Author: fdmanana
Date: Tue Nov 30 12:22:47 2010
New Revision: 1040490

URL: http://svn.apache.org/viewvc?rev=1040490&view=rev
Log:
Backport COUCHDB-491 into the new replicator (replicator SSL options).

Modified:
    couchdb/branches/new_replicator/etc/couchdb/default.ini.tpl.in
    couchdb/branches/new_replicator/src/couchdb/couch_api_wrap.hrl
    couchdb/branches/new_replicator/src/couchdb/couch_api_wrap_httpc.erl
    couchdb/branches/new_replicator/src/couchdb/couch_replicator_utils.erl

Modified: couchdb/branches/new_replicator/etc/couchdb/default.ini.tpl.in
URL: 
http://svn.apache.org/viewvc/couchdb/branches/new_replicator/etc/couchdb/default.ini.tpl.in?rev=1040490&r1=1040489&r2=1040490&view=diff
==============================================================================
--- couchdb/branches/new_replicator/etc/couchdb/default.ini.tpl.in (original)
+++ couchdb/branches/new_replicator/etc/couchdb/default.ini.tpl.in Tue Nov 30 
12:22:47 2010
@@ -119,4 +119,10 @@ compressible_types = text/*, application
 ; should be at least 2
 worker_processes = 10
 ; the maximum number of TCP connections to use against a single server
-max_connections_per_server = 100
\ No newline at end of file
+max_connections_per_server = 100
+; set to true to validate peer certificates
+verify_ssl_certificates = false
+; file containing a list of peer trusted certificates (PEM format)
+; ssl_trusted_certificates_file = /etc/ssl/certs/ca-certificates.crt
+; maximum peer certificate depth (must be set even if certificate validation 
is off)
+ssl_certificate_max_depth = 3
\ No newline at end of file
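Review bot: The comment on `verify_ssl_certificates` does not say what the shipped `false` means: with it off the replicator accepts whatever certificate an https peer presents, and the `ssl_trusted_certificates_file` entry two lines below must be uncommented and point at a CA bundle before switching it to `true` can work. Spelling that out on the key would make the dependency explicit, e.g. `; set to true to validate peer certificates (requires ssl_trusted_certificates_file below); false accepts any certificate`.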

Modified: couchdb/branches/new_replicator/src/couchdb/couch_api_wrap.hrl
URL: 
http://svn.apache.org/viewvc/couchdb/branches/new_replicator/src/couchdb/couch_api_wrap.hrl?rev=1040490&r1=1040489&r2=1040490&view=diff
==============================================================================
--- couchdb/branches/new_replicator/src/couchdb/couch_api_wrap.hrl (original)
+++ couchdb/branches/new_replicator/src/couchdb/couch_api_wrap.hrl Tue Nov 30 
12:22:47 2010
@@ -18,6 +18,7 @@
     headers = [],
     timeout = 30000,    % milliseconds
     proxy_options = [],
+    ssl_options = [],
     retries = 10,
     wait = 250          % milliseconds
 }).
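Review bot: The added `ssl_options` field is the only one in this record tail without a comment, while `timeout` and `wait` document their units; since the list is spliced straight into the ibrowse option list, a short note on its shape would help, e.g. `ssl_options = [],   % ibrowse options, e.g. [{is_ssl, true}, {ssl_options, [...]}]`. The record definition starts outside the hunk.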

Modified: couchdb/branches/new_replicator/src/couchdb/couch_api_wrap_httpc.erl
URL: 
http://svn.apache.org/viewvc/couchdb/branches/new_replicator/src/couchdb/couch_api_wrap_httpc.erl?rev=1040490&r1=1040489&r2=1040490&view=diff
==============================================================================
--- couchdb/branches/new_replicator/src/couchdb/couch_api_wrap_httpc.erl 
(original)
+++ couchdb/branches/new_replicator/src/couchdb/couch_api_wrap_httpc.erl Tue 
Nov 30 12:22:47 2010
@@ -56,7 +56,8 @@ send_req(#httpdb{headers = BaseHeaders} 
     IbrowseOptions = [
         {response_format, binary}, {inactivity_timeout, HttpDb#httpdb.timeout},
         {socket_options, [{reuseaddr, true}, {keepalive, true}]}
-        | get_value(ibrowse_options, Params, []) ++ HttpDb#httpdb.proxy_options
+        | HttpDb#httpdb.proxy_options ++ HttpDb#httpdb.ssl_options ++
+            get_value(ibrowse_options, Params, [])
     ],
     Headers2 = oauth_header(HttpDb, Params) ++ Headers1,
     Url = full_url(HttpDb, Params),
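Review bot: The new order changes which side wins when the same key appears both in `HttpDb#httpdb.proxy_options`/`ssl_options` and in the per-request `ibrowse_options` from Params: previously the per-request options came first, now the httpdb-level ones do, so if ibrowse picks the first matching key (which I believe it does) a caller can no longer override the proxy or SSL settings per request. If that precedence is intended, a comment would stop someone from "fixing" it back, e.g. `% httpdb proxy/ssl options come first so per-request ibrowse_options cannot override them`. send_req continues outside the hunk.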

Modified: couchdb/branches/new_replicator/src/couchdb/couch_replicator_utils.erl
URL: 
http://svn.apache.org/viewvc/couchdb/branches/new_replicator/src/couchdb/couch_replicator_utils.erl?rev=1040490&r1=1040489&r2=1040490&view=diff
==============================================================================
--- couchdb/branches/new_replicator/src/couchdb/couch_replicator_utils.erl 
(original)
+++ couchdb/branches/new_replicator/src/couchdb/couch_replicator_utils.erl Tue 
Nov 30 12:22:47 2010
@@ -128,7 +128,8 @@ parse_rep_db({Props}, ProxyParams) ->
         url = Url,
         oauth = OAuth,
         headers = Headers,
-        proxy_options = ProxyParams
+        proxy_options = ProxyParams,
+        ssl_options = ssl_params(Url)
     };
 parse_rep_db(<<"http://";, _/binary>> = Url, ProxyParams) ->
     parse_rep_db({[{<<"url">>, Url}]}, ProxyParams);
@@ -189,3 +190,30 @@ parse_proxy_params(ProxyUrl) ->
             [{proxy_user, User}, {proxy_password, Passwd}]
         end.
 
+
+ssl_params(Url) ->
+    case ibrowse_lib:parse_url(Url) of
+    #url{protocol = https} ->
+        Depth = list_to_integer(
+            couch_config:get("replicator", "ssl_certificate_max_depth", "3")
+        ),
+        VerifyCerts = couch_config:get("replicator", 
"verify_ssl_certificates"),
+        SslOpts = [{depth, Depth} | ssl_verify_options(VerifyCerts =:= 
"true")],
+        [{is_ssl, true}, {ssl_options, SslOpts}];
+    #url{protocol = http} ->
+        []
+    end.
+
+ssl_verify_options(Value) ->
+    ssl_verify_options(Value, erlang:system_info(otp_release)).
+
+ssl_verify_options(true, OTPVersion) when OTPVersion >= "R14" ->
+    CAFile = couch_config:get("replicator", "ssl_trusted_certificates_file"),
+    [{verify, verify_peer}, {cacertfile, CAFile}];
+ssl_verify_options(false, OTPVersion) when OTPVersion >= "R14" ->
+    [{verify, verify_none}];
+ssl_verify_options(true, _OTPVersion) ->
+    CAFile = couch_config:get("replicator", "ssl_trusted_certificates_file"),
+    [{verify, 2}, {cacertfile, CAFile}];
+ssl_verify_options(false, _OTPVersion) ->
+    [{verify, 0}].
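Review bot: `couch_config:get("replicator", "verify_ssl_certificates")` is read without a default, so if the key is missing from the ini it yields `undefined`, the `=:= "true"` test is false and the connection silently falls back to `verify_none`; the depth lookup just above passes an explicit `"3"`, so for consistency and an explicit default this should be `couch_config:get("replicator", "verify_ssl_certificates", "false")`. When verification is on but `ssl_trusted_certificates_file` is unset (it ships commented out in default.ini), `CAFile` is `undefined` and `{cacertfile, undefined}` only surfaces as an opaque ssl error at connect time, so checking for `undefined` in the `true` clauses and raising a descriptive error would make the misconfiguration obvious. The `OTPVersion >= "R14"` guards are plain string comparisons that rely on the release name starting with `R`; a release string without that prefix would compare lower and select the numeric `{verify, 2}`/`{verify, 0}` forms, so that assumption deserves a comment.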

