Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Won't Fix
Affects Version/s: 1.2
Fix Version/s: None
Environment: OSX 10.7/Ubuntu 11.10, Erlang R15B/R14B4
Description
CouchDB commit: 4cd60f3d1683a3445c3248f48ae064fb573db2a1 (from build-couchdb) on both platforms (OSX / R14B4, and Ubuntu / R15B).
Attempting to use client SSL certificate validation. In local.ini, if I specify cert_file and key_file, server SSL certificate functionality works as expected. If I also specify a cacert_file and set verify_ssl_certificates = true, I get the following crash:
============
[info] [<0.31.0>] Apache CouchDB has started on https://127.0.0.1:6984/
[error] [<0.165.0>] SSL: hello: ssl_handshake.erl:249:Fatal error: internal error
=ERROR REPORT==== 23-Mar-2012::17:12:03 ===
SSL: hello: ssl_handshake.erl:249:Fatal error: internal error
[error] [<0.164.0>] SSL: hello: ssl_handshake.erl:249:Fatal error: internal error
=ERROR REPORT==== 23-Mar-2012::17:12:03 ===
SSL: hello: ssl_handshake.erl:249:Fatal error: internal error
[error] [<0.166.0>] SSL: hello: ssl_handshake.erl:249:Fatal error: internal error
=ERROR REPORT==== 23-Mar-2012::17:12:03 ===
SSL: hello: ssl_handshake.erl:249:Fatal error: internal error
[error] [<0.145.0>] {error_report,<0.30.0>,
{<0.145.0>,std_error,
[
"Accept failed error",
"{error,\"internal error\"}"]}}
=ERROR REPORT==== 23-Mar-2012::17:12:03 ===
application: mochiweb
"Accept failed error"
"{error,"internal error"}"
[error] [<0.144.0>] {error_report,<0.30.0>,
{<0.144.0>,std_error,
[{application,mochiweb}
,
"Accept failed error",
"
=ERROR REPORT==== 23-Mar-2012::17:12:03 ===
application: mochiweb
"Accept failed error"
"{error,"internal error"}
"
[error] [<0.145.0>] {error_report,<0.30.0>,
{<0.145.0>,crash_report,
[[{initial_call,
{mochiweb_acceptor,init,
['Argument__1','Argument__2','Argument__3']}},
,
,
{error_info,
{exit,
[{mochiweb_acceptor,init,3,
[{file, "/Users/ussjoin/Desktop/build-couchdb/dependencies/couchdb/src/mochiweb/mochiweb_acceptor.erl"},
{line,33}]},
{proc_lib,init_p_do_apply,3,
[{file,"proc_lib.erl"},{line,227}]}]}},
{ancestors, [https,couch_secondary_services,couch_server_sup, <0.31.0>]},
{messages,[]},
{links,[<0.142.0>]},
{dictionary,[]},
{trap_exit,false},
{status,running},
{heap_size,2584},
{stack_size,24},
{reductions,912}],
[]]}}
=CRASH REPORT==== 23-Mar-2012::17:12:03 ===
crasher:
initial call: mochiweb_acceptor:init/3
pid: <0.145.0>
registered_name: []
exception exit: {error,accept_failed}
in function mochiweb_acceptor:init/3 (/Users/ussjoin/Desktop/build-couchdb/dependencies/couchdb/src/mochiweb/mochiweb_acceptor.erl, line 33)
ancestors: [https,couch_secondary_services,couch_server_sup,<0.31.0>]
messages: []
links: [<0.142.0>]
dictionary: []
trap_exit: false
status: running
heap_size: 2584
stack_size: 24
reductions: 912
neighbours:
[error] [<0.142.0>] {error_report,<0.30.0>,
{<0.142.0>,std_error,
{mochiweb_socket_server,310,
{acceptor_error,
}}}}
============
From the browser side, the browser was never even asked by CouchDB to submit a client certificate; it crashes before it gets to that point.
Similar result when specifying ssl_trusted_certificates_file and verify_ssl_certificates=true in the replicator section of default.ini; a crash and nothing happens on replication attempts.
Tried increasing ssl_certificate_max_depth to 2 and 3 on both the local.ini[ssl] side and the default.ini[replicator] side, with no apparent effect.
Workaround:
In replicator, specify cert_file and key_file, but leave verify_ssl_certificates = false. Use nginx to verify the client certificates (and serve server SSL if you wish). Replication proceeds with client+server SSL as expected, without having to use a proxy on the sending side. (The downside is that you have to use nginx-- if this feature worked as expected, the use case could be solved in CouchDB alone.)