Posted to commits@couchdb.apache.org by kx...@apache.org on 2014/10/31 03:33:27 UTC

couchdb commit: updated refs/heads/1.x.x to f30f3dd

Repository: couchdb
Updated Branches:
  refs/heads/1.x.x 704672457 -> f30f3dd2a


Support for user configurable SSL ciphers


Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/f30f3dd2
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/f30f3dd2
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/f30f3dd2

Branch: refs/heads/1.x.x
Commit: f30f3dd2a6f9a2b063c0d00c9eff2d8b3209c24a
Parents: 7046724
Author: Terin Stock <te...@gmail.com>
Authored: Sun Apr 20 11:40:25 2014 +0100
Committer: Alexander Shorin <kx...@apache.org>
Committed: Fri Oct 31 05:32:17 2014 +0300

----------------------------------------------------------------------
 etc/couchdb/local.ini         |  9 +++++++++
 share/doc/src/config/http.rst | 24 ++++++++++++++++++++++++
 src/couchdb/couch_httpd.erl   |  8 +++++++-
 3 files changed, 40 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb/blob/f30f3dd2/etc/couchdb/local.ini
----------------------------------------------------------------------
diff --git a/etc/couchdb/local.ini b/etc/couchdb/local.ini
index 8aae331..b102881 100644
--- a/etc/couchdb/local.ini
+++ b/etc/couchdb/local.ini
@@ -75,6 +75,15 @@ verify_ssl_certificates = false
 ;verify_fun = {Module, VerifyFun}
 ; maximum peer certificate depth
 ssl_certificate_max_depth = 1
+;
+; Reject renegotiations that do not live up to RFC 5746.
+;secure_renegotiate = true
+; The cipher suites that should be supported.
+; Can be specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}"
+; or in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
+;ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
+; The SSL/TLS versions to support
+;tls_versions = [sslv3, tlsv1, 'tlsv1.1', 'tlsv1.2']
 
 ; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
 ; the Virual Host will be redirected to the path. In the example below all requests
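Review bot: The example value on the added line `;tls_versions = [sslv3, tlsv1, 'tlsv1.1', 'tlsv1.2']` includes sslv3, so an administrator who uncomments it as-is re-enables SSL 3.0, which is subject to the POODLE CBC padding attack and should not be offered by a server at all; the example should read `;tls_versions = ['tlsv1.2', 'tlsv1.1', tlsv1]` with a comment such as `; sslv3 is accepted by this option but is deliberately omitted: it is insecure`. The `ciphers` example lists only ECDHE-ECDSA suites, which can only be negotiated when `cert_file` holds an ECDSA certificate; with the more common RSA certificate no suite in that list is usable and every handshake fails, so the comment should say so or include an ECDHE-RSA suite alongside. The comment says Erlang-format tuples are accepted but the example shows only the OpenSSL string form; one mixed example would show whether tuple entries are written bare or quoted inside the list.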

http://git-wip-us.apache.org/repos/asf/couchdb/blob/f30f3dd2/share/doc/src/config/http.rst
----------------------------------------------------------------------
diff --git a/share/doc/src/config/http.rst b/share/doc/src/config/http.rst
index 4084be5..3b808e9 100644
--- a/share/doc/src/config/http.rst
+++ b/share/doc/src/config/http.rst
@@ -390,6 +390,30 @@ Secure Socket Level Options
       [ssl]
       verify_ssl_certificates = false
 
+  .. config:option:: secure_renegotiate :: Enable secure renegotiation
+
+    Set to `true` to reject renegotiation attempt that does not live up to RFC 5746::
+
+      [ssl]
+      secure_renegotiate = true
+
+  .. config:option:: ciphers :: Specify permitted server cipher list
+
+    Set to the cipher suites that should be supported which can be
+    specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}" or
+    in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
+
+      [ssl]
+      ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
+
+  .. config:option:: tls_versions :: Specify permitted server SSL/TLS
+                     protocol versions
+
+    Set to a list of permitted SSL/TLS protocol versions::
+
+      [ssl]
+      tls_versions = [sslv3 | tlsv1 | 'tlsv1.1' | 'tlsv1.2']
+
 
 .. _cors:
 .. _config/cors:

http://git-wip-us.apache.org/repos/asf/couchdb/blob/f30f3dd2/src/couchdb/couch_httpd.erl
----------------------------------------------------------------------
diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl
index 7ee3e3a..3eb2e39 100644
--- a/src/couchdb/couch_httpd.erl
+++ b/src/couchdb/couch_httpd.erl
@@ -39,11 +39,17 @@ start_link(http) ->
     start_link(?MODULE, [{port, Port}]);
 start_link(https) ->
     Port = couch_config:get("ssl", "port", "6984"),
+    {ok, Ciphers} = couch_util:parse_term(couch_config:get("ssl", "ciphers", "nil")),
+    {ok, Versions} = couch_util:parse_term(couch_config:get("ssl", "tls_versions", "nil")),
+    {ok, SecureRenegotiate} = couch_util:parse_term(couch_config:get("ssl", "secure_renegotiate", "nil")),
     ServerOpts0 =
         [{cacertfile, couch_config:get("ssl", "cacert_file", nil)},
          {keyfile, couch_config:get("ssl", "key_file", nil)},
          {certfile, couch_config:get("ssl", "cert_file", nil)},
-         {password, couch_config:get("ssl", "password", nil)}],
+         {password, couch_config:get("ssl", "password", nil)},
+         {secure_renegotiate, SecureRenegotiate},
+         {versions, Versions},
+         {ciphers, Ciphers}],
 
     case (couch_util:get_value(keyfile, ServerOpts0) == nil orelse
         couch_util:get_value(certfile, ServerOpts0) == nil) of