couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Timothy McKernan <>
Subject Two-way SSL authentication?
Date Thu, 17 Nov 2016 14:36:28 GMT
Has there been any interest in adding support for two-way SSL
authentication? More specifically, I'm looking for a way to:

   - Verify a client's cert is valid,
      - Check the cert's Certificate Authority(s) against a local store,
      - Query a remote service to verify the cert hasn't been revoked
   - Use the client's Distinguished Name to query a remote service (LDAP
   would be fine) to verify the user is authorized to connect,
   - Use the client's Distinguished Name to authenticate the user in
   CouchDb, returning the user ctx.

I've looked at how to add an auth handler in 2.0.0 and read some older
posts about it. It looks like at least src/chttpd/src/chttpd_auth.erl and
src/couch/src/couch_httpd_auth.erl need to be edited to use any new
handlers, is that right?

I think my questions come down to:

   - Is there going to be support for two-way SSL auth?
   - If not, is the authentication handler code going to be updated to
   allow new handlers to be plugged in (having the handlers implement a known
   interface) rather than hand-edit the above code?
   - I my requirements also suggest allowing a chain of handlers to be
   called, so that the details of CouchDb auth vs. CRL verification vs. LDAP
   can all be called one after the other, only going to the next handler if
   the previous handler succeeded.

Right now I'm just trying to understand the scope of what's required to add
this, especially if it seems I'd be the one doing it.


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message