couchdb-user mailing list archives

From Dave Cottlehuber <>
Subject Re: CouchDB 2.0 crashing with SSL
Date Sat, 18 Mar 2017 11:01:08 GMT
On Wed, 15 Mar 2017, at 13:06, Frédéric Audon wrote:
> with
> ciphers = undefined
> tls_versions = undefined
> secure_renegotiate = undefined
> no crash but curl -k
> curl: (35) Unknown SSL protocol error in connection to

Salut Frédéric

Can you please retry with:

curl -vsk

and post the output?

Also, your acceptable cipher list is very short, can you try this with a
larger list to see if you get the same failure?

If you can build from source, try using the very latest 19.3 erlang
release and a recent OpenSSL and see if that changes -- SSL support is
continually improving in OTP itself.

I generally test SSL in erlang using these (very old) certs: as I know
they work, and then swap in my own certs along the way.

In any case the issue is simple: either our mochiweb fork, or the
underlying OTP release + OpenSSL doesn't have sufficient cipher support
for the client you are using. The fix is equally simple - use an SSL
terminator in front, haproxy, nginx for example, and hand plain HTTP to
CouchDB. While it is *possible* to have Couch working reasonably well
without this, you will find as we have, that over time, the SSL support
in OTP can be a long way behind what browsers and API clients expect,
that there can be a significant performance & memory usage gap, and we
have better things to do than fiddling it time & time again or tracking
down exactly what a specific problematic browser needs.

Patching our mochiweb fork is non-trivial; we have some necessary
changes that, IIRC, since 2.4.0 are not straightforward to port.

> >> > mochiweb_socket:add_unbroken_ciphers_default/1(line:34) <=

^ this is where things start to go wrong...

> > I use CouchDB 1.6 with SSL. It works very well.

Curious to know if 1.6 uses the same version of OTP & OpenSSL or not.
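The TLS-terminator setup Dave recommends above, written out as an added example (not from this thread or the CouchDB project): nginx terminates TLS with a cipher list current browsers and API clients accept, and proxies plain HTTP to CouchDB. It assumes CouchDB 2.0 is bound to 127.0.0.1:5984 (`[chttpd] bind_address = 127.0.0.1` in local.ini, so the unencrypted listener is never reachable from outside the host) and that the certificate and key live at the placeholder paths shown.

```nginx
# Redirect plain HTTP to HTTPS so clients never talk to CouchDB in the clear.
server {
    listen 80;
    server_name couch.example.org;          # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name couch.example.org;          # placeholder hostname

    # Placeholder paths; replace with the real certificate chain and key.
    ssl_certificate     /etc/ssl/couch/fullchain.pem;
    ssl_certificate_key /etc/ssl/couch/privkey.pem;

    # Only modern protocol versions; older ones are where the OTP/OpenSSL
    # mismatches in the thread tend to surface, and they are weak anyway.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Forward-secret AEAD suites only (OpenSSL names for the TLS 1.2 suites;
    # TLS 1.3 suites are negotiated automatically).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # CouchDB attachments can be large; raise the default 1m request limit.
    client_max_body_size 64m;

    location / {
        # Plain HTTP to CouchDB on the loopback interface only.
        proxy_pass http://127.0.0.1:5984;
        proxy_http_version 1.1;

        # Preserve the original host and tell CouchDB the client used HTTPS.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # _changes feeds with feed=continuous or longpoll stream for a long
        # time; buffering would hold back events, and the default timeout
        # would cut them off.
        proxy_buffering off;
        proxy_read_timeout 3600s;
    }
}
```

With this in place the `[ssl]` section of CouchDB's local.ini (the `ciphers`, `tls_versions` and `secure_renegotiate` keys quoted earlier in the thread) is no longer used for client connections, so `curl -vsk https://couch.example.org/` exercises nginx's TLS stack rather than OTP's.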

