Posted to commits@couchdb.apache.org by rn...@apache.org on 2016/04/30 00:13:01 UTC

couchdb commit: updated refs/heads/encrypted-rpc to c08961e

Repository: couchdb
Updated Branches:
  refs/heads/encrypted-rpc [created] c08961e35


Configure CouchDB for encrypted traffic all over


Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/c08961e3
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/c08961e3
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/c08961e3

Branch: refs/heads/encrypted-rpc
Commit: c08961e3540f3ecf4ec2e6f99089b8d2133114df
Parents: 9f4103f
Author: Robert Newson <rn...@apache.org>
Authored: Fri Apr 29 22:57:01 2016 +0100
Committer: Robert Newson <rn...@apache.org>
Committed: Fri Apr 29 23:12:07 2016 +0100

----------------------------------------------------------------------
 .gitignore              |  2 ++
 Makefile                | 14 +++++++++++++-
 rel/overlay/etc/vm.args |  6 ++++++
 3 files changed, 21 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb/blob/c08961e3/.gitignore
----------------------------------------------------------------------
diff --git a/.gitignore b/.gitignore
index 77ae520..0c901ef 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,5 @@ src/couch/priv/couchspawnkillable
 .rebar
 bin/
 apache-couchdb-*/
+
+*.pem

http://git-wip-us.apache.org/repos/asf/couchdb/blob/c08961e3/Makefile
----------------------------------------------------------------------
diff --git a/Makefile b/Makefile
index cefc5da..40399ae 100644
--- a/Makefile
+++ b/Makefile
@@ -63,7 +63,7 @@ help:
 
 .PHONY: couch
 # target: couch - Build CouchDB core
-couch: config.erl
+couch: certs config.erl
 	@COUCHDB_VERSION=$(COUCHDB_VERSION) $(REBAR) compile
 	@cp src/couch/priv/couchjs bin/
 
@@ -299,6 +299,7 @@ clean:
 	@rm -f src/couch/priv/couchspawnkillable
 	@rm -f src/couch/priv/couch_js/config.h
 	@rm -f dev/boot_node.beam dev/pbkdf2.pyc log/crash.log
+	@rm -r *.pem
 
 
 .PHONY: distclean
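Review bot: The new `@rm -r *.pem` line in `clean` will fail the whole target when no .pem file exists, because the unmatched glob is passed to `rm` literally and the line carries no `-` prefix; `-r` is also the recursive flag, which would descend into any directory that happened to match, whereas the surrounding lines use `-f`. Suggest `@rm -f *.pem`, matching the other removals in this recipe. The `clean` recipe starts before this hunk.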
@@ -362,3 +363,14 @@ ifeq ($(with_fauxton), 1)
 	@echo "Building Fauxton"
 	@cd src/fauxton && npm install --production && ./node_modules/grunt-cli/bin/grunt couchdb
 endif
+
+certs: ecc_cert.pem
+
+%_cert.pem: %_key.pem %_csr.pem
+	@openssl req -x509 -days 99999 -key $*_key.pem -in $*_csr.pem -out $@
+
+%_csr.pem: %_key.pem
+	@openssl req -new -key $< -out $@ -subj "/O=Apache Software Foundation/OU=Apache CouchDB"
+
+ecc_key.pem:
+	@openssl ecparam -genkey -name prime256v1 -out ecc_key.pem

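Review bot: The `ecc_key.pem` recipe writes the private key with whatever mode the caller's umask yields, typically world-readable, and vm.args in this same commit points the node's TLS distribution at that file; generate it with restrictive permissions, e.g. `@umask 077 && openssl ecparam -genkey -name prime256v1 -out $@` (using `$@` also keeps the recipe honest about what it produces). `certs` names no file and is now a prerequisite of `couch`, so it should be added to a `.PHONY` line like the sibling targets in this Makefile, or a stray file called `certs` will silently satisfy it. The certificate is self-signed with `-days 99999`, roughly 274 years, which is acceptable for a development artefact but deserves a target comment in the file's existing style, e.g. `# target: certs - Generate a self-signed development key/cert for TLS distribution`.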
http://git-wip-us.apache.org/repos/asf/couchdb/blob/c08961e3/rel/overlay/etc/vm.args
----------------------------------------------------------------------
diff --git a/rel/overlay/etc/vm.args b/rel/overlay/etc/vm.args
index b69ad82..462195e 100644
--- a/rel/overlay/etc/vm.args
+++ b/rel/overlay/etc/vm.args
@@ -31,5 +31,11 @@
 # Start a pool of asynchronous IO threads
 +A 16
 
+# Encrypt the RPC traffic
+-proto_dist inet_tls
+-ssl_dist_opt server_certfile "ecc_cert.pem"
+-ssl_dist_opt server_keyfile  "ecc_key.pem"
+-ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true
+
 # Comment this line out to enable the interactive Erlang shell on startup
 +Bd -noinput
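Review bot: The new `-ssl_dist_opt` lines present a server certificate but set no verify or CA options on either side, so distribution traffic is encrypted yet a peer's identity is not checked beyond the Erlang cookie, and any node that knows the cookie can still join. If mutual node authentication is intended, add `-ssl_dist_opt server_verify verify_peer server_fail_if_no_peer_cert true client_verify verify_peer` together with `server_cacertfile`/`client_cacertfile` and a `client_certfile`/`client_keyfile` pair, which with the self-signed cert from the Makefile can be the cert file itself. The paths `"ecc_cert.pem"` and `"ecc_key.pem"` are resolved relative to the VM's working directory rather than to this file, so the release presumably only finds them when started from the directory the Makefile writes to; confirm, or use absolute paths. `inet_tls` also needs ssl, crypto and public_key on the code path before distribution starts, which the release boot script looks like it is expected to provide — worth confirming.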