incubator-couchdb-dev mailing list archives

From "Michael Stapelberg (JIRA)" <j...@apache.org>
Subject [jira] Updated: (COUCHDB-878) [PATCH] Verify SSL Certificate Chain when doing SSL replication
Date Mon, 06 Sep 2010 21:03:33 GMT

     [ https://issues.apache.org/jira/browse/COUCHDB-878?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Stapelberg updated COUCHDB-878:
---------------------------------------

    Attachment: couchdb-ssl-verify-chain.patch

> [PATCH] Verify SSL Certificate Chain when doing SSL replication
> ---------------------------------------------------------------
>
>                 Key: COUCHDB-878
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-878
>             Project: CouchDB
>          Issue Type: Improvement
>          Components: Replication
>    Affects Versions: 1.0.1
>            Reporter: Michael Stapelberg
>         Attachments: couchdb-ssl-verify-chain.patch
>
>
> When doing an SSL replication, CouchDB does not check the certificate chain. This renders
> the SSL support absolutely useless since an attacker who is in the position of doing man-in-the-middle
> attacks can send an invalid certificate and get all my data (push replication).
> The attached patch passes a verify_fun in ssl_options to ibrowse in order to validate
> the certificate path. Two new configuration options are introduced: ssl.verify (bool) and
> ssl.cacertfile (string). Set the latter to a PEM file containing the root CA for your certificate.
> Documentation updates are not included in the patch. Also, error handling is not included
> (only io:fwrite is used).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
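
How the two settings described in the issue could map onto ibrowse options, as an added example that is not the attached patch or CouchDB's own code. The module and function names are hypothetical, the depth value is an assumption, and the verify_fun uses the three-argument form of current Erlang/OTP releases, which may differ from what the 2010 patch used. Configuration problems are returned as errors so the caller can refuse to replicate instead of only printing a message.

```erlang
%% Added example, not the COUCHDB-878 patch. Names are hypothetical.
-module(repl_ssl_opts).
-export([ibrowse_ssl_options/2, demo/0]).

%% Verify     :: boolean()            value of the ssl.verify setting
%% CaCertFile :: string() | undefined value of the ssl.cacertfile setting
%% Returns {ok, IbrowseOptions} or {error, Reason}.
ibrowse_ssl_options(false, _CaCertFile) ->
    %% Verification disabled: any certificate is accepted, so a
    %% man-in-the-middle can impersonate the replication target.
    {ok, [{is_ssl, true}, {ssl_options, [{verify, verify_none}]}]};
ibrowse_ssl_options(true, undefined) ->
    %% Fail closed: verification requested but no trust anchor configured.
    {error, cacertfile_not_configured};
ibrowse_ssl_options(true, CaCertFile) ->
    case filelib:is_regular(CaCertFile) of
        false ->
            {error, {cacertfile_not_found, CaCertFile}};
        true ->
            SslOpts = [{verify, verify_peer},      % validate the chain
                       {cacertfile, CaCertFile},   % PEM file with the root CA
                       {depth, 3},                 % assumed max intermediates
                       {verify_fun, {fun verify_cert/3, []}}],
            {ok, [{is_ssl, true}, {ssl_options, SslOpts}]}
    end.

%% Called by the ssl application for each certificate in the chain.
%% Any path validation error aborts the handshake.
verify_cert(_Cert, {bad_cert, _} = Reason, _State) -> {fail, Reason};
verify_cert(_Cert, {extension, _}, State)          -> {unknown, State};
verify_cert(_Cert, valid, State)                   -> {valid, State};
verify_cert(_Cert, valid_peer, State)              -> {valid, State}.

%% Constructed inputs showing the three outcomes without any network access.
demo() ->
    [ibrowse_ssl_options(false, undefined),
     ibrowse_ssl_options(true, undefined),
     ibrowse_ssl_options(true, "/nonexistent/ca.pem")].
```

The returned option list is meant to be passed as the options argument of an ibrowse request; an `{error, _}` result should stop the replication before any connection is opened.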

