CouchDB failed to replicate over TLS due to outdated Erlang SSL version in package #86

@huangyq23

Expected Behavior

A CouchDB installed via the apache repo can connect to https://replicate.npmjs.com/registry during replication

Current Behavior

CouchDB fails with Bad Record MAC due to a bug in the ssl module in Erlang < 21.2

We highly suspect this is the same bug as https://www.erlang.org/patches/otp-21.2.1#ssl-9.1.1
The bug in ssl module is fixed in Erlang OTP 21.2.1 and ssl-9.1.1.

But the packaged Erlang in this repo is still 20.3.8.25-1 with ssl-8.2.6.4
https://github.com/apache/couchdb-pkg/blob/main/.travis.yml#L15

Possible Solution

Update the packaged version of Erlang to 21+ or find a way to bump only the SSL module version.

Steps to Reproduce (for bugs)

  1. Run couchdb via docker

         docker run -p 5984:5984 -e COUCHDB_USER=admin -e COUCHDB_PASSWORD=password -ti --rm couchdb:3.2.1

  2. Create registry db

         curl -XPUT http://admin:password@localhost:5984/registry

  3. Set up replication from npm

         curl -XPUT http://admin:password@localhost:5984/_replicator/npm-mirror -d '{"source":"https://replicate.npmjs.com/registry", "target":"http://admin:password@localhost:5984/registry", "continuous":true, "create_target": true, "user_ctx": {"name": "admin", "roles": ["_admin"]}}' -H "Content-Type: application/json"

  4. Observe log

         TLS client: In state cipher received SERVER ALERT: Fatal - Bad Record MAC

Context

We are using the CouchDB Docker image from https://github.com/apache/couchdb-docker to set up an npm registry mirror for internal use.
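
A check an operator could run against the versions named in this report, added here as an example and not part of the original issue or the CouchDB project: it compares an Erlang `ssl` application version with ssl-9.1.1, the release the report cites as carrying the fix. The function names, the `--local` switch and the `ERL` variable are assumptions of this example, as is `erl` being reachable on the host or in the container being inspected.

```shell
#!/bin/sh
# Added example (not from the issue): report whether an Erlang ssl application
# version predates ssl-9.1.1, the release the issue cites as carrying the fix.
FIXED_SSL="9.1.1"   # taken from the issue text

# ver_lt A B -> 0 if A < B, 1 if A >= B, 2 if either is not a dotted number.
# Components compare numerically; missing ones count as 0 (9.1 < 9.1.1).
# Uses the global scratch variables _a _b _x _y _v (POSIX sh has no "local").
ver_lt() {
    for _v in "$1" "$2"; do
        case "$_v" in ''|*[!0-9.]*|.*|*.|*..*) return 2 ;; esac
    done
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*} _y=${_b%%.*}
        case "$_a" in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case "$_b" in *.*) _b=${_b#*.} ;; *) _b= ;; esac
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 1
    done
    return 1
}

# ssl_status VSN -> prints predates-fix | at-or-after-fix | unparseable
ssl_status() {
    ver_lt "$1" "$FIXED_SSL" && _rc=0 || _rc=$?
    case "$_rc" in
        0) echo predates-fix ;;
        1) echo at-or-after-fix ;;
        *) echo unparseable ;;
    esac
}

# local_ssl_vsn -> ssl version of the local runtime.
# Assumption: erl is on PATH, or ERL points at the erl binary to query.
local_ssl_vsn() {
    "${ERL:-erl}" -noshell -eval \
        'application:load(ssl), {ok, V} = application:get_key(ssl, vsn), io:format("~s~n", [V]), halt().'
}

# Usage: check.sh 8.2.6.4   (classify a given version)
#        check.sh --local   (query the local Erlang runtime)
case "${1:-}" in
    "")      : ;;
    --local) ssl_status "$(local_ssl_vsn)" ;;
    *)       ssl_status "$1" ;;
esac
```

The comparison is purely numeric on the version string, so it says only whether the runtime predates ssl-9.1.1, not whether a given build carries a backported patch.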
