Posted to notifications@couchdb.apache.org by "jiahuili430 (via GitHub)" <gi...@apache.org> on 2023/05/19 13:05:52 UTC

[GitHub] [couchdb] jiahuili430 commented on a diff in pull request #4575: TLS: add {verify, verify_peer} to enable verification for OTP 26

jiahuili430 commented on code in PR #4575:
URL: https://github.com/apache/couchdb/pull/4575#discussion_r1198937030


##########
configure:
##########
@@ -69,22 +69,58 @@ Options:
 EOF
 }
 
-# This is just an example to generate a certfile for TLS distribution.
-# This is not an endorsement of specific expiration limits, key sizes, or algorithms.
+# Just an example to generate certificates for TLS distribution.
+# It's not an endorsement of specific expiration limits, key sizes, or algorithms.
 generate_tls_dev_cert() {
-    if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
-        openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
-        cat key.pem cert.pem > dev/erlserver.pem && rm key.pem cert.pem
-    fi
+    if [ "$ERLANG_VER" -lt 26 ]; then
+        if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
+            openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
+            cat key.pem cert.pem > dev/erlserver.pem && rm key.pem cert.pem
+        fi
 
-    if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
-        cat > "${rootdir}/dev/couch_ssl_dist.conf" << EOF
-[{server,
-  [{certfile, "${rootdir}/dev/erlserver.pem"},
-   {secure_renegotiate, true}]},
- {client,
-  [{secure_renegotiate, true}]}].
+        if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
+            cat >"${rootdir}/dev/couch_ssl_dist.conf" <<EOF
+[{server, [
+    {certfile, "${rootdir}/dev/erlserver.pem"},
+    {secure_renegotiate, true}
+  ]},
+  {client, [
+    {secure_renegotiate, true}
+  ]}
+].
 EOF
+        fi
+    else
+        if [ ! -e "${rootdir}/dev/erlserver.pem" ]; then
+            echo "Make sure to use different values for the Common Name (FQDN) in CA certificate and certificate."
+            read -p "Common Name (CA certificate): " fqdn_ca
+            read -p "Common Name (certificate): " fqdn
+
+            echo "Generate CA certificate:"
+            openssl genrsa 2048 >ca-key.pem
+            openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem -subj "/CN=$fqdn_ca"
+            echo "Generate certificate:"
+            openssl req -newkey rsa:2048 -nodes -days 3650 -keyout key.pem -out req.pem -subj "/CN=$fqdn"
+            openssl x509 -req -days 3650 -set_serial 01 -in req.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem
+            openssl verify -CAfile ca-cert.pem ca-cert.pem cert.pem
+            cat key.pem cert.pem >dev/erlserver.pem && mv ca-cert.pem dev/ && rm ca-key.pem key.pem cert.pem req.pem
+        fi
+
+        if [ ! -e "${rootdir}/dev/couch_ssl_dist.conf" ]; then
+            cat >"${rootdir}/dev/couch_ssl_dist.conf" <<EOF
+[{server, [
+    {certfile, "${rootdir}/dev/erlserver.pem"},
+    {secure_renegotiate, true}
+  ]},
+  {client, [
+    {secure_renegotiate, true},
+    {verify, verify_peer},
+    {cacertfile, "${rootdir}/dev/ca-cert.pem"},
+    {server_name_indication, "$fqdn"}
+  ]}
+].

Review Comment:
   I'll keep trying, thanks for the suggestion.


