Uploaded image for project: 'CouchDB'
  1. CouchDB
  2. COUCHDB-878

[PATCH] Verify SSL Certificate Chain when doing SSL replication

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Won't Fix
    • 1.0.1
    • None
    • Replication
    • None
    • Regular Contributors Level (Easy to Medium)

    Description

      When doing an SSL replication, CouchDB does not check the certificate chain. This renders the SSL support absolutely useless since an attacker who is in the position of doing man-in-the-middle attacks can send an invalid certificate and gets all my data (push replication).

      The attached patch passes a verify_fun in ssl_options to ibrowse in order to validate the certificate path. Two new configuration options are introduced: ssl.verify (bool) and ssl.cacertfile (string). Set the latter to a PEM file containing the root CA for your certificate.

      Documentation updates are not included in the patch. Also, error handling is not included (only io:fwrite is used).

      Attachments

        1. couchdb-ssl-verify-chain.patch
          3 kB
          Michael Stapelberg

        Issue Links

          duplicates

          Improvement - An improvement or enhancement to an existing feature or task. COUCHDB-1208 Improve SSL handling. allows a couch node to handle ssl validation and pass ssl certficate to the replication

          • Major - Major loss of function.
          • Closed

          Activity

            People

              Unassigned Unassigned
              mstapelberg Michael Stapelberg
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: