Details
- Bug
- Resolution: Fixed
- Major
- 2.8.0
- Security Level: Public
- CBG Sprint 84
- 2
Description
The cacert-only support for DCP added with CBG-738 hits a limitation in the go-couchbase TLS implementation: go-couchbase only supports setting a cacert when x.509 client authentication is also configured, and returns an error if cacert is set on its own.
Until we move to gocb's DCP client in Lithium, we should avoid attempting to use cacert only for DCP. There's still value in supporting cacert-only for Sync Gateway in general, as it's used for the kv/memcached connection, and properly validates the cert on that path. In the case where cacert is set without keypath/certpath, use the SDK connection to verify the server's TLS certificate, and skip verification for the DCP feed.
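The distinction the description relies on, cacert alone (verify the server's certificate, present no client certificate) versus cacert plus certpath/keypath (mutual x.509 auth), is shown below as an added example in plain Go using only crypto/tls and crypto/x509. It is not Sync Gateway, go-couchbase or gocb code; the function names, the TLSMode type and the self-signed test CA are assumptions made for the illustration. It validates the three settings the same way a config loader would, builds the server-verifying config for the SDK path, and records whether the DCP feed can verify the server under the workaround (only in x.509 mode). The generated CA is constructed test data so the block runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TLSMode classifies the operator-supplied cert settings (assumed type, not a Sync Gateway API).
type TLSMode int

const (
	TLSNone       TLSMode = iota // no cacert: plain connection
	TLSCACertOnly                // cacert set: verify the server, present no client cert
	TLSX509                      // cacert + certpath + keypath: mutual TLS
)

// ClassifyTLS mirrors the issue's distinction: cacert alone is a valid
// server-verification setting, while a client certificate needs both halves.
func ClassifyTLS(caCertPEM, certPEM, keyPEM []byte) (TLSMode, error) {
	hasCert, hasKey := len(certPEM) > 0, len(keyPEM) > 0
	if hasCert != hasKey {
		return TLSNone, errors.New("certpath and keypath must be set together")
	}
	if hasCert && len(caCertPEM) == 0 {
		return TLSNone, errors.New("x.509 client auth requires a cacert to verify the server")
	}
	switch {
	case hasCert:
		return TLSX509, nil
	case len(caCertPEM) > 0:
		return TLSCACertOnly, nil
	}
	return TLSNone, nil
}

// BuildTLSConfig produces the crypto/tls config used on the SDK (kv/memcached) path.
// In both TLS modes RootCAs is populated, so the server certificate is verified.
func BuildTLSConfig(caCertPEM, certPEM, keyPEM []byte) (*tls.Config, TLSMode, error) {
	mode, err := ClassifyTLS(caCertPEM, certPEM, keyPEM)
	if err != nil || mode == TLSNone {
		return nil, mode, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caCertPEM) {
		return nil, mode, errors.New("cacert contains no parseable certificates")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if mode == TLSX509 {
		pair, err := tls.X509KeyPair(certPEM, keyPEM)
		if err != nil {
			return nil, mode, fmt.Errorf("loading client cert: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, mode, nil
}

// DCPVerifiesServer reports whether the DCP feed verifies the server certificate
// under the workaround in the issue: only when x.509 client auth is configured.
func DCPVerifiesServer(mode TLSMode) bool { return mode == TLSX509 }

// SampleCACertPEM builds a throwaway self-signed CA so the example runs offline (constructed test data).
func SampleCACertPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-test-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	ca, _ := SampleCACertPEM()
	cfg, mode, err := BuildTLSConfig(ca, nil, nil)
	fmt.Println("cacert-only:", mode, err, cfg != nil, "dcp verifies:", DCPVerifiesServer(mode))
	_, _, err = BuildTLSConfig(ca, []byte("cert-without-key"), nil)
	fmt.Println("certpath without keypath:", err)
}
```

The point to take from the classification is that the cacert-only configuration is not a degraded one on the SDK path: RootCAs is set and server verification happens. Only the DCP side, which cannot take a cacert without a client key pair until the gocb DCP client arrives, loses that check, and DCPVerifiesServer makes that gap explicit rather than silent.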