Posted to dev@couchdb.apache.org by "Camilo Vieira da Silva (JIRA)" <ji...@apache.org> on 2013/04/09 01:00:16 UTC

[jira] [Commented] (COUCHDB-1448) Client Certificate Validation Nonfunctional

    [ https://issues.apache.org/jira/browse/COUCHDB-1448?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13625942#comment-13625942 ] 

Camilo Vieira da Silva commented on COUCHDB-1448:
-------------------------------------------------

Hi, I have been trying to fix this error for a long time. Does CouchDB 1.0.2 work if the SSL certificate is signed by a CA?

Thanks
                
> Client Certificate Validation Nonfunctional
> -------------------------------------------
>
>                 Key: COUCHDB-1448
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-1448
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>    Affects Versions: 1.2
>         Environment: OSX 10.7/Ubuntu 11.10, Erlang R15B/R14B4
>            Reporter: Brendan O'Connor
>              Labels: certificate, client, ssl
>
> CouchDB commit: 4cd60f3d1683a3445c3248f48ae064fb573db2a1 (from build-couchdb) on both platforms (OSX / R14B4, and Ubuntu / R15B).
> Attempting to use client SSL certificate validation. In local.ini, if I specify cert_file and key_file, *server* SSL certificate functionality works as expected. If I also specify a cacert_file and set verify_ssl_certificates = true, I get the following crash:
> ============
> [info] [<0.31.0>] Apache CouchDB has started on https://127.0.0.1:6984/
> [error] [<0.165.0>] SSL: hello: ssl_handshake.erl:249:Fatal error: internal error
> =ERROR REPORT==== 23-Mar-2012::17:12:03 ===
> SSL: hello: ssl_handshake.erl:249:Fatal error: internal error
> [error] [<0.164.0>] SSL: hello: ssl_handshake.erl:249:Fatal error: internal error
> =ERROR REPORT==== 23-Mar-2012::17:12:03 ===
> SSL: hello: ssl_handshake.erl:249:Fatal error: internal error
> [error] [<0.166.0>] SSL: hello: ssl_handshake.erl:249:Fatal error: internal error
> =ERROR REPORT==== 23-Mar-2012::17:12:03 ===
> SSL: hello: ssl_handshake.erl:249:Fatal error: internal error
> [error] [<0.145.0>] {error_report,<0.30.0>,
>                                   {<0.145.0>,std_error,
>                                    [{application,mochiweb},
>                                     "Accept failed error",
>                                     "{error,\"internal error\"}"]}}
> =ERROR REPORT==== 23-Mar-2012::17:12:03 ===
>     application: mochiweb
>     "Accept failed error"
>     "{error,\"internal error\"}"
> [error] [<0.144.0>] {error_report,<0.30.0>,
>                                   {<0.144.0>,std_error,
>                                    [{application,mochiweb},
>                                     "Accept failed error",
>                                     "{error,\"internal error\"}"]}}
> =ERROR REPORT==== 23-Mar-2012::17:12:03 ===
>     application: mochiweb
>     "Accept failed error"
>     "{error,\"internal error\"}"
> [error] [<0.145.0>] {error_report,<0.30.0>,
>                      {<0.145.0>,crash_report,
>                       [[{initial_call,
>                          {mochiweb_acceptor,init,
>                           ['Argument__1','Argument__2','Argument__3']}},
>                         {pid,<0.145.0>},
>                         {registered_name,[]},
>                         {error_info,
>                          {exit,
>                           {error,accept_failed},
>                           [{mochiweb_acceptor,init,3,
>                             [{file,
>                               "/Users/ussjoin/Desktop/build-couchdb/dependencies/couchdb/src/mochiweb/mochiweb_acceptor.erl"},
>                              {line,33}]},
>                            {proc_lib,init_p_do_apply,3,
>                             [{file,"proc_lib.erl"},{line,227}]}]}},
>                         {ancestors,
>                          [https,couch_secondary_services,couch_server_sup,
>                           <0.31.0>]},
>                         {messages,[]},
>                         {links,[<0.142.0>]},
>                         {dictionary,[]},
>                         {trap_exit,false},
>                         {status,running},
>                         {heap_size,2584},
>                         {stack_size,24},
>                         {reductions,912}],
>                        []]}}
> =CRASH REPORT==== 23-Mar-2012::17:12:03 ===
>   crasher:
>     initial call: mochiweb_acceptor:init/3
>     pid: <0.145.0>
>     registered_name: []
>     exception exit: {error,accept_failed}
>       in function  mochiweb_acceptor:init/3 (/Users/ussjoin/Desktop/build-couchdb/dependencies/couchdb/src/mochiweb/mochiweb_acceptor.erl, line 33)
>     ancestors: [https,couch_secondary_services,couch_server_sup,<0.31.0>]
>     messages: []
>     links: [<0.142.0>]
>     dictionary: []
>     trap_exit: false
>     status: running
>     heap_size: 2584
>     stack_size: 24
>     reductions: 912
>   neighbours:
> [error] [<0.142.0>] {error_report,<0.30.0>,
>                         {<0.142.0>,std_error,
>                          {mochiweb_socket_server,310,
>                              {acceptor_error,{error,accept_failed}}}}}
> ============
> From the browser side, the browser was never even asked by CouchDB to submit a client certificate; it crashes before it gets to that point.
> Similar result when specifying ssl_trusted_certificates_file and verify_ssl_certificates=true in the replicator section of default.ini; a crash and nothing happens on replication attempts.
> Tried increasing ssl_certificate_max_depth to 2 and 3 on both the local.ini[ssl] side and the default.ini[replicator] side, with no apparent effect.
> Workaround:
> In replicator, specify cert_file and key_file, but leave verify_ssl_certificates = false. Use nginx to verify the client certificates (and serve server SSL if you wish). Replication proceeds with client+server SSL as expected, without having to use a proxy on the sending side. (The downside is that you have to use nginx; if this feature worked as expected, the use case could be solved in CouchDB alone.)
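The workaround above moves client-certificate verification out of CouchDB and into nginx. The following nginx server block is an added illustration of that setup; it is not part of the issue, the reporter's configuration, or the CouchDB project. All file paths, the server name and the CouchDB backend address are placeholders. CouchDB keeps serving plain HTTP with verify_ssl_certificates = false, and nginx refuses the TLS handshake unless the client presents a certificate chaining to the configured CA.

```nginx
# Added example (not from the issue or the CouchDB project). nginx terminates TLS,
# requires and verifies a client certificate, and proxies to a CouchDB instance
# that only listens on the loopback interface. Every path and hostname is a placeholder.
server {
    listen 6984 ssl;
    server_name couch.example.internal;                  # placeholder

    # Server certificate and key presented to connecting clients
    ssl_certificate     /etc/nginx/certs/server.crt;     # placeholder
    ssl_certificate_key /etc/nginx/certs/server.key;     # placeholder

    # CA bundle that issued the client certificates. "on" makes nginx reject the
    # handshake when no certificate, or one that does not chain to this CA, is sent.
    ssl_client_certificate /etc/nginx/certs/client-ca.crt;   # placeholder
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        # Forward the verified identity for CouchDB-side logging and audit.
        # CouchDB still performs its own authentication; these headers are informational.
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header Host                $host;

        # Backend CouchDB (plain HTTP); placeholder address
        proxy_pass http://127.0.0.1:5984;
    }
}
```

For the check to mean anything, CouchDB's own listener must not be reachable from the network, otherwise a client can simply bypass the proxy: bind it to loopback (bind_address = 127.0.0.1 in the [httpd] section) or firewall the port so that only nginx can connect. The ssl_verify_depth value plays the role that ssl_certificate_max_depth was meant to play inside CouchDB, so set it to the depth of your client-certificate chain.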
