

Adding SSL certificate validation options to make replication over HTTPS work properly.
fdmanana committed Sep 13, 2010
1 parent d00770a commit 49eb401
Showing 4 changed files with 54 additions and 3 deletions.
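--- a/couchdb-1.0.1/etc/couchdb/default.ini.tpl.in
+++ b/couchdb-1.0.1/etc/couchdb/default.ini.tpl.in
@@ -121,4 +121,10 @@ compressible_types = text/*, application/javascript, application/json, applicat
 
 [replicator]
 max_http_sessions = 10
-max_http_pipeline_size = 10
+max_http_pipeline_size = 10
+; set to true to validate peer certificates
+verify_ssl_certificates = true
+; file containing a list of peer trusted certificates
+ssl_trusted_certificates = /etc/ssl/certs/ca-certificates.crt
+; maximum peer certificate validation depth
+ssl_certificate_max_depth = 2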
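Review bot: The comment above `verify_ssl_certificates` says what `true` does but not that any other value switches verification off entirely, which is how the Erlang side reads it (the `_ ->` branch of `ssl_options/1` in couch_rep_httpc.erl selects the no-verify options), and nothing says the three keys only matter for `https` endpoints. I would extend it to `; set to true to validate peer certificates of https replication endpoints; any other value disables validation`. The default `/etc/ssl/certs/ca-certificates.crt` is a distribution-specific bundle path, so a one-line hint that the file must exist and be readable on the host running the replicator would save a confusing handshake failure, since with validation on there appears to be no fallback when the file is absent.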
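--- a/couchdb-1.0.1/src/couchdb/couch_rep.erl
+++ b/couchdb-1.0.1/src/couchdb/couch_rep.erl
@@ -533,7 +533,10 @@ open_db({Props}, _UserCtx, ProxyParams, CreateTarget) ->
 auth = AuthProps,
 headers = lists:ukeymerge(1, Headers, DefaultHeaders)
 },
-Db = Db1#http_db{options = Db1#http_db.options ++ ProxyParams},
+Db = Db1#http_db{
+options = Db1#http_db.options ++ ProxyParams ++
+couch_rep_httpc:ssl_options(Db1)
+},
 couch_rep_httpc:db_exists(Db, CreateTarget);
 open_db(<<"http://",_/binary>>=Url, _, ProxyParams, CreateTarget) ->
 open_db({[{<<"url">>,Url}]}, [], ProxyParams, CreateTarget);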
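--- a/couchdb-1.0.1/src/couchdb/couch_rep_changes_feed.erl
+++ b/couchdb-1.0.1/src/couchdb/couch_rep_changes_feed.erl
@@ -83,7 +83,8 @@ init([_Parent, #http_db{}=Source, Since, PostProps] = Args) ->
 resource = "_changes",
 qs = QS,
 conn = Pid,
-options = [{stream_to, {self(), once}}, {response_format, binary}],
+options = [{stream_to, {self(), once}}] ++
+lists:keydelete(inactivity_timeout, 1, Source#http_db.options),
 headers = Source#http_db.headers -- [{"Accept-Encoding", "gzip"}]
 },
 {ibrowse_req_id, ReqId} = couch_rep_httpc:request(Req),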
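Review bot: The replaced `options` line drops the explicit `{response_format, binary}` that the old line set; the new list carries only `stream_to` plus whatever `Source#http_db.options` holds, so the changes-feed body is delivered as a binary only if the `#http_db` record's default options (not visible here) already include `response_format`, and any binary matching on the feed downstream silently depends on that. If the intent is merely to inherit the proxy and SSL options, keep the entry explicit: `options = [{stream_to, {self(), once}}, {response_format, binary}] ++` followed by the existing `lists:keydelete(...)` line. Note also that `lists:keydelete/3` removes only the first `inactivity_timeout` tuple, so a duplicated entry would survive. The enclosing `init/1` starts and ends outside the hunk.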
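--- a/couchdb-1.0.1/src/couchdb/couch_rep_httpc.erl
+++ b/couchdb-1.0.1/src/couchdb/couch_rep_httpc.erl
@@ -16,6 +16,7 @@
 
 -export([db_exists/1, db_exists/2, full_url/1, request/1, redirected_request/2,
 spawn_worker_process/1, spawn_link_worker_process/1]).
+-export([ssl_options/1]).
 
 request(#http_db{} = Req) ->
 do_request(Req).
@@ -243,3 +244,43 @@ oauth_header(Url, QS, Action, Props) ->
 Params = oauth:signed_params(Method, Url, QSL, Consumer, Token, TokenSecret)
 -- QSL,
 {"Authorization", "OAuth " ++ oauth_uri:params_to_header_string(Params)}.
+
+ssl_options(#http_db{url = Url}) ->
+case ibrowse_lib:parse_url(Url) of
+#url{protocol = https} ->
+start_ssl(),
+Opts = case couch_config:get("replicator", "verify_ssl_certificates") of
+"true" ->
+CAFile = couch_config:get("replicator", "ssl_trusted_certificates"),
+Depth = list_to_integer(
+couch_config:get("replicator", "ssl_certificate_max_depth", "2")
+),
+[{cacertfile, CAFile}, {depth, Depth} | ssl_verify_options(true)];
+_ ->
+ssl_verify_options(false)
+end,
+[{is_ssl, true}, {ssl_options, Opts}];
+http ->
+[]
+end.
+
+start_ssl() ->
+start_ssl(erlang:system_info(otp_release)).
+
+start_ssl(OTPVersion) when OTPVersion < "R14A" ->
+application:start(ssl);
+start_ssl(_OTPVersion) ->
+application:start(public_key),
+application:start(ssl).
+
+ssl_verify_options(Value) ->
+ssl_verify_options(Value, erlang:system_info(otp_release)).
+
+ssl_verify_options(true, OTPVersion) when OTPVersion < "R14A"->
+[{verify, 2}];
+ssl_verify_options(false, OTPVersion) when OTPVersion < "R14A"->
+[{verify, 0}];
+ssl_verify_options(true, _OTPVersion) ->
+[{verify, verify_peer}, {fail_if_no_peer_cert, true}];
+ssl_verify_options(false, _OTPVersion) ->
+[{verify, verify_none}, {fail_if_no_peer_cert, false}].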
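Review bot: The second clause of the `case` in `ssl_options/1` matches the bare atom `http`, while the first clause matches a `#url{}` record; since `ibrowse_lib:parse_url/1` returns a `#url{}` record for every URL it can parse (as the first clause itself assumes), a plain `http://` source or target matches neither clause and `open_db` in couch_rep.erl, which now calls this function unconditionally, fails with `case_clause` for every non-SSL replication. That clause should read `#url{protocol = http} -> []`. Separately, `start_ssl/1` and `ssl_verify_options/2` classify the runtime by a plain string comparison against `"R14A"`; that orders `"R13B..."` and `"R14B..."` correctly, but a release string that does not begin with `R` (newer OTP releases report plain numbers such as `"17"`) sorts below `"R14A"` and would be routed to the legacy `{verify, 2}` branch, so the comparison deserves a comment and a parsed, version-aware check. When `verify_ssl_certificates` is `true` but `ssl_trusted_certificates` is unset, `couch_config:get/2` appears to yield `undefined`, which is passed through as `{cacertfile, undefined}`; returning an explicit `{error, {missing_config, ssl_trusted_certificates}}` or logging it would be clearer than the later handshake failure. It is also worth stating in a comment on `ssl_options/1` that these options validate the peer's chain against the CA file and depth but do not themselves tie the presented certificate to the host name in the URL, so operators know what the check does and does not cover.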
