Posted to dev@couchdb.apache.org by terinjokes <gi...@git.apache.org> on 2014/04/19 06:02:34 UTC

[GitHub] couchdb pull request: Initial support for user configurable SSL ci...

GitHub user terinjokes opened a pull request:

    https://github.com/apache/couchdb/pull/213

    Initial support for user configurable SSL ciphers

    Adds user configuration for the following Erlang SSL settings:
    
    * secure_renegotiate (default = false)
    * ciphers (default = whatever that version of Erlang decides)
    
    This is useful immediately because Erlang versions earlier than R16B03-1 incorrectly implement handshaking with elliptic curves, causing hard-to-debug SSL errors in recent versions of Chrome, Safari, Firefox, curl and Go (in a very incomplete list).
    
    It also allows administrators to change the priorities of ciphers for their installation or remove ciphers in the wake of attacks.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/terinjokes/couchdb httpd_ssl

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/couchdb/pull/213.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #213
    
----
commit c61212fb044f86d881c6b3ae47eb0e502b3ecefc
Author: Terin Stock <te...@gmail.com>
Date:   2014-04-19T03:48:46Z

    Initial support for user configurable SSL ciphers

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] couchdb pull request: User configurable SSL settings

Posted by rnewson <gi...@git.apache.org>.
Github user rnewson commented on a diff in the pull request:

    https://github.com/apache/couchdb/pull/213#discussion_r11796026
  
    --- Diff: src/couchdb/couch_httpd.erl ---
    @@ -39,11 +39,16 @@ start_link(http) ->
         start_link(?MODULE, [{port, Port}]);
     start_link(https) ->
         Port = couch_config:get("ssl", "port", "6984"),
    +    {ok, Ciphers} = couch_util:parse_term(couch_config:get("ssl", "ciphers", "[]")),
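    Review bot: the "[]" default on this line means that when `ciphers` is unset, `{ciphers, []}` still ends up in the ssl option list, because the filter applied later in this function (`ServerOpts = [Opt || {_, V}=Opt <- ServerOpts0, V /= nil]`) only drops options whose value is `nil`. Default to something that filter removes, so that an absent key leaves cipher selection to the Erlang ssl defaults instead of handing it an empty list.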
    --- End diff --
    
    replace "[]" with "nil".




[GitHub] couchdb pull request: User configurable SSL settings

Posted by terinjokes <gi...@git.apache.org>.
Github user terinjokes commented on a diff in the pull request:

    https://github.com/apache/couchdb/pull/213#discussion_r11796367
  
    --- Diff: src/couchdb/couch_httpd.erl ---
    @@ -39,11 +39,16 @@ start_link(http) ->
         start_link(?MODULE, [{port, Port}]);
     start_link(https) ->
         Port = couch_config:get("ssl", "port", "6984"),
    +    {ok, Ciphers} = couch_util:parse_term(couch_config:get("ssl", "ciphers", "[]")),
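    Review bot: matching `{ok, Ciphers}` directly on the result of `couch_util:parse_term/1` turns a malformed `ciphers` value into a `badmatch` crash of `start_link(https)` that never says which key was wrong. Handle the `{error, _}` return and fail with a message naming the `[ssl] ciphers` key, and skip the parse entirely when the value is unset rather than feeding a non-string default to `parse_term`.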
    --- End diff --
    
    While ssl is happy with nil inputs, couch_util:parse_term is not. I can try to come up with something to handle it, if need be.



[GitHub] couchdb pull request: User configurable SSL settings

Posted by rnewson <gi...@git.apache.org>.
Github user rnewson commented on a diff in the pull request:

    https://github.com/apache/couchdb/pull/213#discussion_r11796028
  
    --- Diff: src/couchdb/couch_httpd.erl ---
    @@ -39,11 +39,16 @@ start_link(http) ->
         start_link(?MODULE, [{port, Port}]);
     start_link(https) ->
         Port = couch_config:get("ssl", "port", "6984"),
    +    {ok, Ciphers} = couch_util:parse_term(couch_config:get("ssl", "ciphers", "[]")),
    +    {ok, Versions} = couch_util:parse_term(couch_config:get("ssl", "tls_versions", "[]")),
         ServerOpts0 =
             [{cacertfile, couch_config:get("ssl", "cacert_file", nil)},
              {keyfile, couch_config:get("ssl", "key_file", nil)},
              {certfile, couch_config:get("ssl", "cert_file", nil)},
    -         {password, couch_config:get("ssl", "password", nil)}],
    +         {password, couch_config:get("ssl", "password", nil)},
    +         {secure_renegotiate, couch_config:get("ssl", "secure_renegotiate", false)},
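    Review bot: `couch_config:get("ssl", "secure_renegotiate", false)` returns the ini value as a string when the key is set, so an administrator who writes `secure_renegotiate = true` ends up passing `{secure_renegotiate, "true"}` to ssl rather than the atom `true`; convert "true"/"false" to a boolean (and reject any other value) before building ServerOpts0. The `false` default also survives the later `V /= nil` filter, so use `nil` there, and likewise for the "[]" default on the `tls_versions` line above, so both options are omitted when unset.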
    --- End diff --
    
    replace false with nil



[GitHub] couchdb pull request: User configurable SSL settings

Posted by rnewson <gi...@git.apache.org>.
Github user rnewson commented on the pull request:

    https://github.com/apache/couchdb/pull/213#issuecomment-40892724
  
    https://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=commit;h=fdb2188afa4ed6b9b9aac1e4d3a989e73f0454ce



[GitHub] couchdb pull request: User configurable SSL settings

Posted by terinjokes <gi...@git.apache.org>.
Github user terinjokes closed the pull request at:

    https://github.com/apache/couchdb/pull/213



[GitHub] couchdb pull request: User configurable SSL settings

Posted by rnewson <gi...@git.apache.org>.
Github user rnewson commented on the pull request:

    https://github.com/apache/couchdb/pull/213#issuecomment-40882633
  
    I'll merge this once you update for default behavior as noted (and please squash those into the appropriate commit).



[GitHub] couchdb pull request: User configurable SSL settings

Posted by rnewson <gi...@git.apache.org>.
Github user rnewson commented on the pull request:

    https://github.com/apache/couchdb/pull/213#issuecomment-40882611
  
    All http/ssl options pass through this piece of code;
    
        ServerOpts = [Opt || {_, V}=Opt <- ServerOpts0, V /= nil],
    
    so set all these new properties to evaluate to nil by default, and they'll be cleanly omitted from the configuration.
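
An added example, not code from CouchDB or from this pull request: an Erlang module that builds the ssl option list the way the thread describes, covering both the new `[ssl]` keys named in the PR description (`ciphers`, `tls_versions`, `secure_renegotiate`) and the nil-filtering rule quoted above. Unset keys stay `nil` and are dropped, term-valued keys are parsed from their config strings with a parse failure reported by key instead of a `badmatch`, and the string "true"/"false" that an ini value arrives as is turned into the atom ssl expects. `config_get/3` is a constructed stand-in for `couch_config:get/3`, the helper names and the sample `[ssl]` values are made up for this example, and mapping `tls_versions` onto the Erlang ssl option `versions` is this example's choice.

```erlang
%% ssl_opts_example.erl (added example, not CouchDB code)
%% Build: erlc ssl_opts_example.erl
%% Run:   erl -noshell -s ssl_opts_example demo -s init stop
-module(ssl_opts_example).
-export([build_ssl_opts/1, demo/0]).

%% Constructed stand-in for couch_config:get/3: Config is a list of
%% {Key, Value} string pairs as an [ssl] ini section would yield;
%% an unset key returns Default, matching the nil defaults in the thread.
config_get(Config, Key, Default) ->
    proplists:get_value(Key, Config, Default).

%% Parse one Erlang term from a config string (the approach of
%% couch_util:parse_term/1), returning {error, _} instead of raising.
parse_term(Str) ->
    case erl_scan:string(Str ++ ".") of
        {ok, Tokens, _EndLoc} -> erl_parse:parse_term(Tokens);
        {error, ErrorInfo, _EndLoc} -> {error, ErrorInfo}
    end.

%% nil (unset) stays nil so the final filter drops the option; any other
%% value must parse, and a parse failure names the offending key.
term_value(_Key, nil) -> nil;
term_value(Key, Str) ->
    case parse_term(Str) of
        {ok, Term} -> Term;
        {error, Reason} -> throw({bad_config, Key, Reason})
    end.

%% Ini values arrive as strings, so "true" must become the atom true
%% before it reaches ssl; unset stays nil and is dropped; anything else
%% is rejected rather than silently passed through.
bool_value(_Key, nil) -> nil;
bool_value(_Key, "true") -> true;
bool_value(_Key, "false") -> false;
bool_value(Key, Other) -> throw({bad_config, Key, Other}).

%% Returns {ok, SslOpts} or {error, {bad_config, Key, Why}}.
build_ssl_opts(Config) ->
    try
        Opts0 =
            [{cacertfile, config_get(Config, "cacert_file", nil)},
             {keyfile, config_get(Config, "key_file", nil)},
             {certfile, config_get(Config, "cert_file", nil)},
             {password, config_get(Config, "password", nil)},
             {secure_renegotiate,
              bool_value("secure_renegotiate",
                         config_get(Config, "secure_renegotiate", nil))},
             {ciphers, term_value("ciphers", config_get(Config, "ciphers", nil))},
             %% tls_versions maps onto ssl's `versions` option (example's choice)
             {versions, term_value("tls_versions",
                                   config_get(Config, "tls_versions", nil))}],
        %% The filter quoted in the thread: every option still nil is omitted,
        %% so ssl only sees what the administrator actually set.
        {ok, [Opt || {_, V} = Opt <- Opts0, V /= nil]}
    catch
        throw:{bad_config, Key, Why} -> {error, {bad_config, Key, Why}}
    end.

demo() ->
    %% Constructed [ssl] section with every new key set.
    Full = [{"cert_file", "/etc/couchdb/cert/couchdb.pem"},
            {"key_file", "/etc/couchdb/cert/privkey.pem"},
            {"secure_renegotiate", "true"},
            {"ciphers", "[{ecdhe_rsa,aes_128_cbc,sha256}, {dhe_rsa,aes_256_cbc,sha}]"},
            {"tls_versions", "['tlsv1.2', 'tlsv1.1']"}],
    io:format("all keys set:~n  ~p~n", [build_ssl_opts(Full)]),
    %% Only cert and key set: ciphers, versions and secure_renegotiate are
    %% absent from the result rather than passed as [] or false.
    Minimal = [{"cert_file", "/etc/couchdb/cert/couchdb.pem"},
               {"key_file", "/etc/couchdb/cert/privkey.pem"}],
    io:format("only cert/key set:~n  ~p~n", [build_ssl_opts(Minimal)]),
    %% A truncated term is reported by key instead of crashing start_link.
    Broken = [{"ciphers", "[{ecdhe_rsa,aes_128_cbc"}],
    io:format("malformed ciphers:~n  ~p~n", [build_ssl_opts(Broken)]).
```

The cipher tuples in the sample use the three-element suite form Erlang ssl accepted at the time of this thread; the exact suite names an installation can use depend on its OTP release, which is why leaving the key unset and letting ssl choose is the intended default.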




[GitHub] couchdb pull request: User configurable SSL settings

Posted by rnewson <gi...@git.apache.org>.
Github user rnewson commented on the pull request:

    https://github.com/apache/couchdb/pull/213#issuecomment-40892697
  
    Merged, please close the PR (limitation of our GH integration). I tested every parameter and made some (minor) bug fixes. I also updated the http.rst documentation to match.
    
    Nice work, thanks!

