[PATCH] Verify SSL Certificate Chain when doing SSL replication
---------------------------------------------------------------
Key: COUCHDB-878
URL: https://issues.apache.org/jira/browse/COUCHDB-878
Project: CouchDB
Issue Type: Improvement
Components: Replication
Affects Versions: 1.0.1
Reporter: Michael Stapelberg
When doing an SSL replication, CouchDB does not check the certificate chain.
This renders the SSL support absolutely useless since an attacker who is in the
position of doing man-in-the-middle attacks can send an invalid certificate and
gets all my data (push replication).
The attached patch passes a verify_fun in ssl_options to ibrowse in order to
validate the certificate path. Two new configuration options are introduced:
ssl.verify (bool) and ssl.cacertfile (string). Set the latter to a PEM file
containing the root CA for your certificate.
Documentation updates are not included in the patch. Also, error handling is
not included (only io:fwrite is used).
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
