Posted to notifications@couchdb.apache.org by "jiahuili430 (via GitHub)" <gi...@apache.org> on 2023/06/01 04:58:17 UTC

[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add `{verify, verify_peer}` to enable verification

jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1212571411


##########
src/couch_dist/README.md:
##########
@@ -0,0 +1,160 @@
+# couch_dist
+
+`couch_dist` implements a custom distribution protocol -- `couch`, which allows
+nodes to connect using different protocols, such as Transport Layer Security
+(TLS) and Transmission Control Protocol (TCP).
+
+`TLS` can provide extra verification and security, but requires proper
+certificates and configuration to set up the environment.
+
+## Set up a custom Erlang distribution
+
+1. Specify the distribution protocol in `vm.args`
+2. Specify different distribution protocols for different nodes in `vm.args`
+3. Generate certificates using `certs`
+4. Specify security and other SSL options in `couch_dist.conf`
+
+Examples:
+
+1. `vm.args`:
+
+      ```vm.args
+      -proto_dist couch
+      -couch_dist no_tls '"clouseau@127.0.0.1"'
+      -ssl_dist_optfile </absolute/path/to/couch_dist.conf>
+      ```
+
+2. `couch_dist.conf`:
+
+    - `erlserver.pem`: contains the certificate and its private key.
+    - `{verify, verify_peer}`: you can specify the hostname with `{server_name_indication, <hostname>}`.
+    - `{fail_if_no_peer_cert, true}`: should be used on the server side only,
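
Review bot: In the `couch_dist.conf` list, the `{verify, verify_peer}` item mentions only `{server_name_indication, <hostname>}` and never says which CA certificates the peer is checked against, so the README documents no trust anchor for the verification it describes. Suggest adding an item for the CA bundle (for example a `{cacertfile, ...}` entry) next to `erlserver.pem`, and stating whether `server_name_indication` belongs in the client options only, the same way the `fail_if_no_peer_cert` item is scoped to the server side. Separately, in the `vm.args` example, `-couch_dist no_tls '"clouseau@127.0.0.1"'` appears without explanation; one sentence on what `no_tls` means for the listed node (presumably plain TCP, given the introduction) would make the security trade-off explicit.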

Review Comment:
   Reverted the `gen_cert` script, so `{fail_if_no_peer_cert, true}` would only appear on the server config side.
   Also removed `couch_dist` from the `couch.app.src` file and tested it with OTP 24/25/26; it worked on my end.


