authorRobert Newson <rnewson@apache.org>2016-04-29 22:57:01 +0100
committerRobert Newson <rnewson@apache.org>2016-04-29 23:12:07 +0100
commitc08961e3540f3ecf4ec2e6f99089b8d2133114df (patch)
treef3257c923821a18a7443375cbe6c656fcb26a980
parent9f4103f5b5765e9154bdd2210ce98d3cd95b9d3d (diff)
Configure CouchDB for encrypted traffic all over
-rw-r--r--.gitignore2
-rw-r--r--Makefile14
-rw-r--r--rel/overlay/etc/vm.args6
3 files changed, 21 insertions, 1 deletions
diff --git a/.gitignore b/.gitignore
index 77ae5209f..0c901efa6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,5 @@ src/couch/priv/couchspawnkillable
.rebar
bin/
apache-couchdb-*/
+
+*.pem
diff --git a/Makefile b/Makefile
index cefc5daff..40399ae46 100644
--- a/Makefile
+++ b/Makefile
@@ -63,7 +63,7 @@ help:
.PHONY: couch
# target: couch - Build CouchDB core
-couch: config.erl
+couch: certs config.erl
@COUCHDB_VERSION=$(COUCHDB_VERSION) $(REBAR) compile
@cp src/couch/priv/couchjs bin/
@@ -299,6 +299,7 @@ clean:
@rm -f src/couch/priv/couchspawnkillable
@rm -f src/couch/priv/couch_js/config.h
@rm -f dev/boot_node.beam dev/pbkdf2.pyc log/crash.log
+ @rm -r *.pem
.PHONY: distclean
@@ -362,3 +363,14 @@ ifeq ($(with_fauxton), 1)
@echo "Building Fauxton"
@cd src/fauxton && npm install --production && ./node_modules/grunt-cli/bin/grunt couchdb
endif
+
+certs: ecc_cert.pem
+
+%_cert.pem: %_key.pem %_csr.pem
+ @openssl req -x509 -days 99999 -key $*_key.pem -in $*_csr.pem -out $@
+
+%_csr.pem: %_key.pem
+ @openssl req -new -key $< -out $@ -subj "/O=Apache Software Foundation/OU=Apache CouchDB"
+
+ecc_key.pem:
+ @openssl ecparam -genkey -name prime256v1 -out ecc_key.pem
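Review bot: The `ecc_key.pem` recipe writes the private key under the caller's default umask, so the key is normally created world-readable; generate it under a restrictive mask and use the automatic variable instead of repeating the file name, `@umask 077 && openssl ecparam -genkey -name prime256v1 -out $@`. `certs` produces no file of that name, so it should be declared `.PHONY: certs` like the neighbouring targets, otherwise a stray file called `certs` silently satisfies the new `couch` prerequisite. In the `clean` hunk above, `@rm -r *.pem` aborts the recipe when no `.pem` file exists (the unexpanded glob is passed to rm) and `-r` is unnecessary for plain files; `@rm -f *.pem` matches the surrounding lines. The `-x509 -days 99999` certificate is self-signed with a fixed subject, which is fine for a development identity but deserves a comment above the `certs` rule, e.g. `# Self-signed development certificate; not for production use`.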
diff --git a/rel/overlay/etc/vm.args b/rel/overlay/etc/vm.args
index b69ad829b..462195e3a 100644
--- a/rel/overlay/etc/vm.args
+++ b/rel/overlay/etc/vm.args
@@ -31,5 +31,11 @@
# Start a pool of asynchronous IO threads
+A 16
+# Encrypt the RPC traffic
+-proto_dist inet_tls
+-ssl_dist_opt server_certfile "ecc_cert.pem"
+-ssl_dist_opt server_keyfile "ecc_key.pem"
+-ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true
+
# Comment this line out to enable the interactive Erlang shell on startup
+Bd -noinput
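Review bot: The new `-ssl_dist_opt` lines supply only the server certificate and key and no `server_verify`/`client_verify` options, so the distribution channel is encrypted but neither side authenticates its peer: a node presenting any certificate is accepted and the cookie remains the only access control. If peer authentication is intended, the self-signed `ecc_cert.pem` can serve as the trust anchor, e.g. `-ssl_dist_opt server_verify verify_peer server_fail_if_no_peer_cert true server_cacertfile "ecc_cert.pem"` and `-ssl_dist_opt client_verify verify_peer client_cacertfile "ecc_cert.pem" client_certfile "ecc_cert.pem" client_keyfile "ecc_key.pem"`. If encryption alone is the goal, as the commit title suggests, the added comment should say so: `# Encrypt the RPC traffic (peers are not authenticated by TLS; the cookie still gates access)`. The certificate paths are relative, so they presumably resolve against the node's working directory at startup rather than the Makefile's location — worth confirming, or making the paths absolute in the release overlay.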