Posted to notifications@couchdb.apache.org by "rnewson (via GitHub)" <gi...@apache.org> on 2023/05/04 21:10:32 UTC

[GitHub] [couchdb] rnewson commented on a diff in pull request #4575: Fix warnings about TLS distribution

rnewson commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1185517058


##########
rel/overlay/etc/vm.args:
##########
@@ -82,7 +82,8 @@
 ##      [{certfile, "</path/to/erlserver.pem>"},
 ##       {secure_renegotiate, true}]},
 ##     {client,
-##      [{secure_renegotiate, true}]}].
+##      [{secure_renegotiate, true},
+##       {verify, verify_none}]}].
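
Review bot: The added `{verify, verify_none}` in the `client` options turns off verification of the peer node's certificate, so a deployment that copies this example gets an encrypted distribution channel with no authentication of the node it connects to. Since this is the template operators start from, show the verifying form instead, for example `{verify, verify_peer}` together with a `{cacertfile, ...}` entry, and mention `verify_none` only in a comment that states what it gives up.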

Review Comment:
   I'm very uncomfortable deliberately disabling security if this gets into the release tarball.



##########
rel/overlay/etc/vm.args:
##########
@@ -91,14 +92,15 @@
 ##      -couch_dist no_tls false
 ## 3. Specify which node to use TCP, such as:
 ##      -couch_dist no_tls \"*@127.0.0.1\"
+##      -couch_dist no_tls '"node1@127.0.0.1"'
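
Review bot: Missing documentation on the added `no_tls` line: it uses a different quoting style (`'"..."'`) from the existing `\"*@127.0.0.1\"` line directly above it and names a single node rather than a wildcard, yet both sit under the same "such as:" with nothing saying how they differ. Add a short comment stating which form is for which case, or keep one quoting style, so that a reader does not take the two lines as equivalent and end up with a different set of nodes on plain TCP than intended.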

Review Comment:
   changing this from `*` to `node1` is significant and I think unintentional?



##########
src/docs/src/cluster/tls_erlang_distribution.rst:
##########
@@ -36,10 +36,11 @@ the ``certificate`` and its ``private key``.
     .. code-block:: text
 
         [{server,
-          [{certfile, "</path/to/erlserver.pem>"},
+          [{certfile, "<absolute_path/to/erlserver.pem>"},
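
Review bot: The new placeholder `<absolute_path/to/erlserver.pem>` no longer starts with `/` and now differs from the `</path/to/erlserver.pem>` placeholder still shown in the `rel/overlay/etc/vm.args` hunk above. Use one placeholder in both places that keeps the leading slash, such as `</absolute/path/to/erlserver.pem>`, so the docs and the shipped template agree and the example still reads as an absolute path.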

Review Comment:
   removing the leading `/` makes it a relative path, even if the name is clearer.


