couchdb-user mailing list archives

From Dave Cottlehuber <...@skunkwerks.at>
Subject Re: CouchDB 2.0 crashing with SSL
Date Sat, 18 Mar 2017 11:01:08 GMT
On Wed, 15 Mar 2017, at 13:06, Frédéric Audon wrote:
> with
> 
> ciphers = undefined
> tls_versions = undefined
> secure_renegotiate = undefined
> 
> no crash but curl -k https://127.0.0.1:6984/
> 
> curl: (35) Unknown SSL protocol error in connection to 127.0.0.1:6984

Salut Frédéric

Can you please retry with:

curl -vsk https://127.0.0.1:6984/

and post the output?

Also, your acceptable cipher list is very short, can you try this with a
larger list to see if you get the same failure?

If you can build from source, try using the very latest 19.3 erlang
release and a recent OpenSSL and see if that changes -- SSL support is
continually improving in OTP itself.

I generally test SSL in erlang using these (very old) certs:
https://github.com/mochi/mochiweb/tree/master/examples/https as I know
they work, and then swap in my own certs along the way.

In any case the issue is simple: either our mochiweb fork, or the
underlying OTP release + OpenSSL doesn't have sufficient cipher support
for the client you are using. The fix is equally simple - use an SSL
terminator in front, haproxy, nginx for example, and hand plain HTTP to
CouchDB. While it is *possible* to have Couch working reasonably well
without this, you will find as we have, that over time, the SSL support
in OTP can be a long way behind what browsers and API clients expect,
that there can be a significant performance & memory usage gap, and we
have better things to do than fiddling it time & time again or tracking
down exactly what a specific problematic browser needs.

Patching our mochiweb fork is non-trivial, we have some necessary
changes that IIRC since 2.4.0 are not straightforward to port.

> >> > mochiweb_socket:add_unbroken_ciphers_default/1(line:34) <=

^ this is where things start to go wrong...

> > I use CouchDB 1.6 with SSL. It works very well.

Curious to know if 1.6 uses the same version of OTP & OpenSSL or not.

A+
Dave
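As an added illustration of the "SSL terminator in front, plain HTTP to CouchDB" setup Dave recommends above (this is example configuration written for this archive page, not anything from the thread or from the CouchDB project), here is a minimal nginx server block that terminates TLS on 6984 and proxies to CouchDB listening on plain HTTP at 127.0.0.1:5984. The hostname, certificate paths, and the choice of nginx (haproxy would do equally well) are assumptions; TLSv1.3 in `ssl_protocols` assumes nginx 1.13+ built against OpenSSL 1.1.1 or later, so drop it on older builds.

```nginx
# Added example, not part of the original thread or CouchDB's own config.
# Assumes: CouchDB serves plain HTTP on 127.0.0.1:5984 (its default port),
# and the certificate/key paths below are placeholders for your own files.
server {
    listen 6984 ssl;
    server_name couch.example.internal;   # placeholder hostname

    ssl_certificate     /etc/ssl/couchdb/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/couchdb/privkey.pem;     # placeholder path

    # nginx/OpenSSL, not OTP's ssl application, now negotiates protocol
    # and cipher suite with browsers and API clients.
    ssl_protocols TLSv1.2 TLSv1.3;        # TLSv1.3 needs OpenSSL >= 1.1.1
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:couchdb_tls:10m;
    ssl_session_timeout 1h;

    location / {
        proxy_pass http://127.0.0.1:5984;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # CouchDB's continuous _changes feeds stream indefinitely; do not
        # buffer them and do not cut them off after nginx's default 60s.
        proxy_buffering off;
        proxy_read_timeout 3600s;
    }
}
```

With this in place, CouchDB's own `[ssl]` section (the `ciphers`, `tls_versions` and `secure_renegotiate` keys from the quoted message) is no longer involved in client connections, so the mochiweb_socket crash path is never reached. To keep the plain-HTTP listener from being reachable without TLS, bind CouchDB's `[chttpd]` `bind_address` to `127.0.0.1` so only the local proxy can talk to it, and re-run `curl -vsk https://127.0.0.1:6984/` to confirm the handshake now completes against nginx.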
