Uploaded image for project: 'CouchDB'
  1. CouchDB
  2. COUCHDB-1448

Client Certificate Validation Nonfunctional

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 1.2
    • Fix Version/s: None
    • Component/s: HTTP Interface
    • Environment:

      OSX 10.7/Ubuntu 11.10, Erlang R15B/R14B4

      Description

      CouchDB commit: 4cd60f3d1683a3445c3248f48ae064fb573db2a1 (from build-couchdb) on both platforms (OSX / R14B4, and Ubuntu / R15B).

      Attempting to use client SSL certificate validation. In local.ini, if I specify cert_file and key_file, server SSL certificate functionality works as expected. If I also specify a cacert_file and set verify_ssl_certificates = true, I get the following crash:

      ============
      [info] [<0.31.0>] Apache CouchDB has started on https://127.0.0.1:6984/
      [error] [<0.165.0>] SSL: hello: ssl_handshake.erl:249:Fatal error: internal error

      =ERROR REPORT==== 23-Mar-2012::17:12:03 ===
      SSL: hello: ssl_handshake.erl:249:Fatal error: internal error
      [error] [<0.164.0>] SSL: hello: ssl_handshake.erl:249:Fatal error: internal error

      =ERROR REPORT==== 23-Mar-2012::17:12:03 ===
      SSL: hello: ssl_handshake.erl:249:Fatal error: internal error
      [error] [<0.166.0>] SSL: hello: ssl_handshake.erl:249:Fatal error: internal error

      =ERROR REPORT==== 23-Mar-2012::17:12:03 ===
      SSL: hello: ssl_handshake.erl:249:Fatal error: internal error
      [error] [<0.145.0>] {error_report,<0.30.0>,
      {<0.145.0>,std_error,
      [

      {application,mochiweb},
      "Accept failed error",
      "{error,\"internal error\"}"]}}

      =ERROR REPORT==== 23-Mar-2012::17:12:03 ===
      application: mochiweb
      "Accept failed error"
      "{error,"internal error"}"
      [error] [<0.144.0>] {error_report,<0.30.0>,
      {<0.144.0>,std_error,
      [{application,mochiweb}

      ,
      "Accept failed error",
      "

      {error,\"internal error\"}"]}}

      =ERROR REPORT==== 23-Mar-2012::17:12:03 ===
      application: mochiweb
      "Accept failed error"
      "{error,"internal error"}

      "
      [error] [<0.145.0>] {error_report,<0.30.0>,
      {<0.145.0>,crash_report,
      [[{initial_call,
      {mochiweb_acceptor,init,
      ['Argument__1','Argument__2','Argument__3']}},

      {pid,<0.145.0>}

      ,

      {registered_name,[]}

      ,
      {error_info,
      {exit,

      {error,accept_failed},
      [{mochiweb_acceptor,init,3,
      [{file, "/Users/ussjoin/Desktop/build-couchdb/dependencies/couchdb/src/mochiweb/mochiweb_acceptor.erl"},
      {line,33}]},
      {proc_lib,init_p_do_apply,3,
      [{file,"proc_lib.erl"},{line,227}]}]}},
      {ancestors, [https,couch_secondary_services,couch_server_sup, <0.31.0>]},
      {messages,[]},
      {links,[<0.142.0>]},
      {dictionary,[]},
      {trap_exit,false},
      {status,running},
      {heap_size,2584},
      {stack_size,24},
      {reductions,912}],
      []]}}

      =CRASH REPORT==== 23-Mar-2012::17:12:03 ===
      crasher:
      initial call: mochiweb_acceptor:init/3
      pid: <0.145.0>
      registered_name: []
      exception exit: {error,accept_failed}

      in function mochiweb_acceptor:init/3 (/Users/ussjoin/Desktop/build-couchdb/dependencies/couchdb/src/mochiweb/mochiweb_acceptor.erl, line 33)
      ancestors: [https,couch_secondary_services,couch_server_sup,<0.31.0>]
      messages: []
      links: [<0.142.0>]
      dictionary: []
      trap_exit: false
      status: running
      heap_size: 2584
      stack_size: 24
      reductions: 912
      neighbours:
      [error] [<0.142.0>] {error_report,<0.30.0>,
      {<0.142.0>,std_error,
      {mochiweb_socket_server,310,
      {acceptor_error,

      {error,accept_failed}

      }}}}

      ============

      From the browser side, the browser was never even asked by CouchDB to submit a client certificate; it crashes before it gets to that point.

      Similar result when specifying ssl_trusted_certificates_file and verify_ssl_certificates=true in the replicator section of default.ini; a crash and nothing happens on replication attempts.

      Tried increasing ssl_certificate_max_depth to 2 and 3 on both the local.ini[ssl] side and the default.ini[replicator] side, with no apparent effect.

      Workaround:

      In replicator, specify cert_file and key_file, but leave verify_ssl_certificates = false. Use nginx to verify the client certificates (and serve server SSL if you wish). Replication proceeds with client+server SSL as expected, without having to use a proxy on the sending side. (The downside is that you have to use nginx-- if this feature worked as expected, the use case could be solved in CouchDB alone.)

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              ussjoin Brendan O'Connor
            • Votes:
              2 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: