Changes:

- Revert to the "old" SSL implementation on OTP < R14, since it is more stable than the new SSL implementation;
- SSL certificate validation is not enabled by default.
commit 01cd58ac22e3a34f997d76e2f945747f0a905832 1 parent 197de88
@fdmanana authored
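--- a/couchdb-1.0.1/etc/couchdb/default.ini.tpl.in
+++ b/couchdb-1.0.1/etc/couchdb/default.ini.tpl.in
@@ -123,8 +123,9 @@ compressible_types = text/*, application/javascript, application/json, applicat
 max_http_sessions = 10
 max_http_pipeline_size = 10
 ; set to true to validate peer certificates
-verify_ssl_certificates = true
-; file containing a list of peer trusted certificates
-ssl_trusted_certificates = /etc/ssl/certs/ca-certificates.crt
+verify_ssl_certificates = false
+; file containing a list of peer trusted certificates (PEM format)
+; ssl_trusted_certificates_file = /etc/ssl/certs/ca-certificates.crt
 ; maximum peer certificate depth (must be set even if certificate validation is off)
-ssl_certificate_max_depth = 3
+ssl_certificate_max_depth = 3
+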
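Review bot: The comment above `verify_ssl_certificates` still reads only "set to true to validate peer certificates" while the default on the next line is now `false`, so an operator reading the template gets no hint that HTTPS replication will not authenticate the remote server unless they opt in; I would extend it to `; set to true to validate peer certificates; when false (the default) the replicator does not authenticate the remote HTTPS endpoint`. The trusted-certificates key is also renamed from `ssl_trusted_certificates` to `ssl_trusted_certificates_file` and shipped commented out, so a local.ini that set the old name keeps `verify_ssl_certificates = true` but no longer points at any CA bundle. A comment such as `; (renamed from ssl_trusted_certificates; required when verify_ssl_certificates = true)` next to the commented-out line would make that migration step visible.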
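--- a/couchdb-1.0.1/src/couchdb/couch_rep_httpc.erl
+++ b/couchdb-1.0.1/src/couchdb/couch_rep_httpc.erl
@@ -250,17 +250,16 @@ ssl_options(#http_db{url = Url}) ->
 #url{protocol = https} ->
 start_ssl(),
 Depth = list_to_integer(
- couch_config:get("replicator", "ssl_certificate_max_depth", "3")),
- SslOptions = [{depth, Depth}] ++
+ couch_config:get("replicator", "ssl_certificate_max_depth", "3")
+ ),
+ SslOpts = [ {depth, Depth} |
 case couch_config:get("replicator", "verify_ssl_certificates") of
 "true" ->
- CAFile = couch_config:get("replicator", "ssl_trusted_certificates"),
- [{cacertfile, CAFile}, {verify, verify_peer}];
+ ssl_verify_options(true);
 _ ->
- [{verify, verify_none}]
- end,
- % new SSL implementation more efficient (available since OTP R12)
- [{is_ssl, true}, {ssl_options, [{ssl_imp, new} | SslOptions]}];
+ ssl_verify_options(false)
+ end ],
+ [{is_ssl, true}, {ssl_options, SslOpts}];
 #url{protocol = http} ->
 []
 end.
@@ -274,3 +273,17 @@ start_ssl(_OTPVersion) ->
 application:start(crypto),
 application:start(public_key),
 application:start(ssl).
+
+ssl_verify_options(Value) ->
+ ssl_verify_options(Value, erlang:system_info(otp_release)).
+
+ssl_verify_options(true, OTPVersion) when OTPVersion < "R14A"->
+ CAFile = couch_config:get("replicator", "ssl_trusted_certificates_file"),
+ [{verify, 2}, {cacertfile, CAFile}];
+ssl_verify_options(false, OTPVersion) when OTPVersion < "R14A"->
+ [{verify, 0}];
+ssl_verify_options(true, _OTPVersion) ->
+ CAFile = couch_config:get("replicator", "ssl_trusted_certificates_file"),
+ [{verify, verify_peer}, {cacertfile, CAFile}];
+ssl_verify_options(false, _OTPVersion) ->
+ [{verify, verify_none}].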