Uploaded image for project: 'CouchDB'
  1. CouchDB
  2. COUCHDB-878

[PATCH] Verify SSL Certificate Chain when doing SSL replication

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.0.1
    • Fix Version/s: None
    • Component/s: Replication
    • Labels:
      None
    • Skill Level:
      Regular Contributors Level (Easy to Medium)

      Description

      When doing an SSL replication, CouchDB does not check the certificate chain. This renders the SSL support absolutely useless since an attacker who is in the position of doing man-in-the-middle attacks can send an invalid certificate and gets all my data (push replication).

      The attached patch passes a verify_fun in ssl_options to ibrowse in order to validate the certificate path. Two new configuration options are introduced: ssl.verify (bool) and ssl.cacertfile (string). Set the latter to a PEM file containing the root CA for your certificate.

      Documentation updates are not included in the patch. Also, error handling is not included (only io:fwrite is used).

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                mstapelberg Michael Stapelberg
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated: