author | Robert Newson <rnewson@apache.org> | 2014-01-12 11:57:41 +0000 |
---|---|---|
committer | Robert Newson <rnewson@apache.org> | 2014-01-12 12:47:19 +0000 |
commit | 4925bf6bee49cf77aaf83311b8c7d361dc5b2252 (patch) | |
tree | a422128843095f81b425889265f4d80c3db09ea3 | |
parent | a749ecb25ee4b79777dfb022a40984d30f56c132 (diff) | |
Allow cacertfile without verifying peers (branch: 2028-feature-intermediate-tls-certs)
-rw-r--r-- | src/couchdb/couch_httpd.erl | 81 |
1 files changed, 33 insertions, 48 deletions
diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl
index 465bc7a41..1372dec15 100644
--- a/src/couchdb/couch_httpd.erl
+++ b/src/couchdb/couch_httpd.erl
@@ -39,57 +39,42 @@ start_link(http) ->
 start_link(?MODULE, [{port, Port}]);
 start_link(https) ->
 Port = couch_config:get("ssl", "port", "6984"),
- CertFile = couch_config:get("ssl", "cert_file", nil),
- KeyFile = couch_config:get("ssl", "key_file", nil),
- Options = case CertFile /= nil andalso KeyFile /= nil of
+ ServerOpts0 =
+ [{cacertfile, couch_config:get("ssl", "cacert_file", nil)},
+ {keyfile, couch_config:get("ssl", "key_file", nil)},
+ {certfile, couch_config:get("ssl", "cert_file", nil)},
+ {password, couch_config:get("ssl", "password", nil)}],
+
+ case (couch_util:get_value(keyfile, ServerOpts0) == nil orelse
+ couch_util:get_value(certfile, ServerOpts0) == nil) of
 true ->
- SslOpts = [{certfile, CertFile}, {keyfile, KeyFile}],
-
- %% set password if one is needed for the cert
- SslOpts1 = case couch_config:get("ssl", "password", nil) of
- nil -> SslOpts;
- Password ->
- SslOpts ++ [{password, Password}]
- end,
- % do we verify certificates ?
- FinalSslOpts = case couch_config:get("ssl",
- "verify_ssl_certificates", "false") of
- "false" -> SslOpts1;
- "true" ->
- case couch_config:get("ssl",
- "cacert_file", nil) of
- nil ->
- io:format("Verify SSL certificate "
- ++"enabled but file containing "
- ++"PEM encoded CA certificates is "
- ++"missing", []),
- throw({error, missing_cacerts});
- CaCertFile ->
- Depth = list_to_integer(couch_config:get("ssl",
- "ssl_certificate_max_depth",
- "1")),
- FinalOpts = [
- {cacertfile, CaCertFile},
- {depth, Depth},
- {verify, verify_peer}],
- % allows custom verify fun.
- case couch_config:get("ssl",
- "verify_fun", nil) of
- nil -> FinalOpts;
- SpecStr ->
- FinalOpts
- ++ [{verify_fun, make_arity_3_fun(SpecStr)}]
- end
- end
- end,
-
- [{port, Port},
- {ssl, true},
- {ssl_opts, FinalSslOpts}];
- false ->
 io:format("SSL enabled but PEM certificates are missing.", []),
- throw({error, missing_certs})
+ throw({error, missing_certs});
+ false ->
+ ok
 end,
+
+ ServerOpts = [Opt || {_, V}=Opt <- ServerOpts0, V /= nil],
+
+ ClientOpts = case couch_config:get("ssl", "verify_ssl_certificates", "false") of
+ "false" ->
+ [];
+ "true" ->
+ [{depth, list_to_integer(couch_config:get("ssl",
+ "ssl_certificate_max_depth", "1"))},
+ {verify, verify_peer}] ++
+ case couch_config:get("ssl", "verify_fun", nil) of
+ nil -> [];
+ SpecStr ->
+ [{verify_fun, make_arity_3_fun(SpecStr)}]
+ end
+ end,
+ SslOpts = ServerOpts ++ ClientOpts,
+
+ Options =
+ [{port, Port},
+ {ssl, true},
+ {ssl_opts, SslOpts}],
 start_link(https, Options).
 start_link(Name, Options) ->
 % read config and register for configuration changes |
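Review bot: The startup check that `verify_ssl_certificates = true` requires a `cacert_file` is dropped: the new `"true"` branch of `ClientOpts` adds `{verify, verify_peer}` unconditionally, while `cacertfile` only survives the `V /= nil` filter into `ServerOpts` when it is configured, so a verify-enabled server with no CA file now starts instead of throwing `{error, missing_cacerts}` as the removed branch did. Without a trust store, presumably no presented client certificate can be validated, and the operator gets no signal at boot that peer verification is not doing what was configured. The commit's aim of passing `cacertfile` regardless of the verify setting does not need that check removed; it can live inside the `"true"` branch, using the same `couch_util:get_value(..., ServerOpts0) == nil` form the hunk already uses for `keyfile`/`certfile`. The new comparisons would also read better as `=:=` / `=/=` rather than `==` / `/=`, since nothing here is numeric.
```erlang
    ClientOpts = case couch_config:get("ssl", "verify_ssl_certificates", "false") of
        "false" ->
            [];
        "true" ->
            %% verify_peer with no CA file cannot validate any peer
            %% certificate; fail at startup as the previous code did.
            case couch_util:get_value(cacertfile, ServerOpts0) == nil of
                true ->
                    io:format("Verify SSL certificate enabled but file containing "
                              "PEM encoded CA certificates is missing", []),
                    throw({error, missing_cacerts});
                false ->
                    ok
            end,
            % … unchanged: depth / verify_peer / verify_fun options …
    end,
```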