authorTerin Stock <terinjokes@gmail.com>2014-04-20 11:40:25 +0100
committerRobert Newson <rnewson@apache.org>2014-04-20 12:07:10 +0100
commitfdb2188afa4ed6b9b9aac1e4d3a989e73f0454ce (patch)
tree01ed79826fb9e02edefa6f1250a27103f8db9e56
parent4124506e7bb1febf457b10d76aed3b9909a61280 (diff)
downloadcouchdb-fdb2188afa4ed6b9b9aac1e4d3a989e73f0454ce.tar.gz
Support for user configurable SSL ciphers
-rw-r--r--etc/couchdb/local.ini9
-rw-r--r--share/doc/src/config/http.rst24
-rw-r--r--src/couchdb/couch_httpd.erl8
3 files changed, 40 insertions, 1 deletions
diff --git a/etc/couchdb/local.ini b/etc/couchdb/local.ini
index 8aae3315f..b10288184 100644
--- a/etc/couchdb/local.ini
+++ b/etc/couchdb/local.ini
@@ -75,6 +75,15 @@ verify_ssl_certificates = false
;verify_fun = {Module, VerifyFun}
; maximum peer certificate depth
ssl_certificate_max_depth = 1
+;
+; Reject renegotiations that do not live up to RFC 5746.
+;secure_renegotiate = true
+; The cipher suites that should be supported.
+; Can be specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}"
+; or in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
+;ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
+; The SSL/TLS versions to support
+;tls_versions = [sslv3, tlsv1, 'tlsv1.1', 'tlsv1.2']
; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
; the Virual Host will be redirected to the path. In the example below all requests
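Review bot: The commented example on the `;tls_versions = [sslv3, tlsv1, 'tlsv1.1', 'tlsv1.2']` line puts `sslv3` first in a list that users are likely to uncomment verbatim, and this option is what decides which protocol versions the server will negotiate; an example in a shipped config file should show only TLS versions, e.g. `;tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']`, leaving `sslv3` to be added deliberately by a deployment that needs it. The same example value is repeated in the http.rst hunk of this commit and would need the same change there. The comment above the ciphers line could also say that the value is an Erlang list literal, since the option is read with a term parser, e.g. `; Given as an Erlang list of cipher names, in erlang tuple format ... or OpenSSL name format ...`.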
diff --git a/share/doc/src/config/http.rst b/share/doc/src/config/http.rst
index 1ae3abeaa..dfe8d5a6c 100644
--- a/share/doc/src/config/http.rst
+++ b/share/doc/src/config/http.rst
@@ -387,6 +387,30 @@ Secure Socket Level Options
[ssl]
verify_ssl_certificates = false
+ .. config:option:: secure_renegotiate :: Enable secure renegotiation
+
+ Set to `true` to reject renegotiation attempt that does not live up to RFC 5746::
+
+ [ssl]
+ secure_renegotiate = true
+
+ .. config:option:: ciphers :: Specify permitted server cipher list
+
+ Set to the cipher suites that should be supported which can be
+ specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}" or
+ in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
+
+ [ssl]
+ ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
+
+ .. config:option:: tls_versions :: Specify permitted server SSL/TLS
+ protocol versions
+
+ Set to a list of permitted SSL/TLS protocol versions::
+
+ [ssl]
+ tls_versions = [sslv3 | tlsv1 | 'tlsv1.1' | 'tlsv1.2']
+
.. _cors:
.. _config/cors:
diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl
index 7ee3e3acc..3eb2e3990 100644
--- a/src/couchdb/couch_httpd.erl
+++ b/src/couchdb/couch_httpd.erl
@@ -39,11 +39,17 @@ start_link(http) ->
start_link(?MODULE, [{port, Port}]);
start_link(https) ->
Port = couch_config:get("ssl", "port", "6984"),
+ {ok, Ciphers} = couch_util:parse_term(couch_config:get("ssl", "ciphers", "nil")),
+ {ok, Versions} = couch_util:parse_term(couch_config:get("ssl", "tls_versions", "nil")),
+ {ok, SecureRenegotiate} = couch_util:parse_term(couch_config:get("ssl", "secure_renegotiate", "nil")),
ServerOpts0 =
[{cacertfile, couch_config:get("ssl", "cacert_file", nil)},
{keyfile, couch_config:get("ssl", "key_file", nil)},
{certfile, couch_config:get("ssl", "cert_file", nil)},
- {password, couch_config:get("ssl", "password", nil)}],
+ {password, couch_config:get("ssl", "password", nil)},
+ {secure_renegotiate, SecureRenegotiate},
+ {versions, Versions},
+ {ciphers, Ciphers}],
case (couch_util:get_value(keyfile, ServerOpts0) == nil orelse
couch_util:get_value(certfile, ServerOpts0) == nil) of
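Review bot: The three `{ok, X} = couch_util:parse_term(...)` lines added at the top of `start_link(https)` turn a typo in `ciphers`, `tls_versions` or `secure_renegotiate` into a bare `badmatch` at startup, while the certificate check a few lines below goes out of its way to print a readable message before throwing; the new options deserve the same treatment, especially since they decide which protocol versions and cipher suites the listener will accept. A small helper that reads and parses one `[ssl]` key, printing the key and raw value on failure, would keep the three lines short as well (the `secure_renegotiate` line is well over 100 columns). When an option is unset the code passes the atom `nil` through `ServerOpts0` as `{ciphers, nil}`, `{versions, nil}` and `{secure_renegotiate, nil}`; whether those entries are dropped before the list reaches the ssl layer is decided outside this hunk, so it is worth a comment on the helper that `nil` must be filtered by the caller. `start_link(https)` continues past the end of the hunk.
```erlang
start_link(https) ->
    Port = couch_config:get("ssl", "port", "6984"),
    Ciphers = ssl_config_term("ciphers"),
    Versions = ssl_config_term("tls_versions"),
    SecureRenegotiate = ssl_config_term("secure_renegotiate"),
    %% … unchanged: ServerOpts0 list, certificate check and the rest of start_link/1 …

%% Read an [ssl] option written as an Erlang term.  An absent option yields
%% the atom nil, which the caller must drop before the options reach ssl.
ssl_config_term(Key) ->
    Raw = couch_config:get("ssl", Key, "nil"),
    case couch_util:parse_term(Raw) of
        {ok, Term} ->
            Term;
        Other ->
            io:format("Invalid [ssl] ~s value ~p: ~p~n", [Key, Raw, Other]),
            throw({error, {invalid_ssl_option, Key}})
    end.
```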