Hi,

> 1) The replicator allows ssl connections to hosts with self-signed
> certificates by default, obviating the security of the protocol. Since
> this is the OTP default (seriously), we probably want to get a patch
> upstream as well.
There is a patch for this here: https://issues.apache.org/jira/browse/COUCHDB-878

I have a local patch which folds this verification function with the added ability for SSL replication sessions to be authenticated by a key / cert pair; I haven't had a chance to test it though (waiting on our authenticating front-end to be set up) so haven't submitted the patch. If somebody is willing to test it, I can open up a ticket with the patch.

As essentially the patch builds SSL parameters for the http_db objects which get passed around the replicator, it made sense to factor the verification and SSL certification stuff into one 'get_ssl_parameters' function.

Regards,
James.
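The shape of such a `get_ssl_parameters` function, as an added illustration that is not the patch James describes nor CouchDB's own code: it shows the weak default (OTP's `verify_none`, which accepts self-signed certificates) next to the corrected peer verification, plus the optional client key / cert pair. The module name, the proplist keys (`ssl_verify`, `cacertfile`, `certfile`, `keyfile`, `ssl_depth`) and the file paths are assumptions; the ssl option tuples themselves (`verify`, `cacertfile`, `certfile`, `keyfile`, `depth`) are standard OTP `ssl` options.

```erlang
%% Added example, not CouchDB code: build the ssl option list for an
%% outbound replication connection. Config is an assumed proplist:
%%   {ssl_verify, true | false}  verify the server certificate chain
%%   {cacertfile, Path}          CA bundle (PEM) used for verification
%%   {certfile, Path}            optional client certificate (PEM)
%%   {keyfile, Path}             optional client private key (PEM)
%%   {ssl_depth, N}              max chain length accepted (default 3)
-module(ssl_params_example).
-export([get_ssl_parameters/1]).

get_ssl_parameters(Config) ->
    Verify = proplists:get_value(ssl_verify, Config, true),
    verify_opts(Verify, Config) ++ client_cert_opts(Config).

%% OTP's own default is verify_none, which accepts any certificate,
%% self-signed included. Here verification is on unless explicitly
%% disabled, and enabling it without a CA bundle is treated as an error
%% rather than silently falling back to no verification.
verify_opts(false, _Config) ->
    [{verify, verify_none}];
verify_opts(true, Config) ->
    case proplists:get_value(cacertfile, Config) of
        undefined ->
            erlang:error({missing_option, cacertfile});
        CaFile ->
            [{verify, verify_peer},
             {cacertfile, CaFile},
             {depth, proplists:get_value(ssl_depth, Config, 3)}]
    end.

%% Client authentication: only emit the pair when both halves are set;
%% half a pair is a configuration mistake worth failing loudly on.
client_cert_opts(Config) ->
    case {proplists:get_value(certfile, Config),
          proplists:get_value(keyfile, Config)} of
        {undefined, undefined} ->
            [];
        {Cert, Key} when Cert =/= undefined, Key =/= undefined ->
            [{certfile, Cert}, {keyfile, Key}];
        Partial ->
            erlang:error({incomplete_client_cert, Partial})
    end.

%% Constructed sample usage:
%%   ssl_params_example:get_ssl_parameters(
%%       [{cacertfile, "/etc/couchdb/ca.pem"},
%%        {certfile,   "/etc/couchdb/replicator.crt"},
%%        {keyfile,    "/etc/couchdb/replicator.key"}]).
%% yields
%%   [{verify, verify_peer}, {cacertfile, "/etc/couchdb/ca.pem"}, {depth, 3},
%%    {certfile, "/etc/couchdb/replicator.crt"},
%%    {keyfile, "/etc/couchdb/replicator.key"}]
```

The returned list is what an HTTP client such as ibrowse takes via its `{ssl_options, Opts}` request option (together with `{is_ssl, true}`). One caveat when reviewing a patch like this: `verify_peer` checks that the chain leads to a trusted CA, but whether the certificate's name is also matched against the host being connected to depends on the OTP release and on `server_name_indication`, so that check is worth confirming separately rather than assumed.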