Posted to notifications@couchdb.apache.org by "iilyak (via GitHub)" <gi...@apache.org> on 2023/05/16 17:36:37 UTC

[GitHub] [couchdb] iilyak commented on a diff in pull request #4575: Suppress warnings about TLS distribution

iilyak commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1195492402


##########
configure:
##########
@@ -73,17 +73,43 @@ EOF
 # This is not an endorsement of specific expiration limits, key sizes, or algorithms.
 generate_tls_dev_cert() {
     if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
-        openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
-        cat key.pem cert.pem > dev/erlserver.pem && rm key.pem cert.pem
+        openssl genrsa 2048 > ca-key.pem
+        openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem
+        openssl req -newkey rsa:2048 -nodes -days 3650 -keyout key.pem -out req.pem
+        openssl x509 -req -days 3650 -set_serial 01 -in req.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem
+        openssl verify -CAfile ca-cert.pem ca-cert.pem cert.pem
+        cat key.pem cert.pem > dev/erlserver.pem && mv ca-cert.pem dev/ && rm ca-key.pem key.pem cert.pem req.pem
     fi
 
     if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
         cat > "${rootdir}/dev/couch_ssl_dist.conf" << EOF
-[{server,
-  [{certfile, "${rootdir}/dev/erlserver.pem"},
-   {secure_renegotiate, true}]},
- {client,
-  [{secure_renegotiate, true}]}].
+[{server, [
+    {certfile, "${rootdir}/dev/erlserver.pem"},
+    {secure_renegotiate, true}
+  ]},
+  {client, [
+    {secure_renegotiate, true},
+    {verify, verify_peer},
+    {cacertfile, "${rootdir}/dev/ca-cert.pem"},
+    {fail_if_no_peer_cert, true},
+    {verify_fun, {
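Review bot: The guard on line 16 still tests only `${rootdir}/dev/erlserver.pem`, but the new client config on line 41 now also requires `${rootdir}/dev/ca-cert.pem`, which is only produced inside that same branch; a dev tree whose erlserver.pem came from the previous version of this script will skip generation and end up with a cacertfile that does not exist. Widening the guard to `if [ ! -e "${rootdir}/dev/erlserver.pem" ] || [ ! -e "${rootdir}/dev/ca-cert.pem" ]; then` covers that case. Separately, the `openssl verify` on line 23 is run for its side effect only: its exit status is never checked, so a chain that failed to produce a valid CA-signed cert still gets assembled and installed by line 24; chaining it with `&&` into the next command (or `|| return 1`) makes the verification meaningful. The generate_tls_dev_cert function and the heredoc continue past the end of the quoted hunk.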

Review Comment:
   Could you also take a look at customize_hostname_check? I don't know when it was introduced, but it seems to be a better way.


