[
https://issues.apache.org/jira/browse/COUCHDB-878?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Paul Joseph Davis updated COUCHDB-878:
--------------------------------------
Skill Level: Regular Contributors Level (Easy to Medium)
> [PATCH] Verify SSL Certificate Chain when doing SSL replication
> ---------------------------------------------------------------
>
> Key: COUCHDB-878
> URL: https://issues.apache.org/jira/browse/COUCHDB-878
> Project: CouchDB
> Issue Type: Improvement
> Components: Replication
> Affects Versions: 1.0.1
> Reporter: Michael Stapelberg
> Attachments: couchdb-ssl-verify-chain.patch
>
>
> When doing an SSL replication, CouchDB does not check the certificate chain.
> This renders the SSL support absolutely useless since an attacker who is in
> the position of doing man-in-the-middle attacks can send an invalid
> certificate and gets all my data (push replication).
> The attached patch passes a verify_fun in ssl_options to ibrowse in order to
> validate the certificate path. Two new configuration options are introduced:
> ssl.verify (bool) and ssl.cacertfile (string). Set the latter to a PEM file
> containing the root CA for your certificate.
> Documentation updates are not included in the patch. Also, error handling is
> not included (only io:fwrite is used).
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
