From c8a7b5f8af77aad56c5c41d1b2a89440a0fbfa5e Mon Sep 17 00:00:00 2001
From: Klaus Trainer
Date: Mon, 12 May 2014 01:43:05 +0200
Subject: [PATCH] Support `fail_if_no_peer_cert` ssl option
---
 etc/couchdb/local.ini | 2 ++
 share/doc/src/config/http.rst | 11 +++++++++++
 src/couchdb/couch_httpd.erl | 5 +++++
 3 files changed, 18 insertions(+)
diff --git a/etc/couchdb/local.ini b/etc/couchdb/local.ini
index b102881846c..fef250877b7 100644
--- a/etc/couchdb/local.ini
+++ b/etc/couchdb/local.ini
@@ -66,6 +66,8 @@
 ;password = somepassword
 ; set to true to validate peer certificates
 verify_ssl_certificates = false
+; Set to true to fail if the client does not send a certificate. Only used if verify_ssl_certificates is true.
+fail_if_no_peer_cert = false
 ; Path to file containing PEM encoded CA certificates (trusted
 ; certificates used for verifying a peer certificate). May be omitted if
 ; you do not want to verify the peer.
diff --git a/share/doc/src/config/http.rst b/share/doc/src/config/http.rst
index dfe8d5a6c24..f4fade1e9e8 100644
--- a/share/doc/src/config/http.rst
+++ b/share/doc/src/config/http.rst
@@ -387,6 +387,17 @@ Secure Socket Level Options
 [ssl]
 verify_ssl_certificates = false
+ .. config:option:: fail_if_no_peer_cert :: Require presence of client certificate if certificate verification is enabled
+
+ Set to `true` to terminate the TLS/SSL handshake with a
+ `handshake_failure` alert message if the client does not send a
+ certificate. Only used if `verify_ssl_certificates` is `true`. If
+ set to `false` it will only fail if the client sends an invalid
+ certificate (an empty certificate is considered valid)::
+
+ [ssl]
+ fail_if_no_peer_cert = false
+
 .. config:option:: secure_renegotiate :: Enable secure renegotiation
 Set to `true` to reject renegotiation attempt that does not live up to RFC 5746::
diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl
index cc5c3d3851a..78962523fd8 100644
--- a/src/couchdb/couch_httpd.erl
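Review bot: The comment on the new `fail_if_no_peer_cert` line does not say what the shipped default `false` means once `verify_ssl_certificates` is on: by this same patch's rst text, a client that sends no certificate at all still passes verification, so turning on `verify_ssl_certificates` alone never forces client-certificate authentication. Operators who read only local.ini would reasonably assume the opposite, and that is the security-relevant consequence of the default. I would extend the comment to `; Set to true to fail if the client does not send a certificate. Only used if` / `; verify_ssl_certificates is true. While false, a client that presents no certificate` / `; at all is still accepted, so set it to true to make client certificates mandatory.`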
+++ b/src/couchdb/couch_httpd.erl
@@ -66,8 +66,13 @@ start_link(https) ->
 "false" -> [];
 "true" ->
+ FailIfNoPeerCert = case couch_config:get("ssl", "fail_if_no_peer_cert", "false") of
+ "false" -> false;
+ "true" -> true
+ end,
 [{depth, list_to_integer(couch_config:get("ssl", "ssl_certificate_max_depth", "1"))},
+ {fail_if_no_peer_cert, FailIfNoPeerCert},
 {verify, verify_peer}] ++
 case couch_config:get("ssl", "verify_fun", nil) of
 nil -> [];
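Review bot: The new `{fail_if_no_peer_cert, FailIfNoPeerCert}` entry is placed next to `{verify, verify_peer}` with no comment, and its default is the security-relevant part: the patch's own rst text says an absent client certificate is then treated as valid, so `verify_peer` on its own does not make a client certificate mandatory. I would put that above the new `case`, e.g. `%% With verify_peer, fail_if_no_peer_cert=false still accepts clients that send no certificate at all; operators must set it to true to require client certs.` The `case` also matches only the literal strings "false" and "true", so any other value in local.ini (e.g. `True`, `yes`) fails `start_link(https)` at startup with a `case_clause` rather than a readable configuration error; the surrounding `verify_ssl_certificates` branch visible in the context lines is written the same way, so this is a pre-existing style rather than a regression of this hunk. `start_link(https)` and the enclosing `case` expression begin before and continue past this hunk.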