6 changes: 5 additions & 1 deletion src/chttpd/src/chttpd.erl
Expand Up @@ -105,6 +105,8 @@ start_link(https) ->
Port = config:get("ssl", "port", "6984"),
{ok, Ciphers} = couch_util:parse_term(config:get("ssl", "ciphers", "undefined")),
{ok, Versions} = couch_util:parse_term(config:get("ssl", "tls_versions", "undefined")),
{ok, SignatureAlgs} = couch_util:parse_term(config:get("ssl", "signature_algs", "undefined")),
{ok, NamedCurves} = couch_util:parse_term(config:get("ssl", "ecc_curves", "undefined")),
{ok, SecureRenegotiate} = couch_util:parse_term(
config:get("ssl", "secure_renegotiate", "undefined")
),
Expand All @@ -116,7 +118,9 @@ start_link(https) ->
{password, config:get("ssl", "password", undefined)},
{secure_renegotiate, SecureRenegotiate},
{versions, Versions},
{ciphers, Ciphers}
{ciphers, Ciphers},
{signature_algs, SignatureAlgs},
{eccs, NamedCurves}
],

case
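Review bot: The new `{signature_algs, SignatureAlgs}` and `{eccs, NamedCurves}` entries inherit the `"undefined"` default from `config:get`, so when the keys are unset `couch_util:parse_term` yields the atom `undefined` and the option list carries `{signature_algs, undefined}` and `{eccs, undefined}`; the existing `versions`/`ciphers` entries follow the same pattern, so presumably the list is filtered for `undefined` values further down start_link(https), but if that filter does not cover these entries the ssl library will reject them when the listener starts, which is worth confirming. The three names for one setting — config key `ecc_curves`, variable `NamedCurves`, ssl option `eccs` — make the mapping hard to follow for the next reader; a comment on the config line such as `%% [ssl] ecc_curves -> ssl option 'eccs' (list of named curves, e.g. x25519)` would help. start_link(https) begins above the first hunk and continues past the second.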
28 changes: 21 additions & 7 deletions src/docs/src/config/http.rst
Expand Up @@ -326,12 +326,12 @@ HTTP Server Options

.. _config/ssl:

HTTPS (SSL/TLS) Options
HTTPS (TLS) Options
=======================

.. config:section:: ssl :: HTTPS (SSL/TLS) Options
.. config:section:: ssl :: HTTPS (TLS) Options

CouchDB supports TLS/SSL natively, without the use of a proxy server.
CouchDB supports TLS natively, without the use of a proxy server.

HTTPS setup can be tricky, but the configuration in CouchDB was designed to
be as easy as possible. All you need is two files; a certificate and a
Expand Down Expand Up @@ -471,7 +471,7 @@ HTTPS (SSL/TLS) Options

.. config:option:: fail_if_no_peer_cert :: Require presence of client certificate if certificate verification is enabled

Set to ``true`` to terminate the TLS/SSL handshake with a
Set to ``true`` to terminate the TLS handshake with a
``handshake_failure`` alert message if the client does not send a
certificate. Only used if ``verify_ssl_certificates`` is ``true``. If set
to ``false`` it will only fail if the client sends an invalid certificate
Expand All @@ -497,12 +497,26 @@ HTTPS (SSL/TLS) Options
[ssl]
ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]

.. config:option:: tls_versions :: Specify permitted server SSL/TLS protocol versions
.. config:option:: tls_versions :: Specify permitted server TLS protocol versions

Set to a list of permitted SSL/TLS protocol versions::
Set to a list of permitted TLS protocol versions::

[ssl]
tls_versions = [tlsv1 | 'tlsv1.1' | 'tlsv1.2']
tls_versions = ['tlsv1.2']

.. config:option:: signature_algs :: Specify signature algorithms

Set to a list of permitted TLS signature algorithms::

[ssl]
signature_algs = [{sha512,ecdsa}]

.. config:option:: ecc_curves :: Specify permitted ECC curves

Set to a list of permitted ECC curves::

[ssl]
ecc_curves = [x25519]

.. _cors:
.. _config/cors: