Thank you all, my solution is currently to use stunnel in front of CouchDB.
Foucauld

2015-06-22 20:51 GMT+02:00 Sebastian Rothbucher <[email protected]>:

> Hi,
>
> self-signed certificates are difficult in general as it strongly depends on
> the client whether / how one can actually add the public key to the list of
> trusted keys. Java improved over the years; Chrome is very picky (which in
> my opinion is a good thing - nonetheless, you can proceed if you click away
> several warnings).
>
> Anyway, I'm afraid there is no general answer, but the client is the place
> to look for
>
> Hope this helps a little
>
> Cheers
> Sebastian
>
>
> On Mon, Jun 22, 2015 at 8:24 PM, Jason Winshell (Bear River) <[email protected]> wrote:
>
> > I only did the tests during development, so I was using self-signed
> > certificates.
> >
> > Wish I had more information for you. Our app is behind a load balance
> > proxy.
> >
> > Jason
> >
> > > On Jun 22, 2015, at 11:00 AM, Foucauld Degeorges <[email protected]> wrote:
> > >
> > > Well, the whole reason I'm using CouchDB was to *not* have a server...
> > > That's a bit disappointing, but I'll consider it. I hope erlang will be
> > > fixed though.
> > > Is this specific with self-signed certificates, or is SSL broken in general?
> > > Thank you for this answer.
> > >
> > > 2015-06-22 19:55 GMT+02:00 Jason Winshell (Bear River) <[email protected]>:
> > >
> > >> Hi,
> > >>
> > >> I went through this problem as well. The last time I looked at this I learned
> > >> that the erlang SSL implementation was buggy. Regardless, having a database
> > >> provide SSL directly is not the best way to go about things. Use a front
> > >> end web server. You get other benefits as well, such as header control and
> > >> the possibility of offloading SSL to a hardware load balancer. It's just
> > >> not worth pursuing.
> > >>
> > >>
> > >>> On Jun 22, 2015, at 10:52 AM, Foucauld Degeorges <[email protected]> wrote:
> > >>>
> > >>> Thanks for your help.
> > >>> The OS is Windows, but the problem may be similar.
> > >>>
> > >>> 2015-06-22 19:26 GMT+02:00 Paul Okstad <[email protected]>:
> > >>>
> > >>>> Hi,
> > >>>>
> > >>>> I had a similar problem and I found the culprit to be the OS version of
> > >>>> Ubuntu that I was using. Must be a bad library included with that
> > >>>> distribution. Check out the bottom of this wiki page I wrote:
> > >>>>
> > >>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=48203146
> > >>>>
> > >>>> On Monday, June 22, 2015, Foucauld Degeorges <[email protected]> wrote:
> > >>>>
> > >>>>> Hello,
> > >>>>>
> > >>>>> (This question may have been asked before, I'm sorry if it has, but I
> > >>>>> haven't found a search field on the archives page).
> > >>>>>
> > >>>>> I'm having issues to make CouchDB work with HTTPS and a self-signed
> > >>>>> certificate.
> > >>>>> Depending on the client, the connection is accepted or refused:
> > >>>>>
> > >>>>> - accepted by curl -k
> > >>>>> - refused by Chrome: ERR_SSL_PROTOCOL_ERROR
> > >>>>> - Firefox first asks to add a security exception, then rejects the
> > >>>>> connection: sec_error_invalid_key
> > >>>>>
> > >>>>> You may look at the associated StackOverflow question
> > >>>>> <http://stackoverflow.com/questions/30939983/couchdb-over-https-and-self-certified-certificate-browsers-reject-it/30964160>
> > >>>>> for extra info.
> > >>>>> I have read somewhere that Web browsers have recently become more strict
> > >>>>> concerning self-signed certificates. Is there a workaround, or something
> > >>>>> I'm missing?
> > >>>>>
> > >>>>> Thanks
> > >>>>> Foucauld Degeorges
> > >>>>>
> > >>>>
> > >>>>
> > >>>> --
> > >>>> --
> > >>>> Paul Okstad
> > >>>> http://pokstad.com
