It's probably for a good reason: Erlang < 25 doesn't even have a good way to load OS-provided CAs. Only starting with Erlang 25 do we have public_key:cacerts_get(). The certificates are loaded and cached in a permanent literal term and then they can be easily used as:
The enhancement would be to make TLS peer verification a bit more ergonomic, making it easy to use OS-provided CAs. We could backport the Erlang 25 cert loading code onto a compat couch_util function until Erlang 25+ is the minimum required OTP version.
Another option is to use certify, but that's another dependency to bring in and since Erlang already plans on providing the feature might as well use the OTP solution.
As for how to configure it, perhaps we could have a special ssl_trusted_certificates_file value indicating we want to load the OS-provided CAs, or a separate config option like ssl_use_os_certificates = true | false. Maybe even allow appending the user's trusted CA certificates to the OS ones?
By default replicator TLS connections do not verify the TLS peer certificates
Referenced code: couchdb/src/couch_replicator/src/couch_replicator_parse.erl, lines 474 to 478 at commit f8d489f
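The approach the issue proposes, as an added example that is not CouchDB's or OTP's own code: build ssl client options that verify the peer against the OS trust store via public_key:cacerts_get() when that function exists (OTP 25+), and fall back to a caller-supplied PEM bundle on older releases. The module name tls_verify_example, the function names and the fallback PemFile argument are assumptions made for this illustration.

```erlang
%% Added example (not CouchDB or OTP code). Builds ssl options that verify
%% the remote certificate instead of the default of not verifying at all.
-module(tls_verify_example).
-export([ssl_opts/1, ssl_opts/2, connect/3]).

%% Host is needed both for SNI and for hostname verification.
ssl_opts(Host) ->
    ssl_opts(Host, undefined).

%% PemFile (assumed argument) is a path to a CA bundle used only when the
%% OTP release cannot hand us the OS-provided CAs.
ssl_opts(Host, PemFile) ->
    ca_opts(PemFile) ++
        [{verify, verify_peer},                 %% reject unverifiable peers
         {server_name_indication, Host},        %% SNI, must be a string
         {depth, 3},                            %% max intermediate chain length
         {customize_hostname_check,
          [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].

%% Pick the CA source: OS trust store on OTP 25+, otherwise the PEM bundle.
ca_opts(PemFile) ->
    _ = code:ensure_loaded(public_key),
    case erlang:function_exported(public_key, cacerts_get, 0) of
        true when PemFile =:= undefined ->
            %% OTP 25+: OS CAs, loaded once and cached by OTP as a literal
            %% term; the returned list is accepted directly by the cacerts option.
            [{cacerts, public_key:cacerts_get()}];
        _ when is_list(PemFile) ->
            %% Pre-25 path (or explicit override): a PEM bundle on disk.
            [{cacertfile, PemFile}];
        _ ->
            %% Refusing to connect is safer than silently skipping verification.
            erlang:error({no_trusted_cas, otp_25_or_pem_file_required})
    end.

%% Connect and report the negotiated protocol; a failed chain or hostname
%% check surfaces here as {error, {tls_alert, _}} rather than as a working
%% but unverified connection.
connect(Host, Port, PemFile) ->
    Opts = ssl_opts(Host, PemFile),
    case ssl:connect(Host, Port, Opts, 10000) of
        {ok, Sock} ->
            {ok, Info} = ssl:connection_information(Sock, [protocol]),
            ok = ssl:close(Sock),
            {ok, Info};
        {error, Reason} ->
            {error, Reason}
    end.
```

Usage: `ssl:start(), tls_verify_example:connect("example.com", 443, undefined).` on OTP 25+ uses the OS CAs; on older releases pass a bundle path such as "/etc/ssl/certs/ca-certificates.crt" as the third argument. The `verify_peer` and hostname-check options are the part that actually closes the gap the issue describes; supplying CAs without them still leaves the peer unverified.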