Posted to commits@couchdb.apache.org by fd...@apache.org on 2010/12/07 21:37:56 UTC

svn commit: r1043193 - in /couchdb/branches/1.0.x: etc/couchdb/default.ini.tpl.in src/couchdb/couch_rep.erl src/couchdb/couch_rep_httpc.erl

Author: fdmanana
Date: Tue Dec  7 20:37:56 2010
New Revision: 1043193

URL: http://svn.apache.org/viewvc?rev=1043193&view=rev
Log:
Merged revision 1023274 from trunk:

Replicator: fix issues when a peer is accessible via SSL.
Closes COUCHDB-491.


Modified:
    couchdb/branches/1.0.x/etc/couchdb/default.ini.tpl.in
    couchdb/branches/1.0.x/src/couchdb/couch_rep.erl
    couchdb/branches/1.0.x/src/couchdb/couch_rep_httpc.erl

Modified: couchdb/branches/1.0.x/etc/couchdb/default.ini.tpl.in
URL: http://svn.apache.org/viewvc/couchdb/branches/1.0.x/etc/couchdb/default.ini.tpl.in?rev=1043193&r1=1043192&r2=1043193&view=diff
==============================================================================
--- couchdb/branches/1.0.x/etc/couchdb/default.ini.tpl.in (original)
+++ couchdb/branches/1.0.x/etc/couchdb/default.ini.tpl.in Tue Dec  7 20:37:56 2010
@@ -121,4 +121,10 @@ compressible_types = text/*, application
 
 [replicator]
 max_http_sessions = 10
-max_http_pipeline_size = 10
\ No newline at end of file
+max_http_pipeline_size = 10
+; set to true to validate peer certificates
+verify_ssl_certificates = false
+; file containing a list of peer trusted certificates (PEM format)
+; ssl_trusted_certificates_file = /etc/ssl/certs/ca-certificates.crt
+; maximum peer certificate depth (must be set even if certificate validation is off)
+ssl_certificate_max_depth = 3
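Review bot: The shipped default `verify_ssl_certificates = false` on line 36 means an https replication peer is not authenticated at all, and the comment on line 35 does not say so; a reader of default.ini should see the consequence, e.g. `; set to true to validate peer certificates (with false, https peers are NOT authenticated)`. The comment on line 39 could also state what the number bounds, e.g. `; maximum peer certificate chain depth accepted when validating (must be set even if certificate validation is off)`. Since line 38 ships the CA file commented out, it would help to add `; required when verify_ssl_certificates is true` above it, because the Erlang side reads that key unconditionally once verification is on.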

Modified: couchdb/branches/1.0.x/src/couchdb/couch_rep.erl
URL: http://svn.apache.org/viewvc/couchdb/branches/1.0.x/src/couchdb/couch_rep.erl?rev=1043193&r1=1043192&r2=1043193&view=diff
==============================================================================
--- couchdb/branches/1.0.x/src/couchdb/couch_rep.erl (original)
+++ couchdb/branches/1.0.x/src/couchdb/couch_rep.erl Tue Dec  7 20:37:56 2010
@@ -564,7 +564,10 @@ open_db({Props}, _UserCtx, ProxyParams, 
         auth = AuthProps,
         headers = lists:ukeymerge(1, Headers, DefaultHeaders)
     },
-    Db = Db1#http_db{options = Db1#http_db.options ++ ProxyParams},
+    Db = Db1#http_db{
+        options = Db1#http_db.options ++ ProxyParams ++
+            couch_rep_httpc:ssl_options(Db1)
+    },
     couch_rep_httpc:db_exists(Db, CreateTarget);
 open_db(<<"http://",_/binary>>=Url, _, ProxyParams, CreateTarget) ->
     open_db({[{<<"url">>,Url}]}, [], ProxyParams, CreateTarget);

Modified: couchdb/branches/1.0.x/src/couchdb/couch_rep_httpc.erl
URL: http://svn.apache.org/viewvc/couchdb/branches/1.0.x/src/couchdb/couch_rep_httpc.erl?rev=1043193&r1=1043192&r2=1043193&view=diff
==============================================================================
--- couchdb/branches/1.0.x/src/couchdb/couch_rep_httpc.erl (original)
+++ couchdb/branches/1.0.x/src/couchdb/couch_rep_httpc.erl Tue Dec  7 20:37:56 2010
@@ -16,6 +16,7 @@
 
 -export([db_exists/1, db_exists/2, full_url/1, request/1, redirected_request/2,
     redirect_url/2, spawn_worker_process/1, spawn_link_worker_process/1]).
+-export([ssl_options/1]).
 
 request(#http_db{} = Req) ->
     do_request(Req).
@@ -246,3 +247,35 @@ oauth_header(Url, QS, Action, Props) ->
     Params = oauth:signed_params(Method, Url, QSL, Consumer, Token, TokenSecret)
         -- QSL,
     {"Authorization", "OAuth " ++ oauth_uri:params_to_header_string(Params)}.
+
+ssl_options(#http_db{url = Url}) ->
+    case ibrowse_lib:parse_url(Url) of
+    #url{protocol = https} ->
+        Depth = list_to_integer(
+            couch_config:get("replicator", "ssl_certificate_max_depth", "3")
+        ),
+        SslOpts = [{depth, Depth} |
+        case couch_config:get("replicator", "verify_ssl_certificates") of
+        "true" ->
+            ssl_verify_options(true);
+        _ ->
+            ssl_verify_options(false)
+        end],
+        [{is_ssl, true}, {ssl_options, SslOpts}];
+    #url{protocol = http} ->
+        []
+    end.
+
+ssl_verify_options(Value) ->
+    ssl_verify_options(Value, erlang:system_info(otp_release)).
+
+ssl_verify_options(true, OTPVersion) when OTPVersion >= "R14" ->
+    CAFile = couch_config:get("replicator", "ssl_trusted_certificates_file"),
+    [{verify, verify_peer}, {cacertfile, CAFile}];
+ssl_verify_options(false, OTPVersion) when OTPVersion >= "R14" ->
+    [{verify, verify_none}];
+ssl_verify_options(true, _OTPVersion) ->
+    CAFile = couch_config:get("replicator", "ssl_trusted_certificates_file"),
+    [{verify, 2}, {cacertfile, CAFile}];
+ssl_verify_options(false, _OTPVersion) ->
+    [{verify, 0}].
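Review bot: The two `ssl_verify_options(true, _)` clauses on lines 100 and 105 pass whatever `couch_config:get/2` returns straight into `{cacertfile, CAFile}`, and since the shipped template leaves `ssl_trusted_certificates_file` commented out that value is presumably `undefined` (couch_config:get/2 appears to default to it), so enabling verify_ssl_certificates without also setting the file makes every https replication fail inside ssl with an opaque error instead of a clear configuration message. Suggest resolving the CA file in one helper that rejects the unset case and calling it from both true clauses. The `OTPVersion >= "R14"` guard on lines 99 and 102 is a plain string comparison on the release name and deserves a comment saying so, since it only holds while release names keep the `R<nn>` shape. As ssl_options/1 is now exported, a spec such as `-spec ssl_options(#http_db{}) -> [{is_ssl, true} | {ssl_options, list()}].` would document the contract for couch_rep.
```erlang
ssl_verify_options(true, OTPVersion) when OTPVersion >= "R14" ->
    [{verify, verify_peer}, {cacertfile, trusted_ca_file()}];
%% … unchanged: the (false, _) clauses; the pre-R14 (true, _) clause also uses trusted_ca_file() …

%% Refuse to turn on peer verification without a CA bundle: passing
%% {cacertfile, undefined} to ssl would fail every https connection later
%% with an error that does not point at the missing setting.
trusted_ca_file() ->
    case couch_config:get("replicator", "ssl_trusted_certificates_file") of
    undefined ->
        throw({ssl_config_error, missing_ssl_trusted_certificates_file});
    CAFile ->
        CAFile
    end.
```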