authorKlaus Trainer <klaus_trainer@apache.org>2014-05-12 01:43:05 +0200
committerKlaus Trainer <klaus_trainer@apache.org>2014-05-14 16:32:59 +0200
commit7f9f66e8be6ce00ee87d2ed23f8ae0ce453b0f12 (patch)
tree0cd57405131cb9a1158293c1973dfc1b25864a66
parentad8e28c8037416d56d2c527045063cb7cd927869 (diff)
downloadcouchdb-7f9f66e8be6ce00ee87d2ed23f8ae0ce453b0f12.tar.gz
Support `fail_if_no_peer_cert` ssl option
-rw-r--r--etc/couchdb/local.ini2
-rw-r--r--share/doc/src/config/http.rst11
-rw-r--r--src/couchdb/couch_httpd.erl5
3 files changed, 18 insertions, 0 deletions
diff --git a/etc/couchdb/local.ini b/etc/couchdb/local.ini
index b10288184..fef250877 100644
--- a/etc/couchdb/local.ini
+++ b/etc/couchdb/local.ini
@@ -66,6 +66,8 @@
;password = somepassword
; set to true to validate peer certificates
verify_ssl_certificates = false
+; Set to true to fail if the client does not send a certificate. Only used if verify_ssl_certificates is true.
+fail_if_no_peer_cert = false
; Path to file containing PEM encoded CA certificates (trusted
; certificates used for verifying a peer certificate). May be omitted if
; you do not want to verify the peer.
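Review bot: The new comment on the `fail_if_no_peer_cert` line does not tell the operator what the default actually permits: with this left at `false`, `verify_ssl_certificates = true` still lets a client that presents no certificate complete the handshake (the http.rst hunk in this same commit says an empty certificate is treated as valid). Anyone relying on client certificates for authentication needs that spelled out next to the setting, since the ini file is what they edit. Suggested wording for the comment: `; Set to true to fail the TLS handshake if the client sends no certificate. Only used if verify_ssl_certificates is true; when false, a client with no certificate is still accepted.`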
diff --git a/share/doc/src/config/http.rst b/share/doc/src/config/http.rst
index dfe8d5a6c..f4fade1e9 100644
--- a/share/doc/src/config/http.rst
+++ b/share/doc/src/config/http.rst
@@ -387,6 +387,17 @@ Secure Socket Level Options
[ssl]
verify_ssl_certificates = false
+ .. config:option:: fail_if_no_peer_cert :: Require presence of client certificate if certificate verification is enabled
+
+ Set to `true` to terminate the TLS/SSL handshake with a
+ `handshake_failure` alert message if the client does not send a
+ certificate. Only used if `verify_ssl_certificates` is `true`. If
+ set to `false` it will only fail if the client sends an invalid
+ certificate (an empty certificate is considered valid)::
+
+ [ssl]
+ fail_if_no_peer_cert = false
+
.. config:option:: secure_renegotiate :: Enable secure renegotiation
Set to `true` to reject renegotiation attempt that does not live up to RFC 5746::
diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl
index cc5c3d385..78962523f 100644
--- a/src/couchdb/couch_httpd.erl
+++ b/src/couchdb/couch_httpd.erl
@@ -66,8 +66,13 @@ start_link(https) ->
"false" ->
[];
"true" ->
+ FailIfNoPeerCert = case couch_config:get("ssl", "fail_if_no_peer_cert", "false") of
+ "false" -> false;
+ "true" -> true
+ end,
[{depth, list_to_integer(couch_config:get("ssl",
"ssl_certificate_max_depth", "1"))},
+ {fail_if_no_peer_cert, FailIfNoPeerCert},
{verify, verify_peer}] ++
case couch_config:get("ssl", "verify_fun", nil) of
nil -> [];
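Review bot: The added `case couch_config:get("ssl", "fail_if_no_peer_cert", "false") of` has clauses only for `"false"` and `"true"`, so any other value in the ini file (e.g. `True`, `yes`, trailing whitespace) aborts `start_link(https)` with a bare `{case_clause, ...}` that does not name the offending setting. Since this value comes straight from the config file, a third clause that reports the key would make the failure diagnosable: `Other -> throw({invalid_config_value, {"ssl", "fail_if_no_peer_cert", Other}})`. The surrounding `verify_ssl_certificates` case at the top of the hunk appears to have the same shape, so if that pattern is kept for consistency the ini comment should at least state that only the literal strings `true`/`false` are accepted. `start_link(https)` begins before this hunk and the enclosing `verify_fun` case continues past its last line.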