Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Won't Fix
-
1.0.1
-
None
-
None
-
Regular Contributors Level (Easy to Medium)
Description
When doing an SSL replication, CouchDB does not check the certificate chain. This renders the SSL support absolutely useless since an attacker who is in the position of doing man-in-the-middle attacks can send an invalid certificate and gets all my data (push replication).
The attached patch passes a verify_fun in ssl_options to ibrowse in order to validate the certificate path. Two new configuration options are introduced: ssl.verify (bool) and ssl.cacertfile (string). Set the latter to a PEM file containing the root CA for your certificate.
Documentation updates are not included in the patch. Also, error handling is not included (only io:fwrite is used).
Attachments
Attachments
Issue Links
- duplicates
-
COUCHDB-1208 Improve SSL handling. allows a couch node to handle ssl validation and pass ssl certficate to the replication
- Closed