CouchDB
  1. CouchDB
  2. COUCHDB-878

[PATCH] Verify SSL Certificate Chain when doing SSL replication

    Details

    • Type: Improvement Improvement
    • Status: Open
    • Priority: Major Major
    • Resolution: Unresolved
    • Affects Version/s: 1.0.1
    • Fix Version/s: None
    • Component/s: Replication
    • Labels:
      None
    • Skill Level:
      Regular Contributors Level (Easy to Medium)

      Description

      When doing an SSL replication, CouchDB does not check the certificate chain. This renders the SSL support absolutely useless since an attacker who is in the position of doing man-in-the-middle attacks can send an invalid certificate and gets all my data (push replication).

      The attached patch passes a verify_fun in ssl_options to ibrowse in order to validate the certificate path. Two new configuration options are introduced: ssl.verify (bool) and ssl.cacertfile (string). Set the latter to a PEM file containing the root CA for your certificate.

      Documentation updates are not included in the patch. Also, error handling is not included (only io:fwrite is used).

        Issue Links

          Activity

          Hide
          Jens Alfke added a comment -

          Looks like issue 1208 is the same as this, and it was fixed a few months ago. Close this one as a dup (even though it's older)?

          Show
          Jens Alfke added a comment - Looks like issue 1208 is the same as this, and it was fixed a few months ago. Close this one as a dup (even though it's older)?

            People

            • Assignee:
              Unassigned
              Reporter:
              Michael Stapelberg
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:

                Development