Posted to commits@couchdb.apache.org by dc...@apache.org on 2014/08/14 01:25:54 UTC
[06/50] couchdb commit: updated refs/heads/1.6.x to eeb31cb
Support `fail_if_no_peer_cert` ssl option
Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/7f9f66e8
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/7f9f66e8
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/7f9f66e8
Branch: refs/heads/1.6.x
Commit: 7f9f66e8be6ce00ee87d2ed23f8ae0ce453b0f12
Parents: ad8e28c
Author: Klaus Trainer <kl...@apache.org>
Authored: Mon May 12 01:43:05 2014 +0200
Committer: Klaus Trainer <kl...@apache.org>
Committed: Wed May 14 16:32:59 2014 +0200
----------------------------------------------------------------------
etc/couchdb/local.ini | 2 ++
share/doc/src/config/http.rst | 11 +++++++++++
src/couchdb/couch_httpd.erl | 5 +++++
3 files changed, 18 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb/blob/7f9f66e8/etc/couchdb/local.ini
----------------------------------------------------------------------
diff --git a/etc/couchdb/local.ini b/etc/couchdb/local.ini
index b102881..fef2508 100644
--- a/etc/couchdb/local.ini
+++ b/etc/couchdb/local.ini
@@ -66,6 +66,8 @@
;password = somepassword
; set to true to validate peer certificates
verify_ssl_certificates = false
+; Set to true to fail if the client does not send a certificate. Only used if verify_ssl_certificates is true.
+fail_if_no_peer_cert = false
; Path to file containing PEM encoded CA certificates (trusted
; certificates used for verifying a peer certificate). May be omitted if
; you do not want to verify the peer.
http://git-wip-us.apache.org/repos/asf/couchdb/blob/7f9f66e8/share/doc/src/config/http.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/config/http.rst b/share/doc/src/config/http.rst
index dfe8d5a..f4fade1 100644
--- a/share/doc/src/config/http.rst
+++ b/share/doc/src/config/http.rst
@@ -387,6 +387,17 @@ Secure Socket Level Options
[ssl]
verify_ssl_certificates = false
+ .. config:option:: fail_if_no_peer_cert :: Require presence of client certificate if certificate verification is enabled
+
+ Set to `true` to terminate the TLS/SSL handshake with a
+ `handshake_failure` alert message if the client does not send a
+ certificate. Only used if `verify_ssl_certificates` is `true`. If
+ set to `false` it will only fail if the client sends an invalid
+ certificate (an empty certificate is considered valid)::
+
+ [ssl]
+ fail_if_no_peer_cert = false
+
.. config:option:: secure_renegotiate :: Enable secure renegotiation
Set to `true` to reject renegotiation attempt that does not live up to RFC 5746::
http://git-wip-us.apache.org/repos/asf/couchdb/blob/7f9f66e8/src/couchdb/couch_httpd.erl
----------------------------------------------------------------------
diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl
index cc5c3d3..7896252 100644
--- a/src/couchdb/couch_httpd.erl
+++ b/src/couchdb/couch_httpd.erl
@@ -66,8 +66,13 @@ start_link(https) ->
"false" ->
[];
"true" ->
+ FailIfNoPeerCert = case couch_config:get("ssl", "fail_if_no_peer_cert", "false") of
+ "false" -> false;
+ "true" -> true
+ end,
[{depth, list_to_integer(couch_config:get("ssl",
"ssl_certificate_max_depth", "1"))},
+ {fail_if_no_peer_cert, FailIfNoPeerCert},
{verify, verify_peer}] ++
case couch_config:get("ssl", "verify_fun", nil) of
nil -> [];
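Review bot: The `case` added at the top of the hunk matches only "false" and "true", so any other value of `[ssl] fail_if_no_peer_cert` (for example "True" or "yes") raises a `case_clause` inside `start_link(https)` and the HTTPS listener fails to start with no indication of which key is misconfigured; a third clause such as `Other -> throw({invalid_config, "ssl", "fail_if_no_peer_cert", Other})` (constructed reason term) would make the failure self-explanatory, and normalizing the value with `string:to_lower/1` first would accept the usual case variants. Note also that the option defaults to `false` while `{verify, verify_peer}` remains in the same option list, so a client that presents no certificate still completes the handshake, as the http.rst hunk documents; a short comment on the `{fail_if_no_peer_cert, FailIfNoPeerCert}` line, e.g. `%% false: a client that sends no certificate still passes verify_peer`, would keep that visible to anyone who later derives identity from the peer certificate. `start_link(https)` begins before and continues past this hunk.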