchdb.cert.pem
> key_file = /etc/couchdb/private/couchdb.key.pem
> cacert_file = /etc/my-ca/couchdb/certs/ca-chain.cert.pem
>
>
> Some other information:
>
> /etc/couchdb/local.d$ couchdb -V
> couchdb - Apache CouchDB 1.5.0
>
> /etc/couchdb/local.d$ lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description: Ubuntu 14.04.1 LTS
> Release: 14.04
> Codename: trusty
>
>
> /etc/couchdb/local.d$ dpkg -s couchdb
> Package: couchdb
> Status: install ok installed
> Priority: optional
> Section: misc
> Installed-Size: 95
> Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
> Architecture: all
> Version: 1.5.0-0ubuntu1
> Replaces: couchdb-bin (<= 1.0.1-0ubuntu18)
> Depends: couchdb-bin (>= 1.5.0-0ubuntu1), adduser, upstart
> Conffiles:
>  /etc/init/couchdb.conf 54253885fde3bea9c06459cb2895a458
>  /etc/couchdb/local.ini bffa95158f7a754b3af2885b7af50d1d
>  /etc/logrotate.d/couchdb 5502805e702b3b3db79c47adbd9ea511
> Description: RESTful document oriented database - system-wide instance
>  Apache CouchDB is a distributed, fault-tolerant and schema-free
>  document-oriented database accessible via a RESTful HTTP/JSON API. Among other
>  features, it provides robust, incremental replication with bi-directional
>  conflict detection and resolution, and is queryable and indexable using a
>  table-oriented view engine with JavaScript acting as the default view
>  definition language.
>  .
>  CouchDB is written in Erlang, but can be easily accessed from any environment
>  that provides means to make HTTP requests. There are a multitude of third-party
>  client libraries that make this even easier for a variety of programming
>  languages and environments.
>  .
>  This package adds the Upstart job and other items needed for a system-wide
>  CouchDB instance that is started at boot.
> Homepage: http://couchdb.apache.org/
> Original-Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
>
>
> What do I need to do to enable client certificates?
>
>
> Michael Power
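The quoted message states "I know my files work" on the strength of a working openssl s_server on the same files. Before blaming the Erlang TLS stack for a fatal internal error it is worth checking the three files the [ssl] section names with the same tool CouchDB will read them with. The script below is an added example, not code from this thread or from CouchDB: it confirms that key_file belongs to cert_file, that cert_file verifies against cacert_file, and that ssl_certificate_max_depth is not smaller than the number of intermediates in the bundle. The depth rule assumes cacert_file is laid out as one chain (issuing intermediates plus the root) and follows the Erlang ssl depth option, which counts intermediates between the peer certificate and the root and which CouchDB's ssl_certificate_max_depth setting maps onto. The function name check_ssl_files and its argument order are this example's own; it only needs the openssl CLI on PATH.

```shell
#!/bin/sh
# Added example (not from the thread or from CouchDB): pre-flight checks on the
# files named by CouchDB's [ssl] section. Requires the openssl CLI on PATH.
#
# Usage: sh check_ssl_files.sh CERT_FILE KEY_FILE CACERT_FILE MAX_DEPTH

# pubkey_of FILE KIND : print the PEM public key held in a cert or private key.
pubkey_of() {
  case "$2" in
    cert) openssl x509 -noout -pubkey -in "$1" ;;
    key)  openssl pkey -in "$1" -pubout ;;
  esac
}

# count_certs FILE : number of PEM certificates in the file (0 is not an error).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# check_ssl_files CERT KEY CACERT MAX_DEPTH
# Exit 0 when every check passes, 1 when one fails, 2 when a file is unreadable.
# Prints one line per finding so the output can be pasted into a bug report.
check_ssl_files() {
  cert=$1; key=$2; ca=$3; max_depth=${4:-1}
  rc=0

  for f in "$cert" "$key" "$ca"; do
    if [ ! -r "$f" ]; then
      echo "MISSING: $f is not readable (CouchDB reads it as its own user; check ownership)"
      return 2
    fi
  done

  # 1. Key/cert pair: the public key derived from key_file must equal the one
  #    embedded in cert_file, otherwise the handshake fails before any client
  #    certificate is ever examined.
  if [ -n "$(pubkey_of "$cert" cert)" ] &&
     [ "$(pubkey_of "$cert" cert)" = "$(pubkey_of "$key" key)" ]; then
    echo "OK: key_file matches cert_file"
  else
    echo "FAIL: key_file does not belong to cert_file"
    rc=1
  fi

  # 2. Chain: cert_file must build a valid path using only cacert_file, since
  #    that bundle is the server's sole trust anchor for peers as well.
  if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "OK: cert_file verifies against cacert_file"
  else
    echo "FAIL: cert_file does not verify against cacert_file:"
    openssl verify -CAfile "$ca" "$cert" 2>&1 | sed 's/^/    /'
    rc=1
  fi

  # 3. Depth: assumption - cacert_file is one chain of intermediates plus its
  #    root, so a peer cert issued by the last intermediate needs
  #    (number of certs - 1) intermediates allowed, i.e. max_depth >= n - 1.
  n=$(count_certs "$ca")
  needed=$((n - 1))
  if [ "$max_depth" -lt "$needed" ]; then
    echo "WARN: cacert_file holds $n certificates; a peer cert signed by the last intermediate needs ssl_certificate_max_depth >= $needed, found $max_depth"
    rc=1
  else
    echo "OK: ssl_certificate_max_depth=$max_depth covers a $n-certificate bundle"
  fi
  return $rc
}

# Run only when invoked with the four paths; sourcing the file defines the
# functions without running anything.
if [ "$#" -eq 4 ]; then
  check_ssl_files "$@"
fi
```

A clean run of these checks does not prove the Erlang side will accept the peer, it only rules out the file-level causes (wrong key, incomplete bundle, depth too small) that produce the same opaque handshake failure; if all three pass, the Erlang version and the full CouchDB log are the next things to look at, as the reply above asks.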
