
[06/50] couchdb commit: updated refs/heads/1.6.x to eeb31cb

Support `fail_if_no_peer_cert` ssl option


Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/7f9f66e8
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/7f9f66e8
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/7f9f66e8

Branch: refs/heads/1.6.x
Commit: 7f9f66e8be6ce00ee87d2ed23f8ae0ce453b0f12
Parents: ad8e28c
Author: Klaus Trainer <kl...@apache.org>
Authored: Mon May 12 01:43:05 2014 +0200
Committer: Klaus Trainer <kl...@apache.org>
Committed: Wed May 14 16:32:59 2014 +0200

----------------------------------------------------------------------
 etc/couchdb/local.ini         |  2 ++
 share/doc/src/config/http.rst | 11 +++++++++++
 src/couchdb/couch_httpd.erl   |  5 +++++
 3 files changed, 18 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb/blob/7f9f66e8/etc/couchdb/local.ini
----------------------------------------------------------------------
diff --git a/etc/couchdb/local.ini b/etc/couchdb/local.ini
index b102881..fef2508 100644
--- a/etc/couchdb/local.ini
+++ b/etc/couchdb/local.ini
@@ -66,6 +66,8 @@
 ;password = somepassword
 ; set to true to validate peer certificates
 verify_ssl_certificates = false
+; Set to true to fail if the client does not send a certificate. Only used if verify_ssl_certificates is true.
+fail_if_no_peer_cert = false
 ; Path to file containing PEM encoded CA certificates (trusted
 ; certificates used for verifying a peer certificate). May be omitted if
 ; you do not want to verify the peer.
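Review bot: The new comment line above `fail_if_no_peer_cert = false` runs far past the width of the surrounding comments and opens with a capital letter, while the adjacent `; set to true to validate peer certificates` is lowercase, so it reads as written in a different style. Wrapping it to the neighbouring width would keep the block consistent, e.g. `; set to true to fail if the client does not send a certificate` followed by `; (only used if verify_ssl_certificates is true)`. The default of false preserves the existing behaviour of accepting a client that presents no certificate even when verify_ssl_certificates is true, which the http.rst hunk in this commit documents.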

http://git-wip-us.apache.org/repos/asf/couchdb/blob/7f9f66e8/share/doc/src/config/http.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/config/http.rst b/share/doc/src/config/http.rst
index dfe8d5a..f4fade1 100644
--- a/share/doc/src/config/http.rst
+++ b/share/doc/src/config/http.rst
@@ -387,6 +387,17 @@ Secure Socket Level Options
       [ssl]
       verify_ssl_certificates = false
 
+  .. config:option:: fail_if_no_peer_cert :: Require presence of client certificate if certificate verification is enabled
+
+    Set to `true` to terminate the TLS/SSL handshake with a
+    `handshake_failure` alert message if the client does not send a
+    certificate. Only used if `verify_ssl_certificates` is `true`. If
+    set to `false` it will only fail if the client sends an invalid
+    certificate (an empty certificate is considered valid)::
+
+      [ssl]
+      fail_if_no_peer_cert = false
+
   .. config:option:: secure_renegotiate :: Enable secure renegotiation
 
     Set to `true` to reject renegotiation attempt that does not live up to RFC 5746::

http://git-wip-us.apache.org/repos/asf/couchdb/blob/7f9f66e8/src/couchdb/couch_httpd.erl
----------------------------------------------------------------------
diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl
index cc5c3d3..7896252 100644
--- a/src/couchdb/couch_httpd.erl
+++ b/src/couchdb/couch_httpd.erl
@@ -66,8 +66,13 @@ start_link(https) ->
         "false" ->
             [];
         "true" ->
+            FailIfNoPeerCert = case couch_config:get("ssl", "fail_if_no_peer_cert", "false") of
+            "false" -> false;
+            "true" -> true
+            end,
             [{depth, list_to_integer(couch_config:get("ssl",
                 "ssl_certificate_max_depth", "1"))},
+             {fail_if_no_peer_cert, FailIfNoPeerCert},
              {verify, verify_peer}] ++
             case couch_config:get("ssl", "verify_fun", nil) of
                 nil -> [];
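Review bot: The clauses of the inner `case` bound to `FailIfNoPeerCert` sit at the same column as the binding itself, unlike the outer `case` whose clauses are indented one level deeper; indenting `"false" -> false;`, `"true" -> true` and `end,` one level further would match the surrounding code. Because there is no catch-all clause, any other configured value (for example `True` or `1`) raises `case_clause` inside start_link at startup; that mirrors how the `verify_ssl_certificates` value is handled just above and is the safer outcome, but an operator reading the crash would be helped by a comment such as `%% any other value is a config error: crash at startup instead of silently defaulting`. start_link(https) begins before this hunk and its body continues after it.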