@rnewson
Member

@rnewson rnewson commented Sep 2, 2024

Overview

Allow configuration of signature algorithms and allowed ECC curves

Testing recommendations

Related Issues or Pull Requests

closes #5211

Checklist

  • Code is written and works correctly
  • Changes are covered by tests
  • Any new configurable parameters are documented in rel/overlay/etc/default.ini
  • Documentation changes were made in the src/docs folder
  • Documentation changes were backported (separated PR) to affected branches

Contributor

@big-r81 big-r81 left a comment

Nice!

+1

@big-r81
Contributor

big-r81 commented Sep 2, 2024

@rnewson Should we add some sensitive and safe defaults in default.ini?

@rnewson
Member Author

rnewson commented Sep 2, 2024

No, I think let erlang/OTP version + mochiweb determine the default, and then a simple override.

We could submit a PR to mochiweb though, its defaults and notion of what is currently "safe" or not "broken" is quite out of date: https://github.com/mochi/mochiweb/blob/611254eb941e502227f221667389b98fd8e72d6f/src/mochiweb_socket.erl#L58

@rnewson rnewson merged commit 63c9113 into main Sep 3, 2024
@rnewson rnewson deleted the tls-server-options branch September 3, 2024 15:36
@nsthakur7

nsthakur7 commented Sep 3, 2024

Thank you, Robert, for actioning the fix so quickly. Any clue when this fix will be released and which version(s) of CouchDB have this fix?

Development

Successfully merging this pull request may close these issues.

QID-38863 | Weak SSL/TLS Key Exchange - can't find a way to specify strong TLS/SSL exchange key - ECC curves

4 participants