first link should be https://github.com/refuge/couch_core/blob/master/apps/couch_httpd/src/couch_httpd.erl#L73
On Sun, Jan 12, 2014 at 2:01 PM, Benoit Chesneau <[email protected]>wrote:
> Some certs passed to couchdb (ala nginx) already contain the cafile, we
> should detect it instead:
>
> I have a fix in rcouch for that:
>
>
> https://github.com/refuge/couch_core/blob/master/apps/couch_core/blob/master/apps/couch_httpd/src/couch_httpd.erl#L73
>
> and:
>
>
> https://github.com/refuge/couch_core/blob/master/apps/couch_httpd/src/couch_httpd.erl#L97
>
>
> It will land soon in the rcouch branch and will try to extract it for
> current.
>
> - benoit
>
>
> On Sun, Jan 12, 2014 at 1:54 PM, <[email protected]> wrote:
>
>> Updated Branches:
>> refs/heads/2028-feature-intermediate-tls-certs [created] 4925bf6be
>>
>>
>> Allow cacertfile without verifying peers
>>
>>
>> Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
>> Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/4925bf6b
>> Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/4925bf6b
>> Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/4925bf6b
>>
>> Branch: refs/heads/2028-feature-intermediate-tls-certs
>> Commit: 4925bf6bee49cf77aaf83311b8c7d361dc5b2252
>> Parents: a749ecb
>> Author: Robert Newson <[email protected]>
>> Authored: Sun Jan 12 11:57:41 2014 +0000
>> Committer: Robert Newson <[email protected]>
>> Committed: Sun Jan 12 12:47:19 2014 +0000
>>
>> ----------------------------------------------------------------------
>> src/couchdb/couch_httpd.erl | 81 ++++++++++++++++------------------------
>> 1 file changed, 33 insertions(+), 48 deletions(-)
>> ----------------------------------------------------------------------
>>
>>
>>
>> http://git-wip-us.apache.org/repos/asf/couchdb/blob/4925bf6b/src/couchdb/couch_httpd.erl
>> ----------------------------------------------------------------------
>> diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl
>> index 465bc7a..1372dec 100644
>> --- a/src/couchdb/couch_httpd.erl
>> +++ b/src/couchdb/couch_httpd.erl 
>> @@ -39,57 +39,42 @@ start_link(http) ->
>> start_link(?MODULE, [{port, Port}]);
>> start_link(https) ->
>> Port = couch_config:get("ssl", "port", "6984"),
>> - CertFile = couch_config:get("ssl", "cert_file", nil),
>> - KeyFile = couch_config:get("ssl", "key_file", nil),
>> - Options = case CertFile /= nil andalso KeyFile /= nil of
>> + ServerOpts0 =
>> + [{cacertfile, couch_config:get("ssl", "cacert_file", nil)},
>> + {keyfile, couch_config:get("ssl", "key_file", nil)},
>> + {certfile, couch_config:get("ssl", "cert_file", nil)},
>> + {password, couch_config:get("ssl", "password", nil)}],
>> +
>> + case (couch_util:get_value(keyfile, ServerOpts0) == nil orelse
>> + couch_util:get_value(certfile, ServerOpts0) == nil) of
>> true ->
>> - SslOpts = [{certfile, CertFile}, {keyfile, KeyFile}],
>> -
>> - %% set password if one is needed for the cert
>> - SslOpts1 = case couch_config:get("ssl", "password", nil) of
>> - nil -> SslOpts;
>> - Password ->
>> - SslOpts ++ [{password, Password}]
>> - end,
>> - % do we verify certificates ?
>> - FinalSslOpts = case couch_config:get("ssl",
>> - "verify_ssl_certificates", "false") of
>> - "false" -> SslOpts1;
>> - "true" ->
>> - case couch_config:get("ssl",
>> - "cacert_file", nil) of
>> - nil ->
>> - io:format("Verify SSL certificate "
>> - ++"enabled but file containing "
>> - ++"PEM encoded CA certificates is "
>> - ++"missing", []),
>> - throw({error, missing_cacerts});
>> - CaCertFile ->
>> - Depth =
>> list_to_integer(couch_config:get("ssl",
>> - "ssl_certificate_max_depth",
>> - "1")),
>> - FinalOpts = [
>> - {cacertfile, CaCertFile},
>> - {depth, Depth},
>> - {verify, verify_peer}],
>> - % allows custom verify fun. 
>> - case couch_config:get("ssl",
>> - "verify_fun", nil) of
>> - nil -> FinalOpts;
>> - SpecStr ->
>> - FinalOpts
>> - ++ [{verify_fun,
>> make_arity_3_fun(SpecStr)}]
>> - end
>> - end
>> - end,
>> -
>> - [{port, Port},
>> - {ssl, true},
>> - {ssl_opts, FinalSslOpts}];
>> - false ->
>> io:format("SSL enabled but PEM certificates are missing.",
>> []),
>> - throw({error, missing_certs})
>> + throw({error, missing_certs});
>> + false ->
>> + ok
>> end,
>> +
>> + ServerOpts = [Opt || {_, V}=Opt <- ServerOpts0, V /= nil],
>> +
>> + ClientOpts = case couch_config:get("ssl", "verify_ssl_certificates",
>> "false") of
>> + "false" ->
>> + [];
>> + "true" ->
>> + [{depth, list_to_integer(couch_config:get("ssl",
>> + "ssl_certificate_max_depth", "1"))},
>> + {verify, verify_peer}] ++
>> case couch_config:get("ssl", "verify_fun", nil) of
>> nil -> [];
>> SpecStr ->
>> [{verify_fun, make_arity_3_fun(SpecStr)}]
>> end
>> + end,
>> + SslOpts = ServerOpts ++ ClientOpts,
>> +
>> + Options =
>> + [{port, Port},
>> + {ssl, true},
>> + {ssl_opts, SslOpts}],
>> start_link(https, Options).
>> start_link(Name, Options) ->
>> % read config and register for configuration changes
>>
>>
>
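Review bot: The `"true"` branch of the new `ClientOpts` case enables `{verify, verify_peer}` without checking that a `cacert_file` was configured, whereas the removed code threw `{error, missing_cacerts}` with an explanatory message at startup; because a nil `cacertfile` is filtered out of `ServerOpts`, a node with `verify_ssl_certificates = true` and no CA file now starts with peer verification turned on but no trust store, and the misconfiguration presumably only surfaces when a client connects. Re-instate the startup check at the top of that branch, e.g. `couch_util:get_value(cacertfile, ServerOpts0) /= nil orelse throw({error, missing_cacerts}),` before the depth/verify list is built. The same case still has clauses only for `"false"` and `"true"`, so any other config value (such as `"True"`) exits with a case_clause rather than a clear message; a catch-all clause such as `_ -> throw({error, invalid_verify_ssl_certificates})` would make that explicit. The `start_link(https)` clause is shown in full, but it is part of `start_link/1`, whose first clause begins above the hunk.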
