[jira] Commented: (COUCHDB-665) Replication not possible via IPv6
[ https://issues.apache.org/jira/browse/COUCHDB-665?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13007593#comment-13007593 ]

Michael Stapelberg commented on COUCHDB-665:

You *do* have easy access to an IPv6 environment, just install miredo and you’ll automatically have a working IPv6 tunnel within seconds (provided you’re not behind some very restrictive firewall).

An alternative would be to configure the IPv6 addresses statically between two computers (or between two instances of CouchDB running on different IPs), chosen from the unique local addresses prefix or some example prefix.

> Replication not possible via IPv6
> --
>
> Key: COUCHDB-665
> URL: https://issues.apache.org/jira/browse/COUCHDB-665
> Project: CouchDB
> Issue Type: Bug
> Components: Database Core, Replication
> Affects Versions: 0.10.1
> Environment: Linux x200 2.6.32-2 #2 SMP Wed Feb 17 01:00:03 CET 2010 x86_64 GNU/Linux
> Reporter: Michael Stapelberg
> Priority: Blocker
> Labels: ipv6
> Attachments: couchdb-ipv6.patch, patch
>
> Original Estimate: 0.25h
> Remaining Estimate: 0.25h
>
> I have a host which is only reachable via IPv6. While I can connect to a CouchDB running on this host just fine, I cannot replicate my database to it.
> This is due to the inet6-option missing from the gen_tcp.connect() call. I will attach a patch which fixes the issue.
> To test it, you can use a host which only has an record in the DNS. CouchDB will immediately return 404 if you want to replicate to it unless you add the inet6 option.

--
This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (COUCHDB-665) Replication not possible via IPv6
[ https://issues.apache.org/jira/browse/COUCHDB-665?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Stapelberg updated COUCHDB-665:
---
Attachment: couchdb-ipv6.patch

The new version of the patch does not always add the inet6 option (which only works on systems where /proc/sys/net/ipv6/bindv6only == 0) but checks which kind of hostname this is.

> Replication not possible via IPv6
> --
>
> Key: COUCHDB-665
> URL: https://issues.apache.org/jira/browse/COUCHDB-665
> Project: CouchDB
> Issue Type: Bug
> Components: Database Core, Replication
> Affects Versions: 0.10.1
> Environment: Linux x200 2.6.32-2 #2 SMP Wed Feb 17 01:00:03 CET 2010 x86_64 GNU/Linux
> Reporter: Michael Stapelberg
> Priority: Blocker
> Attachments: couchdb-ipv6.patch, patch
>
> Original Estimate: 0.25h
> Remaining Estimate: 0.25h
>
> I have a host which is only reachable via IPv6. While I can connect to a CouchDB running on this host just fine, I cannot replicate my database to it.
> This is due to the inet6-option missing from the gen_tcp.connect() call. I will attach a patch which fixes the issue.
> To test it, you can use a host which only has an record in the DNS. CouchDB will immediately return 404 if you want to replicate to it unless you add the inet6 option.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Created: (COUCHDB-879) [PATCH] Replication fails due to {stream_to, {self(), once}} parameter
[PATCH] Replication fails due to {stream_to, {self(), once}} parameter
--
Key: COUCHDB-879
URL: https://issues.apache.org/jira/browse/COUCHDB-879
Project: CouchDB
Issue Type: Bug
Components: Replication
Affects Versions: 1.0.1
Environment: Linux midna 2.6.32.8-midna-2 #2 SMP Tue Feb 16 20:27:34 CET 2010 x86_64 GNU/Linux
Reporter: Michael Stapelberg
Attachments: couchdb-replication.patch

When testing replication (with SSL and apache's mod_proxy, so you might need the patch from #878) I noticed that erlang's ssl sometimes needs to send multiple messages. However, due to the {stream_to, {self(), once}} option when calling ibrowse, only the first message gets delivered (which includes only the first chunk). When modifying the option to {stream_to, self()}, replication works fine.

Please thoroughly check the attached patch for side-effects (I'm not sure why {self(), once} was used in the first place).
[jira] Updated: (COUCHDB-879) [PATCH] Replication fails due to {stream_to, {self(), once}} parameter
[ https://issues.apache.org/jira/browse/COUCHDB-879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Stapelberg updated COUCHDB-879:
---
Attachment: couchdb-replication.patch

> [PATCH] Replication fails due to {stream_to, {self(), once}} parameter
> --
>
> Key: COUCHDB-879
> URL: https://issues.apache.org/jira/browse/COUCHDB-879
> Project: CouchDB
> Issue Type: Bug
> Components: Replication
> Affects Versions: 1.0.1
> Environment: Linux midna 2.6.32.8-midna-2 #2 SMP Tue Feb 16 20:27:34 CET 2010 x86_64 GNU/Linux
> Reporter: Michael Stapelberg
> Attachments: couchdb-replication.patch
>
> Original Estimate: 0.5h
> Remaining Estimate: 0.5h
>
> When testing replication (with SSL and apache's mod_proxy, so you might need the patch from #878) I noticed that erlang's ssl sometimes needs to send multiple messages. However, due to the {stream_to, {self(), once}} option when calling ibrowse, only the first message gets delivered (which includes only the first chunk). When modifying the option to {stream_to, self()}, replication works fine.
> Please thoroughly check the attached patch for side-effects (I'm not sure why {self(), once} was used in the first place).
[jira] Updated: (COUCHDB-878) [PATCH] Verify SSL Certificate Chain when doing SSL replication
[ https://issues.apache.org/jira/browse/COUCHDB-878?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Stapelberg updated COUCHDB-878:
---
Attachment: couchdb-ssl-verify-chain.patch

> [PATCH] Verify SSL Certificate Chain when doing SSL replication
> ---
>
> Key: COUCHDB-878
> URL: https://issues.apache.org/jira/browse/COUCHDB-878
> Project: CouchDB
> Issue Type: Improvement
> Components: Replication
> Affects Versions: 1.0.1
> Reporter: Michael Stapelberg
> Attachments: couchdb-ssl-verify-chain.patch
>
> When doing an SSL replication, CouchDB does not check the certificate chain. This renders the SSL support absolutely useless since an attacker who is in the position of doing man-in-the-middle attacks can send an invalid certificate and get all my data (push replication).
> The attached patch passes a verify_fun in ssl_options to ibrowse in order to validate the certificate path. Two new configuration options are introduced: ssl.verify (bool) and ssl.cacertfile (string). Set the latter to a PEM file containing the root CA for your certificate.
> Documentation updates are not included in the patch. Also, error handling is not included (only io:fwrite is used).
[jira] Created: (COUCHDB-878) [PATCH] Verify SSL Certificate Chain when doing SSL replication
[PATCH] Verify SSL Certificate Chain when doing SSL replication
---
Key: COUCHDB-878
URL: https://issues.apache.org/jira/browse/COUCHDB-878
Project: CouchDB
Issue Type: Improvement
Components: Replication
Affects Versions: 1.0.1
Reporter: Michael Stapelberg

When doing an SSL replication, CouchDB does not check the certificate chain. This renders the SSL support absolutely useless since an attacker who is in the position of doing man-in-the-middle attacks can send an invalid certificate and get all my data (push replication).

The attached patch passes a verify_fun in ssl_options to ibrowse in order to validate the certificate path. Two new configuration options are introduced: ssl.verify (bool) and ssl.cacertfile (string). Set the latter to a PEM file containing the root CA for your certificate.

Documentation updates are not included in the patch. Also, error handling is not included (only io:fwrite is used).
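
How the two settings named in COUCHDB-878 could map onto Erlang ssl options handed to ibrowse, with the unverified case beside the verified one. This is an added example, not the attached patch or CouchDB code; the module, function and proplist key names are hypothetical, and it assumes a current Erlang/OTP release and a DNS name (not an IP literal) as Host.

```erlang
%% Added example, not the attached patch. Module, function and proplist
%% key names are hypothetical; the ssl options are standard Erlang/OTP.
-module(repl_ssl_example).
-export([ssl_options/2, ibrowse_options/2]).

%% Config stands in for the two settings the issue introduces:
%%   {verify, boolean()} and {cacertfile, string()}.
ssl_options(Host, Config) ->
    case proplists:get_value(verify, Config, false) of
        false ->
            %% Behaviour the issue describes: any certificate is accepted.
            [{verify, verify_none}];
        true ->
            case proplists:get_value(cacertfile, Config) of
                undefined ->
                    %% Fail closed instead of silently skipping validation.
                    erlang:error(ssl_verify_without_cacertfile);
                CaFile ->
                    [{verify, verify_peer},
                     {cacertfile, CaFile},
                     {depth, 3},
                     %% Sent as SNI; current OTP releases also use it
                     %% when checking the name in the peer certificate.
                     {server_name_indication, Host},
                     {verify_fun, {fun verify_cert/3, []}}]
            end
    end.

%% Reject on any path validation error, leave unknown extensions to the
%% default handling, accept certificates that passed validation.
verify_cert(_Cert, {bad_cert, Reason}, _State) -> {fail, Reason};
verify_cert(_Cert, {extension, _}, State)      -> {unknown, State};
verify_cert(_Cert, valid, State)               -> {valid, State};
verify_cert(_Cert, valid_peer, State)          -> {valid, State}.

%% Options list in the shape ibrowse takes for an HTTPS request.
ibrowse_options(Host, Config) ->
    [{is_ssl, true}, {ssl_options, ssl_options(Host, Config)}].
```

Raising an error when verification is enabled without a CA file keeps a misconfiguration from degrading into an unverified connection.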
Please fix #665 for CouchDB 1.0
Hi!

Before the release of CouchDB 1.0, it would be great if you could fix #665. The patch is very simple, as it is just the missing 'inet6' option which prevents replication from working via IPv6. Merging/testing the patch is also very simple and should not take longer than 15 minutes.

If you have any questions, please just ask (and please CC me, as I am not on this list).

Best regards,
Michael
[jira] Created: (COUCHDB-672) info-message contains invalid URL when using IPv6
info-message contains invalid URL when using IPv6
-
Key: COUCHDB-672
URL: https://issues.apache.org/jira/browse/COUCHDB-672
Project: CouchDB
Issue Type: Improvement
Affects Versions: 0.10
Environment: Linux midna 2.6.32.8-midna-2 #2 SMP Tue Feb 16 20:27:34 CET 2010 x86_64 GNU/Linux
Reporter: Michael Stapelberg

When starting, CouchDB prints the following message:

    [info] [<0.1.0>] Apache CouchDB has started on http://:::5985/

As you can see, I am listening on ::, the equivalent to 0.0.0.0 on IPv4. However, in URLs, you got to use square brackets around the IPv6 address to make the program able to distinguish IP and port. Thus, the URL has to look like this:

    http://[::]:5985/
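
The hostname-kind check mentioned in the COUCHDB-665 update and the bracketed URL asked for in COUCHDB-672, as an added Erlang example (not the attached patches or CouchDB code; the module and function names are hypothetical). Host is assumed to be a string, and trying IPv4 before IPv6 for DNS names is a choice made here.

```erlang
%% Added example, not CouchDB code. Names are hypothetical.
-module(ipv6_example).
-export([connect_family/1, base_url/2]).

%% Returns the address-family option (inet | inet6) to put in the
%% option list of gen_tcp:connect/3 or ssl:connect/3 for Host.
connect_family(Host) ->
    case inet:parse_address(Host) of
        {ok, {_, _, _, _}} ->
            inet;                       % IPv4 literal
        {ok, {_, _, _, _, _, _, _, _}} ->
            inet6;                      % IPv6 literal
        {error, einval} ->
            %% A DNS name: use IPv4 if it resolves, otherwise try IPv6
            %% so that a host reachable only via IPv6 still works.
            case inet:getaddr(Host, inet) of
                {ok, _} ->
                    inet;
                {error, _} ->
                    case inet:getaddr(Host, inet6) of
                        {ok, _} -> inet6;
                        {error, Reason} ->
                            erlang:error({unresolvable, Host, Reason})
                    end
            end
    end.

%% Builds the URL for a startup message. IPv6 literals are wrapped in
%% square brackets so the port stays distinguishable from the address:
%% base_url("::", 5985) gives "http://[::]:5985/".
base_url(Host, Port) ->
    HostPart = case inet:parse_address(Host) of
                   {ok, {_, _, _, _, _, _, _, _}} -> "[" ++ Host ++ "]";
                   _ -> Host
               end,
    lists:flatten(io_lib:format("http://~s:~B/", [HostPart, Port])).
```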
[jira] Commented: (COUCHDB-665) Replication not possible via IPv6
[ https://issues.apache.org/jira/browse/COUCHDB-665?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12837241#action_12837241 ]

Michael Stapelberg commented on COUCHDB-665:

I forgot to mention that replication works via IPv6 *and* IPv4 after this patch.

> Replication not possible via IPv6
> --
>
> Key: COUCHDB-665
> URL: https://issues.apache.org/jira/browse/COUCHDB-665
> Project: CouchDB
> Issue Type: Bug
> Components: Database Core, Replication
> Affects Versions: 0.10.1
> Environment: Linux x200 2.6.32-2 #2 SMP Wed Feb 17 01:00:03 CET 2010 x86_64 GNU/Linux
> Reporter: Michael Stapelberg
> Attachments: patch
>
> Original Estimate: 0.25h
> Remaining Estimate: 0.25h
>
> I have a host which is only reachable via IPv6. While I can connect to a CouchDB running on this host just fine, I cannot replicate my database to it.
> This is due to the inet6-option missing from the gen_tcp.connect() call. I will attach a patch which fixes the issue.
> To test it, you can use a host which only has an record in the DNS. CouchDB will immediately return 404 if you want to replicate to it unless you add the inet6 option.
[jira] Updated: (COUCHDB-665) Replication not possible via IPv6
[ https://issues.apache.org/jira/browse/COUCHDB-665?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Stapelberg updated COUCHDB-665:
---
Attachment: patch

Adds inet6 to ssl:connect() and gen_tcp:connect() to enable replication via IPv6

> Replication not possible via IPv6
> --
>
> Key: COUCHDB-665
> URL: https://issues.apache.org/jira/browse/COUCHDB-665
> Project: CouchDB
> Issue Type: Bug
> Components: Database Core, Replication
> Affects Versions: 0.10.1
> Environment: Linux x200 2.6.32-2 #2 SMP Wed Feb 17 01:00:03 CET 2010 x86_64 GNU/Linux
> Reporter: Michael Stapelberg
> Attachments: patch
>
> Original Estimate: 0.25h
> Remaining Estimate: 0.25h
>
> I have a host which is only reachable via IPv6. While I can connect to a CouchDB running on this host just fine, I cannot replicate my database to it.
> This is due to the inet6-option missing from the gen_tcp.connect() call. I will attach a patch which fixes the issue.
> To test it, you can use a host which only has an record in the DNS. CouchDB will immediately return 404 if you want to replicate to it unless you add the inet6 option.
[jira] Created: (COUCHDB-665) Replication not possible via IPv6
Replication not possible via IPv6
--
Key: COUCHDB-665
URL: https://issues.apache.org/jira/browse/COUCHDB-665
Project: CouchDB
Issue Type: Bug
Components: Database Core, Replication
Affects Versions: 0.10.1
Environment: Linux x200 2.6.32-2 #2 SMP Wed Feb 17 01:00:03 CET 2010 x86_64 GNU/Linux
Reporter: Michael Stapelberg

I have a host which is only reachable via IPv6. While I can connect to a CouchDB running on this host just fine, I cannot replicate my database to it.

This is due to the inet6-option missing from the gen_tcp.connect() call. I will attach a patch which fixes the issue.

To test it, you can use a host which only has an record in the DNS. CouchDB will immediately return 404 if you want to replicate to it unless you add the inet6 option.