Posted to notifications@couchdb.apache.org by "jiahuili430 (via GitHub)" <gi...@apache.org> on 2023/05/04 18:25:42 UTC

[GitHub] [couchdb] jiahuili430 opened a new pull request, #4575: Fix warnings about TLS distribution

jiahuili430 opened a new pull request, #4575:
URL: https://github.com/apache/couchdb/pull/4575

   When the CouchDB custom (`couch`) distribution is enabled, using `remsh-tls` or `remsh -t` produces a warning:
   
   ```
   =WARNING REPORT==== 4-May-2023::12:43:28.893022 ===
   Description: "Server authenticity is not verified since certificate path validation is not enabled"
        Reason: "The option {verify, verify_peer} and one of the options 'cacertfile' or 'cacerts' are required to enable this."
   ```
   
   Add `{verify, verify_none}` to suppress warnings.
   
   ## Checklist
   
   - [ ] Code is written and works correctly
   - [ ] Changes are covered by tests
   - [ ] Any new configurable parameters are documented in `rel/overlay/etc/default.ini`
   - [x] Documentation changes were made in the `src/docs` folder
   - [ ] Documentation changes were backported (separated PR) to affected branches
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1198937030


##########
configure:
##########
@@ -69,22 +69,58 @@ Options:
 EOF
 }
 
-# This is just an example to generate a certfile for TLS distribution.
-# This is not an endorsement of specific expiration limits, key sizes, or algorithms.
+# Just an example to generate certificates for TLS distribution.
+# It's not an endorsement of specific expiration limits, key sizes, or algorithms.
 generate_tls_dev_cert() {
-    if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
-        openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
-        cat key.pem cert.pem > dev/erlserver.pem && rm key.pem cert.pem
-    fi
+    if [ "$ERLANG_VER" -lt 26 ]; then
+        if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
+            openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
+            cat key.pem cert.pem > dev/erlserver.pem && rm key.pem cert.pem
+        fi
 
-    if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
-        cat > "${rootdir}/dev/couch_ssl_dist.conf" << EOF
-[{server,
-  [{certfile, "${rootdir}/dev/erlserver.pem"},
-   {secure_renegotiate, true}]},
- {client,
-  [{secure_renegotiate, true}]}].
+        if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
+            cat >"${rootdir}/dev/couch_ssl_dist.conf" <<EOF
+[{server, [
+    {certfile, "${rootdir}/dev/erlserver.pem"},
+    {secure_renegotiate, true}
+  ]},
+  {client, [
+    {secure_renegotiate, true}
+  ]}
+].
 EOF
+        fi
+    else
+        if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
+            echo "Make sure to use different values for the Common Name (FQDN) in CA certificate and certificate."
+            read -p "Common Name (CA certificate): " fqdn_ca
+            read -p "Common Name (certificate): " fqdn
+
+            echo "Generate CA certificate:"
+            openssl genrsa 2048 >ca-key.pem
+            openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem -subj "/CN=$fqdn_ca"
+            echo "Generate certificate:"
+            openssl req -newkey rsa:2048 -nodes -days 3650 -keyout key.pem -out req.pem -subj "/CN=$fqdn"
+            openssl x509 -req -days 3650 -set_serial 01 -in req.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem
+            openssl verify -CAfile ca-cert.pem ca-cert.pem cert.pem
+            cat key.pem cert.pem >dev/erlserver.pem && mv ca-cert.pem dev/ && rm ca-key.pem key.pem cert.pem req.pem
+        fi
+
+        if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
+            cat >"${rootdir}/dev/couch_ssl_dist.conf" <<EOF
+[{server, [
+    {certfile, "${rootdir}/dev/erlserver.pem"},
+    {secure_renegotiate, true}
+  ]},
+  {client, [
+    {secure_renegotiate, true},
+    {verify, verify_peer},
+    {cacertfile, "${rootdir}/dev/ca-cert.pem"},
+    {server_name_indication, "$fqdn"}
+  ]}
+].
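Review bot: `$fqdn` is read only inside the `if [ ! -e "${rootdir}/dev/erlserver.pem" ]` block, but the following block writes `{server_name_indication, "$fqdn"}` whenever `couch_ssl_dist.conf` is missing; on a re-run where the certificate already exists and only the conf file is absent, the client section is generated with `{server_name_indication, ""}` and every connection then fails the hostname check against an empty name. Read the name back from the existing certificate (`openssl x509 -noout -subject -in "${rootdir}/dev/erlserver.pem"`) or prompt for it in the conf block as well. Note also that only the `client` list gets `verify`/`cacertfile`, so the accepting side still does not authenticate whoever connects to it.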

Review Comment:
   Using the same conf and certificates, OTP 26 passed, but OTP 24/25 failed with `{bad_cert,hostname_check_failed}`.
   I'll keep trying, thanks for your suggestion.





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1202463799


##########
dev/remsh-tls:
##########
@@ -20,7 +20,7 @@ if [ -z $NODE ]; then
 fi
 
 if [ -z $HOST ]; then
-    HOST="127.0.0.1"
+    HOST=$(hostname -f)
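Review bot: `HOST=$(hostname -f)` ties the node name to whatever the resolver returns for the machine, and with `verify_peer` enabled that value must match the name the certificate was issued for (or the `server_name_indication` in the conf); when the two differ, or when `hostname -f` fails on a host without a resolvable FQDN, the symptom is a hostname check failure rather than a clear message. Since the surrounding `if [ -z $HOST ]` already allows an override, document that `HOST` must equal the certificate name, and quote the test as `[ -z "$HOST" ]`.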

Review Comment:
   What is forcing us away from `127.0.0.1` for this?





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1205493157


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",
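Review bot: `socket.gethostname()` usually returns the short host name, whereas certificates are normally issued for, and `server_name_indication` set to, a fully qualified name; if the two differ the client's hostname check fails. `socket.getfqdn()` returns what `hostname -f` reports, or, better, take the host from one value shared with the certificate generation so that the cert, the conf and the node name cannot drift apart.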

Review Comment:
   Thanks for all the info, especially for generating the correct certificates to pass validation!





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: Fix warnings about TLS distribution

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1186735302


##########
src/docs/src/cluster/tls_erlang_distribution.rst:
##########
@@ -36,10 +36,11 @@ the ``certificate`` and its ``private key``.
     .. code-block:: text
 
         [{server,
-          [{certfile, "</path/to/erlserver.pem>"},
+          [{certfile, "<absolute_path/to/erlserver.pem>"},
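Review bot: the new placeholder `"<absolute_path/to/erlserver.pem>"` drops the leading `/` that `"</path/to/erlserver.pem>"` had, so a reader who fills it in literally ends up with a relative path, the very thing the wording is trying to rule out. Use `"</absolute/path/to/erlserver.pem>"`.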

Review Comment:
   Add leading `/` back, thanks for the review.





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1205184804


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",
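Review bot: `"bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1"` couples two unrelated things: turning on TLS for the distribution also makes the dev cluster's HTTP interface listen on every interface, a change in exposure that a developer enabling TLS would not expect. If the wider bind is only needed so that the hostname in the certificate resolves to a listening address, say so in a comment, and consider keeping the HTTP bind address on loopback while only the distribution listener uses the hostname.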

Review Comment:
   ```sh
   #!/bin/sh
   
   mkdir -p out
   
   ./certs self-signed \
       --out-cert out/ca-cert.pem --out-key out/ca-key.pem \
       --template root-ca \
       --subject '/CN=CouchDB Root CA'
   
   for NODE in $@; do
       ./certs create-cert \
       --issuer-cert out/ca-cert.pem --issuer-key out/ca-key.pem \
       --out-cert "out/${NODE}-cert.pem" --out-key "out/${NODE}-key.pem" \
       --template node \
       --subject '/OU=CouchDB' \
       --host 127.0.0.1 \
       --node "${NODE}"
   done
   ```
   
   ```
   1> Parse = fun(File) ->
   1> {ok, PemBin} = file:read_file(File),
   1>  [{_, DerCert, _}] = public_key:pem_decode(PemBin),
   1> OTPCert = public_key:pkix_decode_cert(DerCert,otp),
   1> inet_tls_dist:cert_nodes(OTPCert) end.
   #Fun<erl_eval.44.65746770>
   2>
   2> Parse("node1-cert.pem").
   ["node1@127.0.0.1"]
   3> Parse("node2-cert.pem").
   ["node2@127.0.0.1"]
   4> Parse("node3-cert.pem").
   ["node3@127.0.0.1"]
   5>
   ```





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1207360857


##########
dev/remsh-tls:
##########
@@ -24,6 +24,6 @@ if [ -z $HOST ]; then
 fi
 
 NAME="remsh$$@$HOST"
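Review bot: only context lines of this `@@ -24,6 +24,6 @@` hunk survive in the mail, so the changed line cannot be reviewed here; of what is visible, `NAME="remsh$$@$HOST"` builds the node name from `$HOST`, which the header's `if [ -z $HOST ]` tests unquoted. Quote it (`[ -z "$HOST" ]`) so an unusual value fails the test instead of producing a shell error.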

Review Comment:
   I think it was maybe optional previously with the `{verify_fun, {inet_tls_dist, verify_client, undefined}},` option, but I am getting confused at this point.
   
   Jessica and I have independently shown that 'node1@127.0.0.1' can start up with node2-dist.conf (which points at node2-cert.pem which has the dirname of 'node2') and still ping 'node2@127.0.0.1' which uses node2-dist.conf also.
   
   So Erlang does not check the node name embedded in the cert and apparently cannot be configured to do so.
   
   The `inet_tls_dist:cert_nodes/1` function (and parse_extensions) just exists to tease me.





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1211852216


##########
src/couch_dist/README.md:
##########
@@ -0,0 +1,160 @@
+# couch_dist
+
+`couch_dist` implements a custom distribution protocol -- `couch`, which allows
+nodes to connect using different protocols, such as Transport Layer Security
+(TLS) and Transmission Control Protocol (TCP).
+
+`TLS` can provide extra verification and security, but requires proper
+certificates and configuration to set up the environment.
+
+## Set up a custom Erlang distribution
+
+1. Specify the distribution protocol in `vm.args`
+2. Specify different distribution protocols for different nodes in `vm.args`
+3. Generate certificates using `certs`
+4. Specify security and other SSL options in `couch_dist.conf`
+
+Examples:
+
+1. `vm.args`:
+
+      ```vm.args
+      -proto_dist couch
+      -couch_dist no_tls '"clouseau@127.0.0.1"'
+      -ssl_dist_optfile </absolute/path/to/couch_dist.conf>
+      ```
+
+2. `couch_dist.conf`:
+
+    - `erlserver.pem`: contains the certificate and its private key.
+    - `{verify, verify_peer}`: you can specify the hostname with `{server_name_indication, <hostname>}`.
+    - `{fail_if_no_peer_cert, true}`: should be used on the server side only,
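Review bot: the `vm.args` example's `-couch_dist no_tls '"clouseau@127.0.0.1"'` is the mechanism that exempts a node from TLS, and the text above only says nodes "can connect using different protocols"; state plainly that every name in the `no_tls` list talks plain, unauthenticated TCP, so the list should hold only nodes that cannot do TLS (here clouseau). Also, the fence tag `vm.args` is not a language name; use `text` so renderers do not guess.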

Review Comment:
   How about adding this to the `gen_cert` script?
   Generate different `couch_dist.conf` files for different erlang versions.
   ```bash
   ERL_VER=$(erl -eval "io:put_chars(erlang:system_info(otp_release)), halt()." -noshell)
   if [ $ERL_VER -ge "26" ]; then
     OPTS="{verify, verify_peer}"
   else
     OPTS="{verify, verify_peer},
     {fail_if_no_peer_cert, true}"
   fi
   ```





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1202645855


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",

Review Comment:
   On OTP 26, `127.0.0.1` works fine because I can specify `server_name_indication` in the conf file.
   However, in OTP 25, if the IP is `127.0.0.1`, I tried different hostnames (CN), and the verify process always returns `hostname_check_failed`. If I set the local.ini bind_address to `0.0.0.0`, using my hostname as CN, there are no errors.





[GitHub] [couchdb] nickva commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "nickva (via GitHub)" <gi...@apache.org>.
nickva commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1198604139


##########
configure:
##########
@@ -69,22 +69,58 @@ Options:
 EOF
 }
 
-# This is just an example to generate a certfile for TLS distribution.
-# This is not an endorsement of specific expiration limits, key sizes, or algorithms.
+# Just an example to generate certificates for TLS distribution.
+# It's not an endorsement of specific expiration limits, key sizes, or algorithms.
 generate_tls_dev_cert() {
-    if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
-        openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
-        cat key.pem cert.pem > dev/erlserver.pem && rm key.pem cert.pem
-    fi
+    if [ "$ERLANG_VER" -lt 26 ]; then
+        if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
+            openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
+            cat key.pem cert.pem > dev/erlserver.pem && rm key.pem cert.pem
+        fi
 
-    if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
-        cat > "${rootdir}/dev/couch_ssl_dist.conf" << EOF
-[{server,
-  [{certfile, "${rootdir}/dev/erlserver.pem"},
-   {secure_renegotiate, true}]},
- {client,
-  [{secure_renegotiate, true}]}].
+        if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
+            cat >"${rootdir}/dev/couch_ssl_dist.conf" <<EOF
+[{server, [
+    {certfile, "${rootdir}/dev/erlserver.pem"},
+    {secure_renegotiate, true}
+  ]},
+  {client, [
+    {secure_renegotiate, true}
+  ]}
+].
 EOF
+        fi
+    else
+        if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
+            echo "Make sure to use different values for the Common Name (FQDN) in CA certificate and certificate."
+            read -p "Common Name (CA certificate): " fqdn_ca
+            read -p "Common Name (certificate): " fqdn
+
+            echo "Generate CA certificate:"
+            openssl genrsa 2048 >ca-key.pem
+            openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem -subj "/CN=$fqdn_ca"
+            echo "Generate certificate:"
+            openssl req -newkey rsa:2048 -nodes -days 3650 -keyout key.pem -out req.pem -subj "/CN=$fqdn"
+            openssl x509 -req -days 3650 -set_serial 01 -in req.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem
+            openssl verify -CAfile ca-cert.pem ca-cert.pem cert.pem
+            cat key.pem cert.pem >dev/erlserver.pem && mv ca-cert.pem dev/ && rm ca-key.pem key.pem cert.pem req.pem
+        fi
+
+        if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
+            cat >"${rootdir}/dev/couch_ssl_dist.conf" <<EOF
+[{server, [
+    {certfile, "${rootdir}/dev/erlserver.pem"},
+    {secure_renegotiate, true}
+  ]},
+  {client, [
+    {secure_renegotiate, true},
+    {verify, verify_peer},
+    {cacertfile, "${rootdir}/dev/ca-cert.pem"},
+    {server_name_indication, "$fqdn"}
+  ]}
+].
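Review bot: `read -p "Common Name (CA certificate): " fqdn_ca` (and the line after it) uses bash's `-p`, which a POSIX `sh` such as dash rejects, so the OTP 26 branch fails if this script runs under a plain `sh`; use `printf '%s' "Common Name (CA certificate): "` followed by `read fqdn_ca`. In addition, `openssl req ... -subj "/CN=$fqdn"` produces a certificate with a CN and no subjectAltName, while hostname verification checks the SAN first and treats the CN only as a fallback; pass an `-extfile` containing `subjectAltName=DNS:$fqdn` to the `openssl x509 -req` step so the name is carried in a SAN.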

Review Comment:
   Wonder if it makes sense to use `{fail_if_no_peer_cert, true}` as well. Just guessing that users would go for an mTLS (mutual TLS) setup of some sort. Maybe something like this could work?
   
   ```
   [{server, [
       {certfile, ".../erlserver.pem"},
       {cacertfile, ".../ca-cert.pem"},
       {verify, verify_peer},
       {secure_renegotiate, true},
       {fail_if_no_peer_cert, true}
     ]},
     {client, [
       {cacertfile, ".../ca-cert.pem"},
       {certfile, ".../erlserver.pem"},
       {verify, verify_peer},
       {secure_renegotiate, true},
       {server_name_indication, "localhost"}
     ]}
   ].
   ```



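The option combinations this thread keeps circling back to (the OTP warning wants `verify_peer` plus `cacertfile`/`cacerts`, `fail_if_no_peer_cert` belongs on the server side only, and `server_name_indication` supplies the hostname the client checks) can be checked mechanically before a node is started. The Python below is an added example, not CouchDB or PR code: it parses an `ssl_dist_optfile` such as `couch_ssl_dist.conf` and reports the weak combinations; the two sample files and their `/opt/couchdb` paths are constructed here, modelled on the confs quoted in the thread.

```python
"""Lint an Erlang ssl_dist_optfile (couch_ssl_dist.conf) for the option
combinations discussed in the PR.  Added example; not CouchDB's own code."""
import re

# One token per match: whitespace, % comment, "string", atom, or punctuation.
TOKEN_RE = re.compile(r'\s+|%[^\n]*|"(?:[^"\\]|\\.)*"|[a-z][A-Za-z0-9_@]*|[\[\]{},.]')


class Atom(str):
    """An Erlang atom such as verify_peer or true (a str subclass, so it compares to 'verify_peer')."""


def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos, tok = m.end(), m.group(0)
        if not (tok[0].isspace() or tok[0] == "%"):
            tokens.append(tok)
    return tokens


def _parse(tokens, i):
    """Parse one term at tokens[i]: [..] -> list, {..} -> tuple, "s" -> str, atom -> Atom."""
    tok = tokens[i]
    if tok in ("[", "{"):
        close = "]" if tok == "[" else "}"
        items, i = [], i + 1
        while tokens[i] != close:
            item, i = _parse(tokens, i)
            items.append(item)
            if tokens[i] == ",":
                i += 1
            elif tokens[i] != close:
                raise ValueError(f"expected ',' or {close!r} at token {i}")
        return (items if close == "]" else tuple(items)), i + 1
    if tok.startswith('"'):
        return tok[1:-1].replace('\\"', '"'), i + 1
    if tok in "]},.":
        raise ValueError(f"unexpected {tok!r} at token {i}")
    return Atom(tok), i + 1


def parse_term(text):
    """Parse a single Erlang term that ends in '.' into Python lists/tuples/Atoms."""
    tokens = tokenize(text)
    if tokens and tokens[-1] == ".":
        tokens.pop()
    term, end = _parse(tokens, 0)
    if end != len(tokens):
        raise ValueError("trailing tokens after the term")
    return term


def lint(conf_text):
    """Return (role, level, message) findings for the server and client option lists."""
    findings = []
    roles = dict(parse_term(conf_text))          # {Atom('server'): [...], Atom('client'): [...]}
    for role in ("server", "client"):
        opts = dict(roles.get(Atom(role), []))   # {Atom(option): value}
        verify = opts.get("verify")
        if verify != "verify_peer":
            findings.append((role, "error", "verify is not verify_peer: the peer is not authenticated"))
        elif "cacertfile" not in opts and "cacerts" not in opts:
            # Exactly the combination the OTP warning in the PR description asks for.
            findings.append((role, "error", "verify_peer without cacertfile/cacerts: no path validation"))
        if role == "server":
            if "certfile" not in opts:
                findings.append((role, "error", "no certfile: the node cannot present a certificate"))
            if verify == "verify_peer" and opts.get("fail_if_no_peer_cert") != "true":
                findings.append((role, "warn", "client certs requested but optional (no fail_if_no_peer_cert)"))
        else:
            if "fail_if_no_peer_cert" in opts:
                findings.append((role, "error", "fail_if_no_peer_cert is server-side only; OTP 26 rejects it here"))
            if verify == "verify_peer" and "server_name_indication" not in opts:
                findings.append((role, "warn", "no server_name_indication: hostname check uses the node's host"))
    return findings


# Constructed sample: the PR's first conf, which silences the warning with verify_none.
VERIFY_NONE_CONF = """
[{server, [{certfile, "/opt/couchdb/dev/erlserver.pem"}, {secure_renegotiate, true}]},
 {client, [{secure_renegotiate, true}, {verify, verify_none}]}].
"""

# Constructed sample modelled on the mutual-TLS conf proposed in the review.
MTLS_CONF = """
[{server, [{certfile, "/opt/couchdb/dev/erlserver.pem"},
           {cacertfile, "/opt/couchdb/dev/ca-cert.pem"},
           {verify, verify_peer}, {secure_renegotiate, true}, {fail_if_no_peer_cert, true}]},
 {client, [{cacertfile, "/opt/couchdb/dev/ca-cert.pem"},
           {certfile, "/opt/couchdb/dev/erlserver.pem"},
           {verify, verify_peer}, {secure_renegotiate, true},
           {server_name_indication, "localhost"}]}].
"""

if __name__ == "__main__":
    for name, conf in (("verify_none", VERIFY_NONE_CONF), ("mtls", MTLS_CONF)):
        for role, level, msg in lint(conf) or [("-", "ok", "no findings")]:
            print(f"{name}: [{level}] {role}: {msg}")
```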


[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1207356315


##########
dev/remsh-tls:
##########
@@ -24,6 +24,6 @@ if [ -z $HOST ]; then
 fi
 
 NAME="remsh$$@$HOST"

Review Comment:
   So
   
   ```
   commit 5586959ed008c09141689f1e8865476150e48519
   Author: Raimo Niskanen <ra...@erlang.org>
   Date:   Thu Apr 26 09:37:24 2018 +0200
   
       Allow check for node name
   ```
   
   I think introduced the ability to check the node names from the data in the certificate
   
   and
   
   ```
   commit 794df8cbba8d7942dcb3bf2cbdfa526b04d41dd3
   Author: Raimo Niskanen <ra...@erlang.org>
   Date:   Fri Jun 8 15:49:06 2018 +0200
   
       Use public_key to verify client hostname
   ```
   removed it (and used the net_kernel:allow list to restrict node names instead).
   
   They just left the cert_nodes function in, but it's unreachable?





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1205420110


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",

Review Comment:
   Standalone demo:
   
   start_ssl.rel
   
   ```
   {release, {"OTP  APN 181 01","R15A"}, {erts, "10.7"},
         [{kernel,"8.3.2.3"},
         {stdlib,"3.17.2.2"},
         {crypto, "5.0.6.3"},
         {public_key, "1.12.0.1"},
         {sasl, "4.1.2"},
         {asn1, "5.0.18.1"},
         {ssl, "10.7.3.6"}
         ]}.
   ```
   
   ```
   > systools:make_script("start_ssl",[]).
   ok
   ```
   
   couchdb.sh
   ```
   #!/bin/sh
   
   mkdir -p out
   
   ./certs self-signed \
       --out-cert out/ca-cert.pem --out-key out/ca-key.pem \
       --template root-ca \
       --subject '/CN=CouchDB Root CA'
   
   for NODE in $@; do
       ./certs create-cert \
       --issuer-cert out/ca-cert.pem --issuer-key out/ca-key.pem \
       --out-cert "out/${NODE}-cert.pem" --out-key "out/${NODE}-key.pem" \
       --template node \
       --subject '/OU=CouchDB' \
       --host 127.0.0.1 \
       --node "${NODE}"
   
       cat <<EOF > out/$NODE-dist.conf
   [
     {server, [
       {cacertfile, "$(pwd)/out/ca-cert.pem"},
       {certfile,   "$(pwd)/out/${NODE}-cert.pem"},
       {keyfile,    "$(pwd)/out/${NODE}-key.pem"},
       {secure_renegotiate, true},
       {verify, verify_peer},
       {fail_if_no_peer_cert, true}
     ]},
     {client, [
       {cacertfile, "$(pwd)/out/ca-cert.pem"},
       {certfile,   "$(pwd)/out/${NODE}-cert.pem"},
       {keyfile,    "$(pwd)/out/${NODE}-key.pem"},
       {secure_renegotiate, true},
       {verify, verify_peer},
       {fail_if_no_peer_cert, true}
     ]}
   ].
   EOF
   
   done
   ```
   
   ```
   ./couchdb.sh node1 node2 node3
   ```
   
   Then start up two nodes:
   
   ```
   erl -boot ./start_ssl -proto_dist inet_tls -ssl_dist_optfile out/node1-dist.conf -name node1@127.0.0.1
   ```
   
   ```
   erl -boot ./start_ssl -proto_dist inet_tls -ssl_dist_optfile out/node2-dist.conf -name node2@127.0.0.1
   ```
   
   Then ping:
   
   ```
   Eshell V12.3.2.9  (abort with ^G)
   (node2@127.0.0.1)1> net_adm:ping('node1@127.0.0.1').
   pong
   (node2@127.0.0.1)2>
   ```
   
   no `Authenticity is not established by certificate path validation` warning, yay!





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: Fix warnings about TLS distribution

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1186734984


##########
rel/overlay/etc/vm.args:
##########
@@ -82,7 +82,8 @@
 ##      [{certfile, "</path/to/erlserver.pem>"},
 ##       {secure_renegotiate, true}]},
 ##     {client,
-##      [{secure_renegotiate, true}]}].
+##      [{secure_renegotiate, true},
+##       {verify, verify_none}]}].
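Review bot: `{verify, verify_none}` makes the warning go away by disabling certificate path validation, so the client side of the distribution still accepts any server certificate; placed in the commented example in `vm.args` it becomes the template operators copy. Prefer `{verify, verify_peer}` together with a `{cacertfile, "</path/to/ca-cert.pem>"}` entry, which is the combination the warning itself names, and keep `verify_none` out of the sample.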

Review Comment:
   I tried to use `{verify, verify_peer}`, but got errors about bad certificates, or the shell just hung with `*** ERROR: Shell process terminated!`. So I added `{verify, verify_none}` to suppress the warning.
   ```
   *** ERROR: Shell process terminated! (^G to start new job) ***
   =NOTICE REPORT==== 6-May-2023::13:58:20.360922 ===
   TLS client: In state certify at ssl_handshake.erl:2080 generated CLIENT ALERT: Fatal - Bad Certificate
   ```
   I'll read more and try to figure out how to use `verify_peer`.





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1207018192


##########
dev/run:
##########
@@ -524,6 +544,20 @@ def hack_local_ini(ctx, contents):
     return contents + "\n\n[chttpd_auth]\nsecret = %s\n" % COMMON_SALT
 
 
+def hack_vm_args(ctx, node, contents):
+    contents += f"""
+-proto_dist couch
+-couch_dist no_tls '"clouseau@127.0.0.1"'
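Review bot: `hack_vm_args(ctx, node, contents)` receives `node`, but the visible body appends a fixed `-couch_dist no_tls '"clouseau@127.0.0.1"'` to every node's `vm.args`, so the exemption list cannot vary per node or per run. Build that line from the context (the node that is meant to use TCP) rather than hard-coding clouseau, and leave the `no_tls` line out entirely when there is nothing to exempt.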

Review Comment:
   Changed, thanks for the review!





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1204723351


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",

Review Comment:
   What we'd actually need:
   
   ```
   ...
   {'Extension',{2,5,29,17},false,[{dNSName,"127.0.0.1"}]},
     {'Extension',{2,5,29,17},
     false,
     [{directoryName,{rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},
       {utf8String,<<"node1">>}}]]}}]}]},
   ...
   5> inet_tls_dist:cert_nodes(OTPCert).
   ["node1@127.0.0.1"]
   ```





[GitHub] [couchdb] nickva commented on a diff in pull request #4575: Suppress warnings about TLS distribution

Posted by "nickva (via GitHub)" <gi...@apache.org>.
nickva commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1197058061


##########
rel/overlay/etc/vm.args:
##########
@@ -108,9 +109,10 @@
 ## By default that would be "clouseau@127.0.0.1".
 ## Don't forget to override the paths to point to your certificate(s) and key(s)!
 ##
-#-proto_dist couch
-#-couch_dist no_tls '"clouseau@127.0.0.1"'
-#-ssl_dist_optfile <path/to/couch_ssl_dist.conf>
+-proto_dist couch
+-couch_dist no_tls '"clouseau@127.0.0.1"'
+-couch_dist no_tls '"node2@127.0.0.1"'
+-ssl_dist_optfile /Users/jiahuili/src/a/dev/couch_ssl_dist.conf
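Review bot: `-ssl_dist_optfile /Users/jiahuili/src/a/dev/couch_ssl_dist.conf` is a path from one developer's home directory, and the three uncommented lines above it switch the shipped `vm.args` to the couch distribution by default; every other installation would start with a `no_tls` list and an optfile that do not exist. Keep these lines commented out as the removed `#` lines were, and restore the `<path/to/couch_ssl_dist.conf>` placeholder.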

Review Comment:
   These are mostly for testing; we don't want to enable this by default?





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1207357373


##########
dev/remsh-tls:
##########
@@ -24,6 +24,6 @@ if [ -z $HOST ]; then
 fi
 
 NAME="remsh$$@$HOST"

Review Comment:
   May I keep your `elixir-certs` fork in this demo, as it might be used for a `real` cluster setup?
   I can modify the `gen_cert` script to use the `server` template and point to one conf and certificate.





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1211075368


##########
src/couch_dist/README.md:
##########
@@ -0,0 +1,160 @@
+# couch_dist
+
+`couch_dist` implements a custom distribution protocol -- `couch`, which allows
+nodes to connect using different protocols, such as Transport Layer Security
+(TLS) and Transmission Control Protocol (TCP).
+
+`TLS` can provide extra verification and security, but requires proper
+certificates and configuration to set up the environment.
+
+## Set up a custom Erlang distribution
+
+1. Specify the distribution protocol in `vm.args`
+2. Specify different distribution protocols for different nodes in `vm.args`
+3. Generate certificates using `certs`
+4. Specify security and other SSL options in `couch_dist.conf`
+
+Examples:
+
+1. `vm.args`:
+
+      ```vm.args
+      -proto_dist couch
+      -couch_dist no_tls '"clouseau@127.0.0.1"'
+      -ssl_dist_optfile </absolute/path/to/couch_dist.conf>
+      ```
+
+2. `couch_dist.conf`:
+
+    - `erlserver.pem`: contains the certificate and its private key.
+    - `{verify, verify_peer}`: you can specify the hostname with `{server_name_indication, <hostname>}`.
+    - `{fail_if_no_peer_cert, true}`: should be used on the server side only,
+      see [OTP 26 Highlights](https://www.erlang.org/blog/otp-26-highlights/#ssl-improved-checking-of-options).
+
+       ```couch_dist.conf
+       [
+         {server, [
+           {cacertfile, "</absolute/path/to/ca-cert.pem>"},
+           {certfile, "</absolute/path/to/erlserver.pem>"},
+           {secure_renegotiate, true},
+           {verify, verify_peer},
+           {fail_if_no_peer_cert, true}
+         ]},
+         {client, [
+           {cacertfile, "</absolute/path/to/ca-cert.pem>"},
+           {certfile, "</absolute/path/to/cert.pem>"},
+           {keyfile, "</absolute/path/to/key.pem>"},
+           {secure_renegotiate, true},
+           {verify, verify_peer},
+           {server_name_indication, "<hostname>"}
+         ]}
+       ].
+       ```
+
+## Generate Certificate
+
+This is an example of using `elixir-certs` to generate certificates, but it is
+not an endorsement of a specific expiration limit, key size or algorithm.
+
+```bash
+cd src/couch_dist/certs
+
+# Generate CA certificate and key
+./certs self-signed \
+  --out-cert ca-cert.pem --out-key ca-key.pem \
+  --template root-ca \
+  --subject "/CN=CouchDB Root CA"
+
+# Generate node certificate and key
+./certs create-cert \
+  --issuer-cert ca-cert.pem --issuer-key ca-key.pem \
+  --out-cert cert.pem --out-key key.pem \
+  --template server \
+  --subject "/CN=127.0.0.1"
+
+# Generate `erlserver.pem`
+cat key.pem cert.pem >erlserver.pem
+
+# Parse certificate to verify:
+# {server_name_indication, "<hostname>"}

Review Comment:
   removed





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: Suppress warnings about TLS distribution

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1196824522


##########
configure:
##########
@@ -73,17 +73,43 @@ EOF
 # This is not an endorsement of specific expiration limits, key sizes, or algorithms.
 generate_tls_dev_cert() {
     if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
-        openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
-        cat key.pem cert.pem > dev/erlserver.pem && rm key.pem cert.pem
+        openssl genrsa 2048 > ca-key.pem
+        openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem
+        openssl req -newkey rsa:2048 -nodes -days 3650 -keyout key.pem -out req.pem
+        openssl x509 -req -days 3650 -set_serial 01 -in req.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem
+        openssl verify -CAfile ca-cert.pem ca-cert.pem cert.pem
+        cat key.pem cert.pem > dev/erlserver.pem && mv ca-cert.pem dev/ && rm ca-key.pem key.pem cert.pem req.pem
     fi
 
     if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
         cat > "${rootdir}/dev/couch_ssl_dist.conf" << EOF
-[{server,
-  [{certfile, "${rootdir}/dev/erlserver.pem"},
-   {secure_renegotiate, true}]},
- {client,
-  [{secure_renegotiate, true}]}].
+[{server, [
+    {certfile, "${rootdir}/dev/erlserver.pem"},
+    {secure_renegotiate, true}
+  ]},
+  {client, [
+    {secure_renegotiate, true},
+    {verify, verify_peer},
+    {cacertfile, "${rootdir}/dev/ca-cert.pem"},
+    {fail_if_no_peer_cert, true},
+    {verify_fun, {
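Review bot: the client stanza carries `{fail_if_no_peer_cert, true}`, which is a server-side option (it controls whether the server rejects a client that presents no certificate), while the server stanza has no `{verify, verify_peer}` or `cacertfile` at all, so a node accepting a distribution connection never authenticates the peer that connects to it; put `verify_peer`, `cacertfile` and `fail_if_no_peer_cert` on the server side too so that authentication is mutual. Also, `-days 3650` on the `openssl req -newkey ... -out req.pem` line is ignored for a CSR (it only applies together with `-x509`), and `cat key.pem cert.pem > dev/erlserver.pem` writes relative to the current directory while the guard tests `${rootdir}/dev/erlserver.pem`, so the two can disagree when `configure` is run from elsewhere.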

Review Comment:
   The problem with this approach is that the TLS distribution starts earlier than other modules, even earlier than the standard io drivers. If we use a custom module function in the conf file, it will throw an error about `undefined function`.





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1212303687


##########
src/couch_dist/README.md:
##########
@@ -0,0 +1,160 @@
+# couch_dist
+
+`couch_dist` implements a custom distribution protocol -- `couch`, which allows
+nodes to connect using different protocols, such as Transport Layer Security
+(TLS) and Transmission Control Protocol (TCP).
+
+`TLS` can provide extra verification and security, but requires proper
+certificates and configuration to set up the environment.
+
+## Set up a custom Erlang distribution
+
+1. Specify the distribution protocol in `vm.args`
+2. Specify different distribution protocols for different nodes in `vm.args`
+3. Generate certificates using `certs`
+4. Specify security and other SSL options in `couch_dist.conf`
+
+Examples:
+
+1. `vm.args`:
+
+      ```vm.args
+      -proto_dist couch
+      -couch_dist no_tls '"clouseau@127.0.0.1"'
+      -ssl_dist_optfile </absolute/path/to/couch_dist.conf>
+      ```
+
+2. `couch_dist.conf`:
+
+    - `erlserver.pem`: contains the certificate and its private key.
+    - `{verify, verify_peer}`: you can specify the hostname with `{server_name_indication, <hostname>}`.
+    - `{fail_if_no_peer_cert, true}`: should be used on the server side only,

Review Comment:
   Thank you. I re-read https://www.erlang.org/doc/apps/ssl/ssl_distribution.html and I think you are right. No need for `{fail_if_no_peer_cert, true}` on the client config side.





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1211074602


##########
src/couch_dist/README.md:
##########
@@ -0,0 +1,160 @@
+# couch_dist
+
+`couch_dist` implements a custom distribution protocol -- `couch`, which allows
+nodes to connect using different protocols, such as Transport Layer Security
+(TLS) and Transmission Control Protocol (TCP).
+
+`TLS` can provide extra verification and security, but requires proper
+certificates and configuration to set up the environment.
+
+## Set up a custom Erlang distribution
+
+1. Specify the distribution protocol in `vm.args`
+2. Specify different distribution protocols for different nodes in `vm.args`
+3. Generate certificates using `certs`
+4. Specify security and other SSL options in `couch_dist.conf`
+
+Examples:
+
+1. `vm.args`:
+
+      ```vm.args
+      -proto_dist couch
+      -couch_dist no_tls '"clouseau@127.0.0.1"'
+      -ssl_dist_optfile </absolute/path/to/couch_dist.conf>
+      ```
+
+2. `couch_dist.conf`:
+
+    - `erlserver.pem`: contains the certificate and its private key.
+    - `{verify, verify_peer}`: you can specify the hostname with `{server_name_indication, <hostname>}`.
+    - `{fail_if_no_peer_cert, true}`: should be used on the server side only,

Review Comment:
   The connection succeeds on OTP 24 and 25 but fails on OTP 26.
   `./dev/remsh-tls` fails to connect to node1 if `{fail_if_no_peer_cert, true}` is present on the client side.
   
   See https://www.erlang.org/blog/otp-26-highlights/#ssl-improved-checking-of-options
   





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1211075868


##########
src/couch_dist/gen_certs:
##########
@@ -0,0 +1,45 @@
+#!/bin/sh
+set -e
+
+cur_dir="$(cd "${0%/*}" 2>/dev/null; echo "${PWD}")"
+certs_dir="${cur_dir}/certs"
+cd "${certs_dir}"
+mkdir -p "${certs_dir}/out"
+
+if [ ! -e "${certs_dir}/out/ca-cert.pem" ]; then
+  ./certs self-signed \
+    --out-cert out/ca-cert.pem --out-key out/ca-key.pem \
+    --template root-ca \
+    --subject "/CN=CouchDB Root CA"
+fi
+
+if [ ! -e "${certs_dir}/out/cert.pem" ]; then
+  ./certs create-cert \
+    --issuer-cert out/ca-cert.pem --issuer-key out/ca-key.pem \
+    --out-cert out/cert.pem --out-key out/key.pem \
+    --template server \
+    --subject "/CN=127.0.0.1"
+fi
+
+if [ ! -e "${certs_dir}/out/couch_dist.conf" ]; then
+  cat <<EOF >"${certs_dir}/out/couch_dist.conf"
+[
+  {server, [
+    {cacertfile, "$(pwd)/out/ca-cert.pem"},
+    {certfile,   "$(pwd)/out/cert.pem"},
+    {keyfile,    "$(pwd)/out/key.pem"},
+    {secure_renegotiate, true},
+    {verify, verify_peer},
+    {fail_if_no_peer_cert, true}
+  ]},
+  {client, [
+    {cacertfile, "$(pwd)/out/ca-cert.pem"},
+    {certfile,   "$(pwd)/out/cert.pem"},
+    {keyfile,    "$(pwd)/out/key.pem"},
+    {secure_renegotiate, true},
+    {verify, verify_peer},
+    {server_name_indication, "127.0.0.1"}
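Review bot: the two `[ ! -e ... ]` guards are independent, so if `out/ca-cert.pem` is removed and regenerated while `out/cert.pem` still exists, the node certificate keeps its signature from the old CA and the written `couch_dist.conf` pairs it with the new `cacertfile`, which then fails verification; regenerate `cert.pem`/`key.pem` whenever the CA is regenerated (for example by also keying the second guard on the CA file, or by clearing `out/` as a whole). Note too that the same `out/cert.pem`/`out/key.pem` serve as both the server and the client identity, which is fine for a node but means the `server`-template certificate also has to pass the peer verification the server side now performs.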

Review Comment:
   removed





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1207138606


##########
dev/remsh-tls:
##########
@@ -24,6 +24,6 @@ if [ -z $HOST ]; then
 fi
 
 NAME="remsh$$@$HOST"

Review Comment:
   will we need to generate a remsh certificate dynamically now?





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: Fix warnings about TLS distribution

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1186735302


##########
src/docs/src/cluster/tls_erlang_distribution.rst:
##########
@@ -36,10 +36,11 @@ the ``certificate`` and its ``private key``.
     .. code-block:: text
 
         [{server,
-          [{certfile, "</path/to/erlserver.pem>"},
+          [{certfile, "<absolute_path/to/erlserver.pem>"},

Review Comment:
   Add leading `/`, thanks for your review.





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1204408235


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",
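Review bot: `"bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1"` makes enabling TLS for the distribution silently bind the HTTP interface of every dev node to all interfaces, which is an unrelated and wider exposure than the change needs; if a non-loopback address is only required so that the name in the certificate resolves, bind to that hostname's address (or keep `127.0.0.1` and issue the certificate for it) rather than `0.0.0.0`.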

Review Comment:
   it's more complicated than that. reading `inet_tls_dist.erl` makes it clear that they expect the host name part in the SAN field and the node name in a utf8string as a commonName under a directoryName. I have not yet persuaded openssl to generate a certificate that `inet_tls_dist:cert_nodes/1` is happy with. I think the author(s) of `inet_tls_dist` has made a cryptic choice;
   
   ```
   %% Look in Extensions, in all subjectAltName:s
   %% to find node names in this certificate.
   %% Host names are picked up as a subjectAltName containing
   %% a dNSName, and the first subjectAltName containing
   %% a commonName is the node name.
   %%
   ```
   
   The nearest I can get so far is;
   
   ```
    [{'Extension',{2,5,29,17},
     false,
     [{dNSName,"127.0.0.1"},
     {directoryName,{rdnSequence,[[{'AttributeTypeAndValue',{2,5, 4,3},
       <<12,7,99,111,117,99,104,100,98>>}]]}}]},
   ```
   
   `cert_nodes` finds the hostname but because the `<<12,7,99,111,117,99,104,100,98>>` is not a `utf8String` tuple it doesn't find the node name.
   
   This is the (bizarre) way I have managed to add the dirName to the certificate. all other methods have failed (like the invitingly simple `-addext`).
   
   ```
   printf "[SAN]\nsubjectAltName=DNS:127.0.0.1,dirName:dir_ext\n[dir_ext]\nCN=couchdb\n" > ext.cnf
   openssl x509 -req -days 3650 -set_serial 01 -in node-req.pem -out node-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -extfile ext.cnf -extensions SAN 
   ```
   
   Thus far I think the openssl cli is mediocre and you can't actually do everything there that openssl is capable of. It seems you _must_ use openssl conf files to do anything interesting.
   
   This has, so far, been frustrating and illuminating.
   


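Added example (not part of the PR or of OTP): a stdlib-only DER walker that splits the subjectAltName structure quoted above into host names (dNSName) and node names (directoryName commonName), following the quoted `inet_tls_dist` comment. The sample SAN is constructed by hand from the decoded form shown in the comment; its CN value is exactly the `<<12,7,99,111,117,99,104,100,98>>` bytes, which decode as tag 12 (UTF8String), length 7, `couchdb`.

```python
"""Decode the subjectAltName structure inet_tls_dist looks at (added example)."""

# DER (X.690) universal tags used below.
SEQUENCE, SET = 0x30, 0x31
UTF8STRING, PRINTABLESTRING = 0x0C, 0x13
OID_COMMON_NAME = bytes([0x55, 0x04, 0x03])  # 2.5.4.3, id-at-commonName

# Constructed sample: the SAN from the PR comment re-encoded as DER by hand,
#   dNSName "127.0.0.1" plus directoryName CN=couchdb, where the CN value is
#   the <<12,7,99,111,117,99,104,100,98>> bytes shown in the comment.
CN_VALUE = bytes([12, 7, 99, 111, 117, 99, 104, 100, 98])
ATV = bytes([SEQUENCE, 14, 0x06, 3]) + OID_COMMON_NAME + CN_VALUE  # AttributeTypeAndValue
RDN = bytes([SET, len(ATV)]) + ATV                                 # RelativeDistinguishedName
NAME = bytes([SEQUENCE, len(RDN)]) + RDN                           # Name (RDNSequence)
DNS_NAME = bytes([0x82, 9]) + b"127.0.0.1"                         # [2] IMPLICIT IA5String
DIR_NAME = bytes([0xA4, len(NAME)]) + NAME                         # [4] EXPLICIT Name
SAMPLE_SAN = bytes([SEQUENCE, len(DNS_NAME) + len(DIR_NAME)]) + DNS_NAME + DIR_NAME

TAG_NAMES = {UTF8STRING: "utf8String", PRINTABLESTRING: "printableString"}


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    """Yield (tag, value) for each top-level DER element in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def common_names(name_der):
    """Yield (value_tag, text) for every commonName attribute in an RDNSequence."""
    for _, rdn in iter_tlvs(name_der):          # each RDN is a SET OF ATV
        for _, atv in iter_tlvs(rdn):           # each ATV is SEQUENCE {type, value}
            (_, oid), (vtag, val) = list(iter_tlvs(atv))[:2]
            if oid == OID_COMMON_NAME:
                yield vtag, val.decode("utf-8")


def san_names(san_der):
    """Split a SAN extension value into host names and node names, as the
    quoted inet_tls_dist comment describes: dNSName entries are host names,
    the commonName inside a directoryName entry is a node name."""
    _, general_names, _ = read_tlv(san_der)     # content of the outer SEQUENCE
    hosts, nodes = [], []
    for tag, value in iter_tlvs(general_names):
        if tag == 0x82:                         # dNSName
            hosts.append(value.decode("ascii"))
        elif tag == 0xA4:                       # directoryName wraps a Name
            _, name_der, _ = read_tlv(value)
            nodes.extend(common_names(name_der))
    return hosts, nodes


def describe_cn_value(value_der):
    """Name the string type of a raw CN attribute value such as <<12,7,...>>."""
    tag, text, _ = read_tlv(value_der)
    return TAG_NAMES.get(tag, "tag %d" % tag), text.decode("utf-8")


if __name__ == "__main__":
    print(san_names(SAMPLE_SAN))
    print(describe_cn_value(CN_VALUE))
```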

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1207356315


##########
dev/remsh-tls:
##########
@@ -24,6 +24,6 @@ if [ -z $HOST ]; then
 fi
 
 NAME="remsh$$@$HOST"

Review Comment:
   So
   
   ```
   commit 5586959ed008c09141689f1e8865476150e48519
   Author: Raimo Niskanen <ra...@erlang.org>
   Date:   Thu Apr 26 09:37:24 2018 +0200
   
       Allow check for node name
   ```
   
   I think introduced the ability to check the node names also, from the data in the certificate
   
   and
   
   ```
   commit 794df8cbba8d7942dcb3bf2cbdfa526b04d41dd3
   Author: Raimo Niskanen <ra...@erlang.org>
   Date:   Fri Jun 8 15:49:06 2018 +0200
   
       Use public_key to verify client hostname
   ```
   removed it (and used the net_kernel:allow list to restrict node names instead).
   
   they just left the cert_nodes function in but it's unreachable?





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1207357373


##########
dev/remsh-tls:
##########
@@ -24,6 +24,6 @@ if [ -z $HOST ]; then
 fi
 
 NAME="remsh$$@$HOST"

Review Comment:
   May I keep your `elixir-certs` fork in this demo, as it might be used for a `real` cluster setup or maybe in the future? 
   I can modify the `gen_cert` script to use the `server` template and point to one conf and certificate.





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1211075651


##########
src/docs/src/cluster/tls_erlang_distribution.rst:
##########
@@ -29,28 +29,55 @@ Reference: `Using TLS for Erlang Distribution`_
 
 Generate Certificate
 ====================
-For TLS to work properly, at least one public key and one certificate must be
-specified. In the following example (couch_ssl_dist.conf), the PEM file contains
-the ``certificate`` and its ``private key``.
+To distribute using TLS, appropriate certificates need to be provided.
+In the following example (couch_dist.conf), the cert.pem certificate must be
+trusted by a root certificate known to the server, and the erlserver.pem file
+contains the "certificate" and its "private key".
 
     .. code-block:: text
 
         [{server,
-          [{certfile, "</path/to/erlserver.pem>"},
-           {secure_renegotiate, true}]},
+          [{cacertfile, "</absolute_path/to/ca-cert.pem>"},
+           {certfile,   "</absolute_path/to/erlserver.pem>"},
+           {secure_renegotiate, true},
+           {verify, verify_peer},
+           {fail_if_no_peer_cert, true}]},
          {client,
-          [{secure_renegotiate, true}]}].
+          [{cacertfile, "</absolute_path/to/ca-cert.pem>"},
+           {keyfile,    "</absolute_path/to/key.pem>"},
+           {certfile,   "</absolute_path/to/cert.pem>"},
+           {secure_renegotiate, true},
+           {verify, verify_peer},
+           {server_name_indication, "<hostname>"}]}].
 
-The following command is an example of generating a certificate (PEM) file.
+You can use ``{verify, verify_peer}`` to enable verification,
+but it requires appropriate certificates to verify.
+
+This is an example of generating certificates.
 
     .. code-block:: bash
 
-        $ openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
-        $ cat key.pem cert.pem > erlserver.pem && rm key.pem cert.pem
+        $ git clone https://github.com/rnewson/elixir-certs
+        $ cd elixir-certs
+        $ ./certs self-signed \
+            --out-cert ca-cert.pem --out-key ca-key.pem \
+            --template root-ca \
+            --subject '/CN=CouchDB Root CA'
+        $./certs create-cert \
+            --issuer-cert ca-cert.pem --issuer-key ca-key.pem \
+            --out-cert cert.pem --out-key key.pem \
+            --template node \
+            --subject '/OU=CouchDB' \
+            --host hostname \
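Review bot: in the bash block, `$./certs create-cert \` is missing the space after the `$` prompt, and `--host hostname` reads as a literal value where every other placeholder in this file uses the `<hostname>` convention; write `--host <hostname>`, the same name that goes into `{server_name_indication, "<hostname>"}` above. The new prose could also say explicitly that the client's `cert.pem`/`key.pem` are presented to the server and must chain to the server's `cacertfile`, since that is what `{verify, verify_peer}` on the server side checks.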

Review Comment:
   Change back to `server` template, thanks for reviewing!





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1211651389


##########
src/couch_dist/README.md:
##########
@@ -0,0 +1,160 @@
+# couch_dist
+
+`couch_dist` implements a custom distribution protocol -- `couch`, which allows
+nodes to connect using different protocols, such as Transport Layer Security
+(TLS) and Transmission Control Protocol (TCP).
+
+`TLS` can provide extra verification and security, but requires proper
+certificates and configuration to set up the environment.
+
+## Set up a custom Erlang distribution
+
+1. Specify the distribution protocol in `vm.args`
+2. Specify different distribution protocols for different nodes in `vm.args`
+3. Generate certificates using `certs`
+4. Specify security and other SSL options in `couch_dist.conf`
+
+Examples:
+
+1. `vm.args`:
+
+      ```vm.args
+      -proto_dist couch
+      -couch_dist no_tls '"clouseau@127.0.0.1"'
+      -ssl_dist_optfile </absolute/path/to/couch_dist.conf>
+      ```
+
+2. `couch_dist.conf`:
+
+    - `erlserver.pem`: contains the certificate and its private key.
+    - `{verify, verify_peer}`: you can specify the hostname with `{server_name_indication, <hostname>}`.
+    - `{fail_if_no_peer_cert, true}`: should be used on the server side only,

Review Comment:
   I think that tells us remsh-tls is not right. It needs to present a valid certificate too. It wouldn't be very secure if you could choose not to present a certificate to join the cluster.
   





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1212571411


##########
src/couch_dist/README.md:
##########
@@ -0,0 +1,160 @@
+# couch_dist
+
+`couch_dist` implements a custom distribution protocol -- `couch`, which allows
+nodes to connect using different protocols, such as Transport Layer Security
+(TLS) and Transmission Control Protocol (TCP).
+
+`TLS` can provide extra verification and security, but requires proper
+certificates and configuration to set up the environment.
+
+## Set up a custom Erlang distribution
+
+1. Specify the distribution protocol in `vm.args`
+2. Specify different distribution protocols for different nodes in `vm.args`
+3. Generate certificates using `certs`
+4. Specify security and other SSL options in `couch_dist.conf`
+
+Examples:
+
+1. `vm.args`:
+
+      ```vm.args
+      -proto_dist couch
+      -couch_dist no_tls '"clouseau@127.0.0.1"'
+      -ssl_dist_optfile </absolute/path/to/couch_dist.conf>
+      ```
+
+2. `couch_dist.conf`:
+
+    - `erlserver.pem`: contains the certificate and its private key.
+    - `{verify, verify_peer}`: you can specify the hostname with `{server_name_indication, <hostname>}`.
+    - `{fail_if_no_peer_cert, true}`: should be used on the server side only,

Review Comment:
   Reverted the `gen_cert` script so that `{fail_if_no_peer_cert, true}` only appears on the server config side.





[GitHub] [couchdb] iilyak commented on a diff in pull request #4575: Suppress warnings about TLS distribution

Posted by "iilyak (via GitHub)" <gi...@apache.org>.
iilyak commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1195492402


##########
configure:
##########
@@ -73,17 +73,43 @@ EOF
 # This is not an endorsement of specific expiration limits, key sizes, or algorithms.
 generate_tls_dev_cert() {
     if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
-        openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
-        cat key.pem cert.pem > dev/erlserver.pem && rm key.pem cert.pem
+        openssl genrsa 2048 > ca-key.pem
+        openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem
+        openssl req -newkey rsa:2048 -nodes -days 3650 -keyout key.pem -out req.pem
+        openssl x509 -req -days 3650 -set_serial 01 -in req.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem
+        openssl verify -CAfile ca-cert.pem ca-cert.pem cert.pem
+        cat key.pem cert.pem > dev/erlserver.pem && mv ca-cert.pem dev/ && rm ca-key.pem key.pem cert.pem req.pem
     fi
 
     if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
         cat > "${rootdir}/dev/couch_ssl_dist.conf" << EOF
-[{server,
-  [{certfile, "${rootdir}/dev/erlserver.pem"},
-   {secure_renegotiate, true}]},
- {client,
-  [{secure_renegotiate, true}]}].
+[{server, [
+    {certfile, "${rootdir}/dev/erlserver.pem"},
+    {secure_renegotiate, true}
+  ]},
+  {client, [
+    {secure_renegotiate, true},
+    {verify, verify_peer},
+    {cacertfile, "${rootdir}/dev/ca-cert.pem"},
+    {fail_if_no_peer_cert, true},
+    {verify_fun, {

Review Comment:
   Can you also take a look at `customize_hostname_check`? I don't know when it was introduced, but it seems to be a better way.





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1202645855


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",

Review Comment:
   On OTP 26, `127.0.0.1` works fine, since I can specify `server_name_indication` in the conf file.
   However, on OTP 25, if the IP is `127.0.0.1`, I tried different hostnames (CN) and the verify process always returns `hostname_check_failed`. If I set the local.ini bind_address to `0.0.0.0`, using my hostname as CN, there are no errors.





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1198937030


##########
configure:
##########
@@ -69,22 +69,58 @@ Options:
 EOF
 }
 
-# This is just an example to generate a certfile for TLS distribution.
-# This is not an endorsement of specific expiration limits, key sizes, or algorithms.
+# Just an example to generate certificates for TLS distribution.
+# It's not an endorsement of specific expiration limits, key sizes, or algorithms.
 generate_tls_dev_cert() {
-    if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
-        openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
-        cat key.pem cert.pem > dev/erlserver.pem && rm key.pem cert.pem
-    fi
+    if [ "$ERLANG_VER" -lt 26 ]; then
+        if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
+            openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
+            cat key.pem cert.pem > dev/erlserver.pem && rm key.pem cert.pem
+        fi
 
-    if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
-        cat > "${rootdir}/dev/couch_ssl_dist.conf" << EOF
-[{server,
-  [{certfile, "${rootdir}/dev/erlserver.pem"},
-   {secure_renegotiate, true}]},
- {client,
-  [{secure_renegotiate, true}]}].
+        if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
+            cat >"${rootdir}/dev/couch_ssl_dist.conf" <<EOF
+[{server, [
+    {certfile, "${rootdir}/dev/erlserver.pem"},
+    {secure_renegotiate, true}
+  ]},
+  {client, [
+    {secure_renegotiate, true}
+  ]}
+].
 EOF
+        fi
+    else
+        if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
+            echo "Make sure to use different values for the Common Name (FQDN) in CA certificate and certificate."
+            read -p "Common Name (CA certificate): " fqdn_ca
+            read -p "Common Name (certificate): " fqdn
+
+            echo "Generate CA certificate:"
+            openssl genrsa 2048 >ca-key.pem
+            openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem -subj "/CN=$fqdn_ca"
+            echo "Generate certificate:"
+            openssl req -newkey rsa:2048 -nodes -days 3650 -keyout key.pem -out req.pem -subj "/CN=$fqdn"
+            openssl x509 -req -days 3650 -set_serial 01 -in req.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem
+            openssl verify -CAfile ca-cert.pem ca-cert.pem cert.pem
+            cat key.pem cert.pem >dev/erlserver.pem && mv ca-cert.pem dev/ && rm ca-key.pem key.pem cert.pem req.pem
+        fi
+
+        if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
+            cat >"${rootdir}/dev/couch_ssl_dist.conf" <<EOF
+[{server, [
+    {certfile, "${rootdir}/dev/erlserver.pem"},
+    {secure_renegotiate, true}
+  ]},
+  {client, [
+    {secure_renegotiate, true},
+    {verify, verify_peer},
+    {cacertfile, "${rootdir}/dev/ca-cert.pem"},
+    {server_name_indication, "$fqdn"}
+  ]}
+].
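Review bot: `$fqdn` is only assigned inside the `if [ ! -e "${rootdir}/dev/erlserver.pem" ]` branch, so when `erlserver.pem` already exists but `couch_ssl_dist.conf` does not, the heredoc writes `{server_name_indication, ""}` and hostname verification cannot succeed; prompt for (or derive) the name before both guards, or regenerate the conf together with the certificates. `read -p` is also a bash extension, which matters if `configure` runs under `/bin/sh`. As in the earlier revision, the server stanza still has no `{verify, verify_peer}` or `cacertfile`, so only the connecting side verifies its peer.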

Review Comment:
   I'll keep trying, thanks for the suggestion.





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1202725929


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",
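Review bot: `"bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1"` widens the bind address from loopback to every interface as a side effect of turning on TLS for the distribution protocol; those are separate decisions, and a dev cluster that now accepts connections from the network should be an explicit opt-in (say, a `--bind-address` option) rather than implied by `-t`. The line above it also ties the expected certificate host to `socket.gethostname()`, so certificate generation must put exactly that string into the SAN or the hostname check fails; derive both from one variable.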

Review Comment:
   Do you need to override server_name_indication? I thought the CN once set to the erlang node name would be the right value. Did that not work? (`"/CN=node1@127.0.0.1"`, I mean.)





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1206520528


##########
dev/run:
##########
@@ -524,6 +544,20 @@ def hack_local_ini(ctx, contents):
     return contents + "\n\n[chttpd_auth]\nsecret = %s\n" % COMMON_SALT
 
 
+def hack_vm_args(ctx, node, contents):
+    contents += f"""
+-proto_dist couch
+-couch_dist no_tls '"clouseau@127.0.0.1"'
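Review bot: `-couch_dist no_tls '"clouseau@127.0.0.1"'` is hardcoded in `hack_vm_args` even though the function already receives `node`; since dev/run starts one clouseau per node (clouseau1 for node1 and so on), derive the exempted name from the node index, otherwise the exemption does not cover the clouseau this node actually talks to.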

Review Comment:
   Each node will talk to a different clouseau (clouseau1 for node1, clouseau2 for node2, etc).





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1204497495


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",

Review Comment:
   Thank you, Bob.





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1207269671


##########
dev/remsh-tls:
##########
@@ -24,6 +24,6 @@ if [ -z $HOST ]; then
 fi
 
 NAME="remsh$$@$HOST"
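Review bot: `if [ -z $HOST ]` in the hunk header leaves `$HOST` unquoted, so an empty value collapses to `[ -z ]` (true only by accident) and a value containing whitespace is a syntax error; write `[ -z "$HOST" ]`.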

Review Comment:
   Despite the code in `inet_tls_dist.erl` that looks for the dirname entry (and parses it out in cert_nodes/1), it appears to be ignored.
   
   It suffices to have a subjectAltName of the hostname. My elixir-certs fork is unnecessary and should not be used.
   
   The cert resulting from
   
   ```
   ./certs create-cert --issuer-cert out/ca-cert.pem --issuer-key out/ca-key.pem --out-cert out/node-cert.pem --out-key out/node-key.pem --template server --subject '/CN=127.0.0.1'
   ```
   
   is sufficient and can be used as the client and server cert of all nodes with the same hostname, which is all of the dev nodes.
   
   Obviously a 'real' cluster would have distinct IPs or hostnames for each node, though.





[GitHub] [couchdb] nickva commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "nickva (via GitHub)" <gi...@apache.org>.
nickva commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1207081053


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",

Review Comment:
   This is great, thank you, @rnewson, for figuring it out. This would be a nice resource for users to start with and get a decent setup without too much of a headache.





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1207177289


##########
dev/remsh-tls:
##########
@@ -24,6 +24,6 @@ if [ -z $HOST ]; then
 fi
 
 NAME="remsh$$@$HOST"

Review Comment:
   `erl -name $NAME -remsh "$NODE@$HOST" -hidden -proto_dist inet_tls -ssl_dist_optfile "src/couch_dist/certs/out/${NODE}-dist.conf"`
   
   Maybe not, since we're using a dynamic `${NODE}-dist.conf` and certificates.





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: Suppress warnings about TLS distribution

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1195747539


##########
configure:
##########
@@ -73,17 +73,43 @@ EOF
 # This is not an endorsement of specific expiration limits, key sizes, or algorithms.
 generate_tls_dev_cert() {
     if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
-        openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
-        cat key.pem cert.pem > dev/erlserver.pem && rm key.pem cert.pem
+        openssl genrsa 2048 > ca-key.pem
+        openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem
+        openssl req -newkey rsa:2048 -nodes -days 3650 -keyout key.pem -out req.pem
+        openssl x509 -req -days 3650 -set_serial 01 -in req.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem
+        openssl verify -CAfile ca-cert.pem ca-cert.pem cert.pem
+        cat key.pem cert.pem > dev/erlserver.pem && mv ca-cert.pem dev/ && rm ca-key.pem key.pem cert.pem req.pem
     fi
 
     if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
         cat > "${rootdir}/dev/couch_ssl_dist.conf" << EOF
-[{server,
-  [{certfile, "${rootdir}/dev/erlserver.pem"},
-   {secure_renegotiate, true}]},
- {client,
-  [{secure_renegotiate, true}]}].
+[{server, [
+    {certfile, "${rootdir}/dev/erlserver.pem"},
+    {secure_renegotiate, true}
+  ]},
+  {client, [
+    {secure_renegotiate, true},
+    {verify, verify_peer},
+    {cacertfile, "${rootdir}/dev/ca-cert.pem"},
+    {fail_if_no_peer_cert, true},
+    {verify_fun, {
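Review bot: `{fail_if_no_peer_cert, true}` sits in the `client` list, where Erlang's ssl ignores it; it is a server-side option, and it only has an effect once the `client` list also carries a `certfile` to present, so as written the server still accepts any peer. Separately, the `openssl req` calls in this version have no `-subj` and will prompt interactively for the DN fields, which breaks unattended runs, and `-set_serial 01` should not be reused for every certificate signed by the same CA (`-CAcreateserial` takes care of that).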

Review Comment:
   I tried `{customize_hostname_check, [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}` but it didn't work.





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1204821893


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",

Review Comment:
   Forked the elixir-certs repo and added options to generate these things: https://github.com/rnewson/elixir-certs/





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1207177289


##########
dev/remsh-tls:
##########
@@ -24,6 +24,6 @@ if [ -z $HOST ]; then
 fi
 
 NAME="remsh$$@$HOST"

Review Comment:
   `erl -name $NAME -remsh "$NODE@$HOST" -hidden -proto_dist inet_tls -ssl_dist_optfile "src/couch_dist/certs/out/${NODE}-dist.conf"`
   
   Maybe not, since we're using a dynamic "${NODE}-dist.conf" and pointing to the relevant certificates.





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1198937030


##########
configure:
##########
@@ -69,22 +69,58 @@ Options:
 EOF
 }
 
-# This is just an example to generate a certfile for TLS distribution.
-# This is not an endorsement of specific expiration limits, key sizes, or algorithms.
+# Just an example to generate certificates for TLS distribution.
+# It's not an endorsement of specific expiration limits, key sizes, or algorithms.
 generate_tls_dev_cert() {
-    if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
-        openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
-        cat key.pem cert.pem > dev/erlserver.pem && rm key.pem cert.pem
-    fi
+    if [ "$ERLANG_VER" -lt 26 ]; then
+        if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
+            openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
+            cat key.pem cert.pem > dev/erlserver.pem && rm key.pem cert.pem
+        fi
 
-    if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
-        cat > "${rootdir}/dev/couch_ssl_dist.conf" << EOF
-[{server,
-  [{certfile, "${rootdir}/dev/erlserver.pem"},
-   {secure_renegotiate, true}]},
- {client,
-  [{secure_renegotiate, true}]}].
+        if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
+            cat >"${rootdir}/dev/couch_ssl_dist.conf" <<EOF
+[{server, [
+    {certfile, "${rootdir}/dev/erlserver.pem"},
+    {secure_renegotiate, true}
+  ]},
+  {client, [
+    {secure_renegotiate, true}
+  ]}
+].
 EOF
+        fi
+    else
+        if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
+            echo "Make sure to use different values for the Common Name (FQDN) in CA certificate and certificate."
+            read -p "Common Name (CA certificate): " fqdn_ca
+            read -p "Common Name (certificate): " fqdn
+
+            echo "Generate CA certificate:"
+            openssl genrsa 2048 >ca-key.pem
+            openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem -subj "/CN=$fqdn_ca"
+            echo "Generate certificate:"
+            openssl req -newkey rsa:2048 -nodes -days 3650 -keyout key.pem -out req.pem -subj "/CN=$fqdn"
+            openssl x509 -req -days 3650 -set_serial 01 -in req.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem
+            openssl verify -CAfile ca-cert.pem ca-cert.pem cert.pem
+            cat key.pem cert.pem >dev/erlserver.pem && mv ca-cert.pem dev/ && rm ca-key.pem key.pem cert.pem req.pem
+        fi
+
+        if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
+            cat >"${rootdir}/dev/couch_ssl_dist.conf" <<EOF
+[{server, [
+    {certfile, "${rootdir}/dev/erlserver.pem"},
+    {secure_renegotiate, true}
+  ]},
+  {client, [
+    {secure_renegotiate, true},
+    {verify, verify_peer},
+    {cacertfile, "${rootdir}/dev/ca-cert.pem"},
+    {server_name_indication, "$fqdn"}
+  ]}
+].
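Review bot: the `"$ERLANG_VER" -lt 26` split leaves OTP 24/25 dev clusters with no `verify` option at all, which is `verify_none`: those nodes accept any certificate, so the PR delivers a version-dependent downgrade rather than the verification its title promises. The `{bad_cert,hostname_check_failed}` seen on OTP 25 is a certificate-content problem (the host part of the node name has to appear in the certificate), so the fix belongs in certificate generation, with one verified configuration for every supported OTP version; if a split must stay, the older branch should at least print that verification is off.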

Review Comment:
   Used the same conf and certificates, OTP 26 passed, but OTP 24/25 failed with `{bad_cert,hostname_check_failed}`.
   I'll keep trying, thanks for your suggestion.





[GitHub] [couchdb] rnewson commented on pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#issuecomment-1554197964

   I agree with Nick. The value of `--generate-tls-dev-cert` is to demonstrate how to correctly set up a CouchDB cluster with TLS for the Erlang distribution protocol as much as possible. So the nodes should mutually authenticate each other. The nodes will need a certificate each (with their Erlang node name as the Common Name attribute), etc. The only difference between what we do here and a real setup should be the node certificates and the CA that signed them.
   
   I've also suggested elsewhere to move the logic from configure to dev/run as we only know the number of nodes at dev/run time. With that done it will be possible to automatically add the correct arguments to `vm.args` for each node, like we currently do to add the individual node names.




[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1211072144


##########
dev/run:
##########
@@ -234,6 +234,20 @@ def get_args_parser():
         action="store_true",
         help="Start Nouveau server",
     )
+    parser.add_option(
+        "-t",
+        "--enable-tls",
+        dest="enable_tls",
+        default=False,
+        action="store_true",
+        help="Enable custom TLS distribution (couch)",
+    )
+    parser.add_option(
+        "--tcp-node",
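Review bot: `--tcp-node` accepts a single node, but the vm.args changes elsewhere in this PR list two `-couch_dist no_tls` entries, so the option should be repeatable (`action="append"`), and its name should say what it does, which is exempt a node from TLS (`--no-tls NODE` reads better than `--tcp-node`). Since `default=False`, the `-t` help text could also state that without it the dev cluster's distribution traffic is unencrypted.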

Review Comment:
   Changed to `--no-tls`





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1202462414


##########
dev/gen_certs.sh:
##########
@@ -0,0 +1,57 @@
+#!/bin/bash
+set -e
+
+devdir="$(
+  cd "${0%/*}" 2>/dev/null
+  echo "$PWD"
+)"
+mkdir -p ${devdir}/certs
+
+if [ ! -z "$1" ]; then
+  HOST=$1
+else
+  HOST=$(hostname -f)
+fi
+
+if [ ! -e "${devdir}/certs/ca-cert.pem" ]; then
+  cd ${devdir}/certs
+  echo "Make sure to use different values for the Common Name (FQDN) in CA certificate and certificate."
+
+  echo "Generate CA Certificate:"
+  openssl genrsa 2048 >ca-key.pem
+  openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem -subj "/CN=couch"
+
+  echo "Generate Server Certificate:"
+  openssl req -newkey rsa:2048 -nodes -days 3650 -keyout s-key.pem -out s-req.pem -subj "/CN=$HOST"
+  openssl x509 -req -days 3650 -set_serial 01 -in s-req.pem -out s-cert.pem -CA ca-cert.pem -CAkey ca-key.pem
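Review bot: `-set_serial 01` hard-codes the serial of the server certificate; the script's own labelling ("Server Certificate") implies more certificates from this CA follow, and two certificates with the same serial from one issuer violate RFC 5280 and confuse revocation and caching. Use `-CAcreateserial` or distinct serials. Also quote the expansions: `mkdir -p ${devdir}/certs` and `cd ${devdir}/certs` break on a `devdir` containing spaces, which the `-e` test just above already guards against by quoting.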

Review Comment:
   If these are the per-node certificates, I think we only need one certificate (the node is a client and a server depending on viewpoint) with the CN set to the Erlang node name.





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1205184804


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",

Review Comment:
   ```
   #!/bin/sh
   
   mkdir -p out
   
   ./certs self-signed \
       --out-cert out/ca-cert.pem --out-key out/ca-key.pem \
       --template root-ca \
       --subject '/CN=CouchDB Root CA'
   
   for NODE in $@; do
       ./certs create-cert \
       --issuer-cert out/ca-cert.pem --issuer-key out/ca-key.pem \
       --out-cert "out/${NODE}-cert.pem" --out-key "out/${NODE}-key.pem" \
       --template node \
       --subject '/OU=CouchDB' \
       --host 127.0.0.1 \
       --node "${NODE}"
   done
   ```
   
   ```
   1> Parse = fun(File) ->
   1> {ok, PemBin} = file:read_file(File),
   1>  [{_, DerCert, _}] = public_key:pem_decode(PemBin),
   1> OTPCert = public_key:pkix_decode_cert(DerCert,otp),
   1> inet_tls_dist:cert_nodes(OTPCert) end.
   #Fun<erl_eval.44.65746770>
   2>
   2> Parse("node1-cert.pem").
   ["node1@127.0.0.1"]
   3> Parse("node2-cert.pem").
   ["node2@127.0.0.1"]
   4> Parse("node3-cert.pem").
   ["node3@127.0.0.1"]
   5>
   ```





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: Suppress warnings about TLS distribution

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1197060945


##########
rel/overlay/etc/vm.args:
##########
@@ -108,9 +109,10 @@
 ## By default that would be "clouseau@127.0.0.1".
 ## Don't forget to override the paths to point to your certificate(s) and key(s)!
 ##
-#-proto_dist couch
-#-couch_dist no_tls '"clouseau@127.0.0.1"'
-#-ssl_dist_optfile <path/to/couch_ssl_dist.conf>
+-proto_dist couch
+-couch_dist no_tls '"clouseau@127.0.0.1"'
+-couch_dist no_tls '"node2@127.0.0.1"'
+-ssl_dist_optfile /Users/jiahuili/src/a/dev/couch_ssl_dist.conf
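Review bot: this uncomments the TLS distribution settings in the release template and points `-ssl_dist_optfile` at `/Users/jiahuili/src/a/dev/couch_ssl_dist.conf`, a path that exists only on one developer's machine; a release built from this would start every node with `-proto_dist couch` and fail to read its option file. These lines should stay commented in `rel/overlay/etc/vm.args`; local testing changes belong in an untracked file or in the `vm.args` dev/run generates.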

Review Comment:
   Yes, just for testing.





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: Fix warnings about TLS distribution

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1185517058


##########
rel/overlay/etc/vm.args:
##########
@@ -82,7 +82,8 @@
 ##      [{certfile, "</path/to/erlserver.pem>"},
 ##       {secure_renegotiate, true}]},
 ##     {client,
-##      [{secure_renegotiate, true}]}].
+##      [{secure_renegotiate, true},
+##       {verify, verify_none}]}].
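Review bot: adding `{verify, verify_none}` to the template silences the warning from the PR description by turning off exactly the check it warns about: with `verify_none` the client accepts any server certificate, so the distribution link is encrypted but not authenticated. The template should instead show `{verify, verify_peer}` together with `{cacertfile, "</path/to/ca-cert.pem>"}`, which is what the warning text itself asks for.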

Review Comment:
   I'm very uncomfortable deliberately disabling security if this gets into the release tarball.



##########
rel/overlay/etc/vm.args:
##########
@@ -91,14 +92,15 @@
 ##      -couch_dist no_tls false
 ## 3. Specify which node to use TCP, such as:
 ##      -couch_dist no_tls \"*@127.0.0.1\"
+##      -couch_dist no_tls '"node1@127.0.0.1"'
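Review bot: the new example line uses a different quoting style (`'"node1@127.0.0.1"'`) from the line above it (`\"*@127.0.0.1\"`) for the same option, which leaves readers unsure which form `vm.args` actually needs; pick one, and since the `*` wildcard and the single node name are alternatives, say so rather than listing them as if both were required.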

Review Comment:
   Changing this from `*` to `node1` is significant and I think unintentional?



##########
src/docs/src/cluster/tls_erlang_distribution.rst:
##########
@@ -36,10 +36,11 @@ the ``certificate`` and its ``private key``.
     .. code-block:: text
 
         [{server,
-          [{certfile, "</path/to/erlserver.pem>"},
+          [{certfile, "<absolute_path/to/erlserver.pem>"},
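Review bot: `<absolute_path/to/erlserver.pem>` loses the leading `/`, so the placeholder now reads as a relative path, the opposite of what it is trying to convey; `</absolute/path/to/erlserver.pem>` keeps both the slash and the hint.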

Review Comment:
   Removing the leading `/` makes it a relative path, even if the name is clearer.





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1202891401


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",

Review Comment:
   np, `node1@127.0.0.1` does not work. CN needs to be equal to the `hostname`.
   e.g.: If the node name is `ssl_test@localhost`, CN needs to equal `localhost`.
   
   I've tried different CNs, such as 127.0.0.1, {127,0,0,1}, 127.0.1.1, localhost, localhost.local, `$hostname -s/-f`, etc. If the node name contains 127.0.0.1, they just return `hostname_check_failed` in OTP 25.





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1204408235


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",

Review Comment:
   It's more complicated than that. Reading `inet_tls_dist.erl` makes it clear that they expect the host name part in the SAN field and the node name in a utf8string as a commonName under a directoryName. I have not yet persuaded openssl to generate a certificate that `inet_tls_dist:cert_nodes/1` is happy with. I think the author(s) of `inet_tls_dist` has made a cryptic choice;
   
   ```
   %% Look in Extensions, in all subjectAltName:s
   %% to find node names in this certificate.
   %% Host names are picked up as a subjectAltName containing
   %% a dNSName, and the first subjectAltName containing
   %% a commonName is the node name.
   %%
   ```
   
   The nearest I can get so far is;
   
   ```
   [{'Extension',{2,5,29,17},
                 false,
                 [{dNSName,"127.0.0.1"},
                  {directoryName,{rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,3},
                                                 <<12,7,99,111,117,99,104,100,98>>}]]}}]},
   
   
   `cert_nodes` finds the hostname but because the `<<12,7,99,111,117,99,104,100,98>>` is not a `utf8String` tuple it doesn't find the node name.
   
   This is the (bizarre) way I have managed to add the dirName to the certificate. All other methods have failed (like the invitingly simple `-addext`).
   
   ```
   printf "[SAN]\nsubjectAltName=DNS:127.0.0.1,dirName:dir_ext\n[dir_ext]\nCN=couchdb\n" > ext.cnf
   openssl x509 -req -days 3650 -set_serial 01 -in node-req.pem -out node-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -extfile ext.cnf -extensions SAN 
   ```
   
   Thus far I think the openssl cli is mediocre and you can't actually do everything there that openssl is capable of. It seems you _must_ use openssl conf files to do anything interesting.
   
   This has, so far, been frustrating and illuminating.
   





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1204418484


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",

Review Comment:
   https://github.com/rlipscombe/elixir-certs/blob/main/certs.exs looks helpful...





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1204719763


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",

Review Comment:
   This diff to https://github.com/rlipscombe/elixir-certs allows me to generate a correct certificate.
   
   ```
   diff --git a/certs.exs b/certs.exs
   index 86fb2d2..e52a436 100644
   --- a/certs.exs
   +++ b/certs.exs
   @@ -78,7 +78,8 @@ defmodule Certs do
            ext_key_usage: ext_key_usage([:serverAuth, :clientAuth]),
            subject_key_identifier: true,
            authority_key_identifier: true,
   -        subject_alt_name: subject_alt_name([commonName])
   +        subject_alt_name: subject_alt_name([commonName]),
   +        subject_alt_name: subject_alt_name([{:directoryName, X509.RDNSequence.new(subject, :otp)}])
          ]
        }
      end
   ```
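Review bot: the keyword list now carries `subject_alt_name:` twice; depending on how the template consumer reads it, either one entry is silently dropped or the certificate ends up with two subjectAltName extensions, which RFC 5280 forbids (at most one instance of any extension per certificate). Put both names into a single extension, something like `subject_alt_name: subject_alt_name([commonName, {:directoryName, X509.RDNSequence.new(subject, :otp)}])`, if `subject_alt_name/1` accepts a mixed list of general names.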
   
   yields a certificate that
   
   ```
   5> inet_tls_dist:cert_nodes(OTPCert).
   ["server@server"]
   ```
   
   Obviously the values are wrong, the first `server` should be `couchdb` and the second server should be `127.0.0.1` but those are just strings.
   
   





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1205422438


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",

Review Comment:
   a remsh using inet_tls_dist but without presenting a client certificate is rejected as expected:
   
   ```
   erl -boot ./start_ssl -name remsh$$@127.0.0.1 -hidden -proto_dist inet_tls  -remsh node1@127.0.0.1
   Erlang/OTP 24 [erts-12.3.2.9] [source] [64-bit] [smp:16:16] [ds:16:16:10] [async-threads:1] [jit]
   
   =WARNING REPORT==== 25-May-2023::13:09:35.881585 ===
   Description: "Authenticity is not established by certificate path validation"
        Reason: "Option {verify, verify_peer} and cacertfile/cacerts is missing"
   
   *** ERROR: Shell process terminated! (^G to start new job) ***
   =NOTICE REPORT==== 25-May-2023::13:09:36.033411 ===
   TLS client: In state cipher received SERVER ALERT: Fatal - Handshake Failure
   
   (node1@127.0.0.1)1> =NOTICE REPORT==== 25-May-2023::13:09:36.023069 ===
   TLS server: In state certify at tls_dtls_connection.erl:315 generated SERVER ALERT: Fatal - Handshake Failure
    - no_client_certificate_provided
   ```
   





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1207269671


##########
dev/remsh-tls:
##########
@@ -24,6 +24,6 @@ if [ -z $HOST ]; then
 fi
 
 NAME="remsh$$@$HOST"
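Review bot: `[ -z $HOST ]` on the `if` line leaves `$HOST` unquoted, so a value containing spaces breaks the test and an empty value only works because `[ -z ]` happens to be true; write `[ -z "$HOST" ]`. Since `$HOST` becomes the host part of both `NAME` and the target node, it also has to be exactly the string carried in the node certificate's subjectAltName (`127.0.0.1` for the dev certs), or the `verify_peer` hostname check fails.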

Review Comment:
   despite the code in `inet_tls_dist.erl` that looks for the dirname entry (and parses it out in cert_nodes/1), it appears to be ignored.
   
   It suffices to have a subjectAltName of the hostname. My elixir-certs fork is unnecessary and should not be used.
   
   The cert resulting from
   
   ```
   ./certs create-cert --issuer-cert out/ca-cert.pem --issuer-key out/ca-key.pem \
   --out-cert out/node-cert.pem --out-key out/node-key.pem \
   --template server --subject '/CN=127.0.0.1'
   ```
   
   is sufficient and can be used as the client and server cert of all nodes with the same hostname, which is all of the dev nodes.
   
   Obviously a 'real' cluster would have distinct IPs or hostnames for each node, though.




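The certificate shape the thread settles on (a subjectAltName carrying the host part of the node name, one certificate used as both client and server, `verify_peer` with a `cacertfile` on both sides, `fail_if_no_peer_cert` on the server only and no fixed `server_name_indication`), as an added example done with plain openssl. This is not CouchDB's `gen_certs` script nor the elixir-certs tool used above; `NODE_HOST` and `OUT` are this script's own variables, the key type and lifetimes are arbitrary choices, and the self-check at the end goes slightly beyond the thread by validating the certificate for both TLS roles and by also adding an iPAddress SAN when the host is an IPv4 literal.

```shell
#!/bin/sh
# Added example, not CouchDB's gen_certs: mint a CA and one node certificate
# with plain openssl, put the host part of the Erlang node name in the
# subjectAltName, and write a couch_dist.conf that verifies on both sides.
# NODE_HOST and OUT are this script's own (hypothetical) knobs.
set -eu

: "${NODE_HOST:=127.0.0.1}"          # host part of e.g. node1@127.0.0.1
OUT="${OUT:-$(mktemp -d)}"

gen_cluster_certs() {
  umask 077                          # private keys land as mode 0600
  mkdir -p "$OUT"

  # CA: self-signed and marked CA:TRUE so path validation accepts it as an anchor.
  openssl ecparam -name prime256v1 -genkey -noout -out "$OUT/ca-key.pem"
  openssl req -new -key "$OUT/ca-key.pem" -subj "/CN=CouchDB Root CA" -out "$OUT/ca.csr"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' > "$OUT/ca-ext.cnf"
  openssl x509 -req -in "$OUT/ca.csr" -signkey "$OUT/ca-key.pem" -days 3650 \
    -extfile "$OUT/ca-ext.cnf" -out "$OUT/ca-cert.pem" 2>/dev/null

  # Node cert: good for serverAuth and clientAuth (one cert per node serves both
  # directions of a distribution connection) and named after the host.
  case "$NODE_HOST" in
    *[!0-9.]*) san="DNS:$NODE_HOST" ;;                 # a hostname
    *)         san="DNS:$NODE_HOST,IP:$NODE_HOST" ;;   # IPv4 literal: carry both forms
  esac
  openssl ecparam -name prime256v1 -genkey -noout -out "$OUT/key.pem"
  openssl req -new -key "$OUT/key.pem" -subj "/CN=$NODE_HOST" -out "$OUT/node.csr"
  printf '%s\n' 'basicConstraints=CA:FALSE' \
                'keyUsage=critical,digitalSignature' \
                'extendedKeyUsage=serverAuth,clientAuth' \
                "subjectAltName=$san" > "$OUT/node-ext.cnf"
  openssl x509 -req -in "$OUT/node.csr" -CA "$OUT/ca-cert.pem" -CAkey "$OUT/ca-key.pem" \
    -CAcreateserial -days 825 -extfile "$OUT/node-ext.cnf" -out "$OUT/cert.pem" 2>/dev/null
  cat "$OUT/key.pem" "$OUT/cert.pem" > "$OUT/erlserver.pem"   # combined form, if wanted

  # Both sides validate against the CA. Only the server side carries
  # fail_if_no_peer_cert (OTP 26 rejects it on the client), and there is no
  # fixed server_name_indication: the name to check comes from the peer node name.
  cat > "$OUT/couch_dist.conf" <<EOF
[
  {server, [
    {cacertfile, "$OUT/ca-cert.pem"},
    {certfile,   "$OUT/cert.pem"},
    {keyfile,    "$OUT/key.pem"},
    {secure_renegotiate, true},
    {verify, verify_peer},
    {fail_if_no_peer_cert, true}
  ]},
  {client, [
    {cacertfile, "$OUT/ca-cert.pem"},
    {certfile,   "$OUT/cert.pem"},
    {keyfile,    "$OUT/key.pem"},
    {secure_renegotiate, true},
    {verify, verify_peer}
  ]}
].
EOF
}

# Pre-flight check: the chain validates for both TLS roles and the SAN names the host.
verify_node_cert() {
  openssl verify -CAfile "$OUT/ca-cert.pem" -purpose sslserver "$OUT/cert.pem" >/dev/null &&
  openssl verify -CAfile "$OUT/ca-cert.pem" -purpose sslclient "$OUT/cert.pem" >/dev/null &&
  openssl x509 -in "$OUT/cert.pem" -noout -text | grep -q "DNS:$NODE_HOST"
}

gen_cluster_certs
verify_node_cert && echo "node certificate for $NODE_HOST verified; files in $OUT"
```

Run it once per node with `NODE_HOST` set to the host part of that node's name and point `-ssl_dist_optfile` at the written `couch_dist.conf`. A remsh started on the same machine reuses the node's certificate, so the `$HOST` in `remsh-tls` must be the same string as `NODE_HOST`; and `ca-key.pem` is only needed while issuing, so move it off the nodes once the certificates exist.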

[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1210826078


##########
dev/remsh-tls:
##########
@@ -26,4 +26,4 @@ fi
 NAME="remsh$$@$HOST"
 NODE="node$NODE@$HOST"
 rootdir="$(cd "${0%/*}" 2>/dev/null; echo "$PWD")"
-erl -name $NAME -remsh $NODE -hidden -proto_dist inet_tls -ssl_dist_optfile "${rootdir}/couch_ssl_dist.conf"
+erl -name $NAME -remsh $NODE -hidden -proto_dist inet_tls -ssl_dist_optfile "${rootdir}/../src/couch_dist/certs/out/couch_dist.conf"
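Review bot: the optfile now lives inside the source tree (`src/couch_dist/certs/out/`), and the same file names the node's `keyfile`; anyone who can read that key can complete a TLS distribution handshake and therefore get a remote shell on the node. Besides the env var suggested below, make sure `out/` is ignored by git and written with mode 0600, and state in the PR that the dev certificates are not for deployment.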

Review Comment:
   consider passing the location in (env var, perhaps) rather than having to do `../src`.



##########
src/couch_dist/README.md:
##########
@@ -0,0 +1,160 @@
+# couch_dist
+
+`couch_dist` implements a custom distribution protocol -- `couch`, which allows
+nodes to connect using different protocols, such as Transport Layer Security
+(TLS) and Transmission Control Protocol (TCP).
+
+`TLS` can provide extra verification and security, but requires proper
+certificates and configuration to set up the environment.
+
+## Set up a custom Erlang distribution
+
+1. Specify the distribution protocol in `vm.args`
+2. Specify different distribution protocols for different nodes in `vm.args`
+3. Generate certificates using `certs`
+4. Specify security and other SSL options in `couch_dist.conf`
+
+Examples:
+
+1. `vm.args`:
+
+      ```vm.args
+      -proto_dist couch
+      -couch_dist no_tls '"clouseau@127.0.0.1"'
+      -ssl_dist_optfile </absolute/path/to/couch_dist.conf>
+      ```
+
+2. `couch_dist.conf`:
+
+    - `erlserver.pem`: contains the certificate and its private key.
+    - `{verify, verify_peer}`: you can specify the hostname with `{server_name_indication, <hostname>}`.
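Review bot: the `{verify, verify_peer}` bullet points at `server_name_indication` as if that enabled verification; it does not. Path validation needs `cacertfile` (or `cacerts`) alongside `verify_peer`, and a single fixed hostname in an optfile shared by every node can only be right for one of them. Reword to: requires `cacertfile` pointing at the CA that issued the peers' certificates.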

Review Comment:
   we are showing how to generate correct certificates, so server_name_indication should not be necessary.



##########
dev/run:
##########
@@ -234,6 +234,20 @@ def get_args_parser():
         action="store_true",
         help="Start Nouveau server",
     )
+    parser.add_option(
+        "-t",
+        "--enable-tls",
+        dest="enable_tls",
+        default=False,
+        action="store_true",
+        help="Enable custom TLS distribution (couch)",
+    )
+    parser.add_option(
+        "--tcp-node",

Review Comment:
   since this is setting the 'no_tls' configuration parameter, which can match multiple nodes, I think `no_tls` is a better description than `tcp-node`. Also the TLS connections will use TCP too, so this name doesn't distinguish the two kinds of node connection.



##########
src/couch_dist/README.md:
##########
@@ -0,0 +1,160 @@
+# couch_dist
+
+`couch_dist` implements a custom distribution protocol -- `couch`, which allows
+nodes to connect using different protocols, such as Transport Layer Security
+(TLS) and Transmission Control Protocol (TCP).
+
+`TLS` can provide extra verification and security, but requires proper
+certificates and configuration to set up the environment.
+
+## Set up a custom Erlang distribution
+
+1. Specify the distribution protocol in `vm.args`
+2. Specify different distribution protocols for different nodes in `vm.args`
+3. Generate certificates using `certs`
+4. Specify security and other SSL options in `couch_dist.conf`
+
+Examples:
+
+1. `vm.args`:
+
+      ```vm.args
+      -proto_dist couch
+      -couch_dist no_tls '"clouseau@127.0.0.1"'
+      -ssl_dist_optfile </absolute/path/to/couch_dist.conf>
+      ```
+
+2. `couch_dist.conf`:
+
+    - `erlserver.pem`: contains the certificate and its private key.
+    - `{verify, verify_peer}`: you can specify the hostname with `{server_name_indication, <hostname>}`.
+    - `{fail_if_no_peer_cert, true}`: should be used on the server side only,
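Review bot: "server side only" is right, but the bullet should say what the option buys: on the server, `{fail_if_no_peer_cert, true}` is what turns `verify_peer` into mandatory client authentication (without it a peer that presents no certificate is still accepted; the `no_client_certificate_provided` alert earlier in this thread is that option doing its job), while on the client it is meaningless because a TLS server always sends its certificate, which is why OTP 26 rejects it there.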

Review Comment:
   `fail_if_no_peer_cert` should be set on client and server.



##########
src/couch_dist/README.md:
##########
@@ -0,0 +1,160 @@
+# couch_dist
+
+`couch_dist` implements a custom distribution protocol -- `couch`, which allows
+nodes to connect using different protocols, such as Transport Layer Security
+(TLS) and Transmission Control Protocol (TCP).

Review Comment:
   Erlang communicates with its own protocol over TCP. It can also be configured to run its protocol over a TLS connection which itself is over TCP. 



##########
src/couch_dist/README.md:
##########
@@ -0,0 +1,160 @@
+# couch_dist
+
+`couch_dist` implements a custom distribution protocol -- `couch`, which allows
+nodes to connect using different protocols, such as Transport Layer Security
+(TLS) and Transmission Control Protocol (TCP).
+
+`TLS` can provide extra verification and security, but requires proper
+certificates and configuration to set up the environment.
+
+## Set up a custom Erlang distribution
+
+1. Specify the distribution protocol in `vm.args`
+2. Specify different distribution protocols for different nodes in `vm.args`
+3. Generate certificates using `certs`
+4. Specify security and other SSL options in `couch_dist.conf`
+
+Examples:
+
+1. `vm.args`:
+
+      ```vm.args
+      -proto_dist couch
+      -couch_dist no_tls '"clouseau@127.0.0.1"'
+      -ssl_dist_optfile </absolute/path/to/couch_dist.conf>
+      ```
+
+2. `couch_dist.conf`:
+
+    - `erlserver.pem`: contains the certificate and its private key.
+    - `{verify, verify_peer}`: you can specify the hostname with `{server_name_indication, <hostname>}`.
+    - `{fail_if_no_peer_cert, true}`: should be used on the server side only,
+      see [OTP 26 Highlights](https://www.erlang.org/blog/otp-26-highlights/#ssl-improved-checking-of-options).
+
+       ```couch_dist.conf
+       [
+         {server, [
+           {cacertfile, "</absolute/path/to/ca-cert.pem>"},
+           {certfile, "</absolute/path/to/erlserver.pem>"},
+           {secure_renegotiate, true},
+           {verify, verify_peer},
+           {fail_if_no_peer_cert, true}
+         ]},
+         {client, [
+           {cacertfile, "</absolute/path/to/ca-cert.pem>"},
+           {certfile, "</absolute/path/to/cert.pem>"},
+           {keyfile, "</absolute/path/to/key.pem>"},
+           {secure_renegotiate, true},
+           {verify, verify_peer},
+           {server_name_indication, "<hostname>"}
+         ]}
+       ].
+       ```
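Review bot: the two sides use different key layouts: `{server, ...}` has `certfile` = `erlserver.pem` (key and certificate concatenated) and no `keyfile`, while `{client, ...}` uses separate `cert.pem`/`key.pem`, and the `gen_certs` script in this PR only writes the split form. Pick one layout for the README, and drop `server_name_indication` from the client block, which otherwise hardcodes one peer name for every connection.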
+
+## Generate Certificate
+
+This is an example of using `elixir-certs` to generate certificates, but it is
+not an endorsement of a specific expiration limit, key size or algorithm.
+
+```bash
+cd src/couch_dist/certs
+
+# Generate CA certificate and key
+./certs self-signed \
+  --out-cert ca-cert.pem --out-key ca-key.pem \
+  --template root-ca \
+  --subject "/CN=CouchDB Root CA"
+
+# Generate node certificate and key
+./certs create-cert \
+  --issuer-cert ca-cert.pem --issuer-key ca-key.pem \
+  --out-cert cert.pem --out-key key.pem \
+  --template server \
+  --subject "/CN=127.0.0.1"
+
+# Generate `erlserver.pem`
+cat key.pem cert.pem >erlserver.pem
+
+# Parse certificate to verify:
+# {server_name_indication, "<hostname>"}
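Review bot: `ca-key.pem` is written next to the node key and the README never says what to do with it; whoever holds the CA key can issue a certificate for any node name and join the cluster. Add a line that the CA key is only needed when issuing and should be kept off the nodes (or deleted for throwaway dev clusters), and drop the "Parse certificate to verify {server_name_indication, ...}" comment, since that option is not needed.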

Review Comment:
   server_name_indication is not needed.



##########
src/couch_dist/gen_certs:
##########
@@ -0,0 +1,45 @@
+#!/bin/sh
+set -e
+
+cur_dir="$(cd "${0%/*}" 2>/dev/null; echo "${PWD}")"
+certs_dir="${cur_dir}/certs"
+cd "${certs_dir}"
+mkdir -p "${certs_dir}/out"
+
+if [ ! -e "${certs_dir}/out/ca-cert.pem" ]; then
+  ./certs self-signed \
+    --out-cert out/ca-cert.pem --out-key out/ca-key.pem \
+    --template root-ca \
+    --subject "/CN=CouchDB Root CA"
+fi
+
+if [ ! -e "${certs_dir}/out/cert.pem" ]; then
+  ./certs create-cert \
+    --issuer-cert out/ca-cert.pem --issuer-key out/ca-key.pem \
+    --out-cert out/cert.pem --out-key out/key.pem \
+    --template server \
+    --subject "/CN=127.0.0.1"
+fi
+
+if [ ! -e "${certs_dir}/out/couch_dist.conf" ]; then
+  cat <<EOF >"${certs_dir}/out/couch_dist.conf"
+[
+  {server, [
+    {cacertfile, "$(pwd)/out/ca-cert.pem"},
+    {certfile,   "$(pwd)/out/cert.pem"},
+    {keyfile,    "$(pwd)/out/key.pem"},
+    {secure_renegotiate, true},
+    {verify, verify_peer},
+    {fail_if_no_peer_cert, true}
+  ]},
+  {client, [
+    {cacertfile, "$(pwd)/out/ca-cert.pem"},
+    {certfile,   "$(pwd)/out/cert.pem"},
+    {keyfile,    "$(pwd)/out/key.pem"},
+    {secure_renegotiate, true},
+    {verify, verify_peer},
+    {server_name_indication, "127.0.0.1"}
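Review bot: the `if [ ! -e "${certs_dir}/out/cert.pem" ]` guard does not check that the existing `cert.pem` was issued by the current `out/ca-cert.pem`; regenerate the CA and the stale node certificate stays behind, and with `{verify, verify_peer}` every connection then fails path validation. Either regenerate `cert.pem` whenever `ca-cert.pem` is newer or add a clean step. Also set `umask 077` before writing `out/ca-key.pem` and `out/key.pem`, and remove `server_name_indication` from the client block.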

Review Comment:
   should not be necessary



##########
src/docs/src/cluster/tls_erlang_distribution.rst:
##########
@@ -29,28 +29,55 @@ Reference: `Using TLS for Erlang Distribution`_
 
 Generate Certificate
 ====================
-For TLS to work properly, at least one public key and one certificate must be
-specified. In the following example (couch_ssl_dist.conf), the PEM file contains
-the ``certificate`` and its ``private key``.
+To distribute using TLS, appropriate certificates need to be provided.
+In the following example (couch_dist.conf), the cert.pem certificate must be
+trusted by a root certificate known to the server, and the erlserver.pem file
+contains the "certificate" and its "private key".
 
     .. code-block:: text
 
         [{server,
-          [{certfile, "</path/to/erlserver.pem>"},
-           {secure_renegotiate, true}]},
+          [{cacertfile, "</absolute_path/to/ca-cert.pem>"},
+           {certfile,   "</absolute_path/to/erlserver.pem>"},
+           {secure_renegotiate, true},
+           {verify, verify_peer},
+           {fail_if_no_peer_cert, true}]},
          {client,
-          [{secure_renegotiate, true}]}].
+          [{cacertfile, "</absolute_path/to/ca-cert.pem>"},
+           {keyfile,    "</absolute_path/to/key.pem>"},
+           {certfile,   "</absolute_path/to/cert.pem>"},
+           {secure_renegotiate, true},
+           {verify, verify_peer},
+           {server_name_indication, "<hostname>"}]}].
 
-The following command is an example of generating a certificate (PEM) file.
+You can use ``{verify, verify_peer}`` to enable verification,
+but it requires appropriate certificates to verify.
+
+This is an example of generating certificates.
 
     .. code-block:: bash
 
-        $ openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
-        $ cat key.pem cert.pem > erlserver.pem && rm key.pem cert.pem
+        $ git clone https://github.com/rnewson/elixir-certs
+        $ cd elixir-certs
+        $ ./certs self-signed \
+            --out-cert ca-cert.pem --out-key ca-key.pem \
+            --template root-ca \
+            --subject '/CN=CouchDB Root CA'
+        $./certs create-cert \
+            --issuer-cert ca-cert.pem --issuer-key ca-key.pem \
+            --out-cert cert.pem --out-key key.pem \
+            --template node \
+            --subject '/OU=CouchDB' \
+            --host hostname \
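Review bot: the new intro sentence says only `cert.pem` must chain to a root known to the server, but with `{verify, verify_peer}` in both the `server` and `client` blocks each side validates the other's certificate against its `cacertfile`, so every node's certificate has to be issued by that CA; say so. Also `--host hostname` reads as a literal value; mark it as a placeholder like the other `<...>` values in this file.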

Review Comment:
   Earlier we used the original 'server' template but here we use my 'node' template, which turns out not to be necessary. Let's be consistent in our examples and document the use of the 'server' template here also.





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1212571411


##########
src/couch_dist/README.md:
##########
@@ -0,0 +1,160 @@
+# couch_dist
+
+`couch_dist` implements a custom distribution protocol -- `couch`, which allows
+nodes to connect using different protocols, such as Transport Layer Security
+(TLS) and Transmission Control Protocol (TCP).
+
+`TLS` can provide extra verification and security, but requires proper
+certificates and configuration to set up the environment.
+
+## Set up a custom Erlang distribution
+
+1. Specify the distribution protocol in `vm.args`
+2. Specify different distribution protocols for different nodes in `vm.args`
+3. Generate certificates using `certs`
+4. Specify security and other SSL options in `couch_dist.conf`
+
+Examples:
+
+1. `vm.args`:
+
+      ```vm.args
+      -proto_dist couch
+      -couch_dist no_tls '"clouseau@127.0.0.1"'
+      -ssl_dist_optfile </absolute/path/to/couch_dist.conf>
+      ```
+
+2. `couch_dist.conf`:
+
+    - `erlserver.pem`: contains the certificate and its private key.
+    - `{verify, verify_peer}`: you can specify the hostname with `{server_name_indication, <hostname>}`.
+    - `{fail_if_no_peer_cert, true}`: should be used on the server side only,

Review Comment:
   Reverted the `gen_cert` script, so `{fail_if_no_peer_cert, true}` only appears on the server config side.
   Also removed `couch_dist` from the `couch.app.src` file and tested it with OTP 24/25/26; it worked on my end.





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1211075064


##########
src/couch_dist/README.md:
##########
@@ -0,0 +1,160 @@
+# couch_dist
+
+`couch_dist` implements a custom distribution protocol -- `couch`, which allows
+nodes to connect using different protocols, such as Transport Layer Security
+(TLS) and Transmission Control Protocol (TCP).
+
+`TLS` can provide extra verification and security, but requires proper
+certificates and configuration to set up the environment.
+
+## Set up a custom Erlang distribution
+
+1. Specify the distribution protocol in `vm.args`
+2. Specify different distribution protocols for different nodes in `vm.args`
+3. Generate certificates using `certs`
+4. Specify security and other SSL options in `couch_dist.conf`
+
+Examples:
+
+1. `vm.args`:
+
+      ```vm.args
+      -proto_dist couch
+      -couch_dist no_tls '"clouseau@127.0.0.1"'
+      -ssl_dist_optfile </absolute/path/to/couch_dist.conf>
+      ```
+
+2. `couch_dist.conf`:
+
+    - `erlserver.pem`: contains the certificate and its private key.
+    - `{verify, verify_peer}`: you can specify the hostname with `{server_name_indication, <hostname>}`.

Review Comment:
   Removed





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: Fix warnings about TLS distribution

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1186734984


##########
rel/overlay/etc/vm.args:
##########
@@ -82,7 +82,8 @@
 ##      [{certfile, "</path/to/erlserver.pem>"},
 ##       {secure_renegotiate, true}]},
 ##     {client,
-##      [{secure_renegotiate, true}]}].
+##      [{secure_renegotiate, true},
+##       {verify, verify_none}]}].
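Review bot: `{verify, verify_none}` makes the warning go away by disabling the check it warns about: the client no longer validates the server's certificate chain, so any endpoint presenting any certificate is accepted as a cluster node and the TLS only hides traffic from passive observers. The safe fix is `{verify, verify_peer}` plus `{cacertfile, ...}` on both sides (the direction the PR takes later), not `verify_none` in the shipped example.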

Review Comment:
   I tried to use `{verify, verify_peer}`, but got errors about bad certificates, or it just hung with `*** ERROR: Shell process terminated!`. So I added `{verify, verify_none}` to suppress the warning.
   ```
   *** ERROR: Shell process terminated! (^G to start new job) ***
   =NOTICE REPORT==== 6-May-2023::13:58:20.360922 ===
   TLS client: In state certify at ssl_handshake.erl:2080 generated CLIENT ALERT: Fatal - Bad Certificate
   ```





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1202465298


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",

Review Comment:
   why is this necessary? Ideally the dev nodes remain bound only to 127.0.0.1. Is something in openssl forcing this?





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1204719763


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",

Review Comment:
   This diff to https://github.com/rlipscombe/elixir-certs allows me to generate a correctly formed certificate (though with the wrong values).
   
   ```
   diff --git a/certs.exs b/certs.exs
   index 86fb2d2..e52a436 100644
   --- a/certs.exs
   +++ b/certs.exs
   @@ -78,7 +78,8 @@ defmodule Certs do
            ext_key_usage: ext_key_usage([:serverAuth, :clientAuth]),
            subject_key_identifier: true,
            authority_key_identifier: true,
   -        subject_alt_name: subject_alt_name([commonName])
   +        subject_alt_name: subject_alt_name([commonName]),
   +        subject_alt_name: subject_alt_name([{:directoryName, X509.RDNSequence.new(subject, :otp)}])
          ]
        }
      end
   ```
   
   yields a certificate that 
   
   ```
   5> inet_tls_dist:cert_nodes(OTPCert).
   ["server@server"]
   ```
   
   Obviously the values are wrong: the first `server` should be `couchdb` and the second `server` should be `127.0.0.1`, but those are just strings.
   
   






[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1204723351


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",

Review Comment:
   What we'd actually need:
   
   ```
                                           {'Extension',{2,5,29,17},false,[{dNSName,"127.0.0.1"}]},
                                           {'Extension',{2,5,29,17},
                                                        false,
                                                        [{directoryName,{rdnSequence,[[{'AttributeTypeAndValue',{2,
                                                                                                                 5,4,3},
                                                                                                                {utf8String,<<"node1">>}}]]}}]}]},
                     {'SignatureAlgorithm',{1,2,840,10045,4,3,2},asn1_NOVALUE},
                     <<48,69,2,32,105,178,12,49,33,238,187,152,243,237,155,
                       128,86,97,241,117,150,223,147,14,210,204,126,69,46,255,
                       22,12,165,28,214,174,2,33,0,133,247,16,211,97,56,77,
                       164,21,139,198,41,184,243,254,91,25,64,39,242,67,179,
                       228,255,131,202,213,27,38,91,54,36>>}
   ok
   5>
   5> inet_tls_dist:cert_nodes(OTPCert).
   ["node1@127.0.0.1"]
   ```





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1204714171


##########
dev/run:
##########
@@ -264,6 +278,10 @@ def setup_context(opts, args):
         "auto_ports": opts.auto_ports,
         "locald_configs": opts.locald_configs,
         "with_nouveau": opts.with_nouveau,
+        "enable_tls": opts.enable_tls,
+        "tcp_node": opts.tcp_node,
+        "hostname": socket.gethostname() if opts.enable_tls else "127.0.0.1",
+        "bind_address": "0.0.0.0" if opts.enable_tls else "127.0.0.1",
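Review bot: `socket.gethostname()` as the node host is only safe if the node certificate is issued for that exact name; the `gen_certs` script in this PR issues it for `CN=127.0.0.1`, so a node named after the machine's hostname fails the `verify_peer` hostname check wherever that hostname is not `127.0.0.1`. Derive the host from one source (the certificate's subjectAltName, or a single explicit option) and use it for both the node name and the certificate.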

Review Comment:
   The last bit of the mystery is clearing. There is a variant or extended certificate format specific to OTP. If I use that then the dirName is encoded correctly. openssl is obviously unaware of the OTP-specific `OTPCertificate` format, so it cannot be used to generate certificates for inet_tls_dist that would check both node and host name (for a sample Erlang node name `node@host`).
   
   ```
   X509.RDNSequence.new("/CN=Bob")
   {:rdnSequence,
    [[{:AttributeTypeAndValue, {2, 5, 4, 3}, <<12, 3, 66, 111, 98>>}]]}
   
   X509.RDNSequence.new("/CN=Bob", :otp)
   {:rdnSequence, [[{:AttributeTypeAndValue, {2, 5, 4, 3}, {:utf8String, "Bob"}}]]}
   ```
   
   The rabbit hole is deep and full of terrors.





[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "rnewson (via GitHub)" <gi...@apache.org>.
rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1207362274


##########
dev/remsh-tls:
##########
@@ -24,6 +24,6 @@ if [ -z $HOST ]; then
 fi
 
 NAME="remsh$$@$HOST"

Review Comment:
   @RaimoNiskanen in case you might find our journey amusing ^.





[GitHub] [couchdb] nickva merged pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "nickva (via GitHub)" <gi...@apache.org>.
nickva merged PR #4575:
URL: https://github.com/apache/couchdb/pull/4575




[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1211863695


##########
src/couch_dist/README.md:
##########
@@ -0,0 +1,160 @@
+# couch_dist
+
+`couch_dist` implements a custom distribution protocol -- `couch`, which allows
+nodes to connect using different protocols, such as Transport Layer Security
+(TLS) and Transmission Control Protocol (TCP).
+
+`TLS` can provide extra verification and security, but requires proper
+certificates and configuration to set up the environment.
+
+## Set up a custom Erlang distribution
+
+1. Specify the distribution protocol in `vm.args`
+2. Specify different distribution protocols for different nodes in `vm.args`
+3. Generate certificates using `certs`
+4. Specify security and other SSL options in `couch_dist.conf`
+
+Examples:
+
+1. `vm.args`:
+
+      ```vm.args
+      -proto_dist couch
+      -couch_dist no_tls '"clouseau@127.0.0.1"'
+      -ssl_dist_optfile </absolute/path/to/couch_dist.conf>
+      ```
+
+2. `couch_dist.conf`:
+
+    - `erlserver.pem`: contains the certificate and its private key.
+    - `{verify, verify_peer}`: you can specify the hostname with `{server_name_indication, <hostname>}`.
+    - `{fail_if_no_peer_cert, true}`: should be used on the server side only,
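Review bot: The `{verify, verify_peer}` bullet should state that verification only takes effect together with `cacertfile` (or `cacerts`), since that pairing is what enables path validation; as written it only mentions `{server_name_indication, <hostname>}`, which is a separate, hostname-level setting. The `{fail_if_no_peer_cert, true}` bullet also ends mid-sentence at `only,`, so the reason for keeping it server-side never reaches the README; and `vm.args` is not a highlighter name, a plain fence reads cleaner there.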

Review Comment:
   > In OTP 26, the checking of options is strengthened to return errors for incorrect options that used to be silently ignored. For example, ssl now rejects the fail_if_no_peer_cert option if used for the client:
   
   > In OTP 25, the option would be silently ignored.
   
   https://www.erlang.org/blog/otp-26-highlights/#ssl-improved-checking-of-options
   
   Or just leave `{fail_if_no_peer_cert, true}` on the server side, because when we specify `{verify, verify_peer}`, it requires us to provide cacertfile, certfile, and keyfile to connect successfully.





[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: Suppress warnings about TLS distribution

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1195747539


##########
configure:
##########
@@ -73,17 +73,43 @@ EOF
 # This is not an endorsement of specific expiration limits, key sizes, or algorithms.
 generate_tls_dev_cert() {
     if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
-        openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
-        cat key.pem cert.pem > dev/erlserver.pem && rm key.pem cert.pem
+        openssl genrsa 2048 > ca-key.pem
+        openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem
+        openssl req -newkey rsa:2048 -nodes -days 3650 -keyout key.pem -out req.pem
+        openssl x509 -req -days 3650 -set_serial 01 -in req.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem
+        openssl verify -CAfile ca-cert.pem ca-cert.pem cert.pem
+        cat key.pem cert.pem > dev/erlserver.pem && mv ca-cert.pem dev/ && rm ca-key.pem key.pem cert.pem req.pem
     fi
 
     if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
         cat > "${rootdir}/dev/couch_ssl_dist.conf" << EOF
-[{server,
-  [{certfile, "${rootdir}/dev/erlserver.pem"},
-   {secure_renegotiate, true}]},
- {client,
-  [{secure_renegotiate, true}]}].
+[{server, [
+    {certfile, "${rootdir}/dev/erlserver.pem"},
+    {secure_renegotiate, true}
+  ]},
+  {client, [
+    {secure_renegotiate, true},
+    {verify, verify_peer},
+    {cacertfile, "${rootdir}/dev/ca-cert.pem"},
+    {fail_if_no_peer_cert, true},
+    {verify_fun, {
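Review bot: The file handling in `generate_tls_dev_cert` mixes `${rootdir}/dev/...` in the guard with cwd-relative paths in the commands (`cat key.pem cert.pem > dev/erlserver.pem`, `mv ca-cert.pem dev/`, and the intermediates `ca-key.pem`, `key.pem`, `req.pem`), so the function only works when `configure` is run from the repository root; prefix every path with `${rootdir}/dev/` or `cd "${rootdir}"` first. `openssl verify -CAfile ca-cert.pem ca-cert.pem cert.pem` is also only informational here: its exit status is not acted on, so a chain that fails to validate is still written to `erlserver.pem`; chain it with `&&` into the `cat` line so a failed verification aborts the function.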

Review Comment:
   I tried `{customize_hostname_check, [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}` but it didn't work.
   I think `{server_name_indication, disable}` should do the trick, but didn't work either. https://github.com/erlang/otp/blob/maint-24/lib/ssl/src/ssl_certificate.erl#LL229C46-L229C46
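The hostname-check workarounds above are needed when the dev leaf certificate's name does not match what the client connects to. As an added shell example (not the `configure` script from this PR), the following issues the dev CA and leaf with a subjectAltName for the node's host and IP and then checks chain validation and name matching with `openssl verify`; the output directory, `couch-dev.local` and the `127.0.0.1` address are constructed sample values.

```shell
#!/bin/sh
# Added example, not the CouchDB configure script: issue a dev CA and a leaf
# certificate whose subjectAltName names the dist node's host and IP, so the
# client's {verify, verify_peer} passes the standard hostname check without a
# custom match_fun or verify_fun. Directory, host and IP are constructed.
set -e

# gen_dev_tls_material DIR HOST IP
#   Writes DIR/ca-cert.pem (trust anchor for cacertfile), DIR/cert.pem and
#   DIR/erlserver.pem (key + cert, the certfile layout used by the dev setup).
gen_dev_tls_material() {
    out=$1; host=$2; ip=$3
    mkdir -p "$out"
    # CA: -subj keeps openssl from prompting interactively
    openssl genrsa -out "$out/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 3650 -key "$out/ca-key.pem" \
        -subj "/CN=couch-dev-ca" -out "$out/ca-cert.pem"
    # Leaf key and CSR (-days is meaningless on a CSR, so it is left out)
    openssl req -newkey rsa:2048 -nodes -keyout "$out/key.pem" \
        -subj "/CN=$host" -out "$out/req.pem" 2>/dev/null
    # The SAN is what hostname verification matches on, not the CN
    printf 'subjectAltName=DNS:%s,IP:%s\n' "$host" "$ip" > "$out/san.cnf"
    openssl x509 -req -days 3650 -set_serial 01 -in "$out/req.pem" \
        -CA "$out/ca-cert.pem" -CAkey "$out/ca-key.pem" \
        -extfile "$out/san.cnf" -out "$out/cert.pem" 2>/dev/null
    cat "$out/key.pem" "$out/cert.pem" > "$out/erlserver.pem"
    # Keep only what the dist config references; dropping the CA key means
    # nothing further can be issued under this dev CA.
    rm -f "$out/ca-key.pem" "$out/key.pem" "$out/req.pem" "$out/san.cnf"
}

# check_dev_cert DIR FLAG NAME
#   FLAG is -verify_hostname or -verify_ip. Returns 0 only when cert.pem
#   chains to ca-cert.pem AND its SAN matches NAME, i.e. what a peer doing
#   verify_peer plus hostname checking would accept.
check_dev_cert() {
    openssl verify -CAfile "$1/ca-cert.pem" "$2" "$3" "$1/cert.pem" >/dev/null 2>&1
}
```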





[GitHub] [couchdb] iilyak commented on a diff in pull request #4575: Suppress warnings about TLS distribution

Posted by "iilyak (via GitHub)" <gi...@apache.org>.
iilyak commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1196488045


##########
configure:
##########
@@ -73,17 +73,43 @@ EOF
 # This is not an endorsement of specific expiration limits, key sizes, or algorithms.
 generate_tls_dev_cert() {
     if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
-        openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
-        cat key.pem cert.pem > dev/erlserver.pem && rm key.pem cert.pem
+        openssl genrsa 2048 > ca-key.pem
+        openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem
+        openssl req -newkey rsa:2048 -nodes -days 3650 -keyout key.pem -out req.pem
+        openssl x509 -req -days 3650 -set_serial 01 -in req.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem
+        openssl verify -CAfile ca-cert.pem ca-cert.pem cert.pem
+        cat key.pem cert.pem > dev/erlserver.pem && mv ca-cert.pem dev/ && rm ca-key.pem key.pem cert.pem req.pem
     fi
 
     if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
         cat > "${rootdir}/dev/couch_ssl_dist.conf" << EOF
-[{server,
-  [{certfile, "${rootdir}/dev/erlserver.pem"},
-   {secure_renegotiate, true}]},
- {client,
-  [{secure_renegotiate, true}]}].
+[{server, [
+    {certfile, "${rootdir}/dev/erlserver.pem"},
+    {secure_renegotiate, true}
+  ]},
+  {client, [
+    {secure_renegotiate, true},
+    {verify, verify_peer},
+    {cacertfile, "${rootdir}/dev/ca-cert.pem"},
+    {fail_if_no_peer_cert, true},
+    {verify_fun, {
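Review bot: In the `couch_ssl_dist.conf` heredoc, `{fail_if_no_peer_cert, true}` is placed under `client`, but it is a server-side option (it tells a server what to do when the client presents no certificate), so it does nothing where it is; move it to `server`. The `server` list also has no `{verify, verify_peer}` or `cacertfile`, so after this change only the client authenticates the server; if the intent is that only nodes holding a CA-issued certificate may join, the server side needs `verify_peer` plus `cacertfile` (and then `fail_if_no_peer_cert`) as well. The `{verify_fun, {` line is cut off in this view, so the callback cannot be reviewed here; it must not accept `{bad_cert, _}` results, or it removes the validation that `verify_peer` just added.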

Review Comment:
   Did you try making the match_fun always pass, just to test that the function is available in the OTP we are using?
   
   Define and export a function in any module:
   
   ```erlang
   %% match_fun is called as (Reference, Presented); this one accepts
   %% everything and exists only to test that the option is honoured.
   always_true() ->
      fun(_, _) -> true end.
   ```
   
   Then add the configuration `{customize_hostname_check, [{match_fun, your_module:always_true()}]}`. If it works, look into how https://github.com/erlang/otp/blob/2c864f2f9ef61750006afde6af33453a11d025cd/lib/public_key/src/public_key.erl#L1296 is defined in recent OTP and compare it with the OTP version we use. Understand the difference. If the new OTP version has a fix we can make a conditional based on the OTP version used. For older versions we would use our own function (inspired by latest OTP). On newer versions of OTP we would use the function provided by OTP.
   
   In any case we shouldn't disable security by keeping `match_fun, your_module:always_true()` or `{verify, verify_none}`. Our goal is to suppress the warning, not to disable security.






[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: Suppress warnings about TLS distribution

Posted by "jiahuili430 (via GitHub)" <gi...@apache.org>.
jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1196824522


##########
configure:
##########
@@ -73,17 +73,43 @@ EOF
 # This is not an endorsement of specific expiration limits, key sizes, or algorithms.
 generate_tls_dev_cert() {
     if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
-        openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
-        cat key.pem cert.pem > dev/erlserver.pem && rm key.pem cert.pem
+        openssl genrsa 2048 > ca-key.pem
+        openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem
+        openssl req -newkey rsa:2048 -nodes -days 3650 -keyout key.pem -out req.pem
+        openssl x509 -req -days 3650 -set_serial 01 -in req.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem
+        openssl verify -CAfile ca-cert.pem ca-cert.pem cert.pem
+        cat key.pem cert.pem > dev/erlserver.pem && mv ca-cert.pem dev/ && rm ca-key.pem key.pem cert.pem req.pem
     fi
 
     if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
         cat > "${rootdir}/dev/couch_ssl_dist.conf" << EOF
-[{server,
-  [{certfile, "${rootdir}/dev/erlserver.pem"},
-   {secure_renegotiate, true}]},
- {client,
-  [{secure_renegotiate, true}]}].
+[{server, [
+    {certfile, "${rootdir}/dev/erlserver.pem"},
+    {secure_renegotiate, true}
+  ]},
+  {client, [
+    {secure_renegotiate, true},
+    {verify, verify_peer},
+    {cacertfile, "${rootdir}/dev/ca-cert.pem"},
+    {fail_if_no_peer_cert, true},
+    {verify_fun, {
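Review bot: The leaf certificate is produced from a CSR built without `-subj` or a `subjectAltName`, so its identity is whatever the interactive `openssl req` prompt receives and it carries no SAN; with `{verify, verify_peer}` on the client, hostname verification against the node's host then has nothing to match unless the CN happens to equal it, which is the failure the `verify_fun` is working around. Issuing the leaf with a SAN for the dev host (for example via `-extfile` on the `openssl x509 -req` step) lets the standard check pass without custom callbacks. Minor: `-days 3650` on the CSR `openssl req` line has no effect, since `-days` only applies together with `-x509`.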

Review Comment:
   The problem with this approach is that the TLS distribution starts earlier than other modules, even earlier than the standard io drivers. If we use a custom module function in the conf file, it will throw an `undefined function` error.


