  1. Couchbase Gateway
  2. CBG-1362

Fix cacert-only handling for DCP connection


Details

    • Bug
    • Resolution: Fixed
    • Major
    • 2.8.3
    • 2.8.0
    • SyncGateway
    • Security Level: Public
    • CBG Sprint 84
    • 2

    Description

      The cacert-only support for DCP added with CBG-738 hits a limitation in the go-couchbase TLS implementation. go-couchbase only supports setting a cacert when X.509 authentication is being used, and throws an error if cacert alone is set.

      Until we move to gocb's DCP client in Lithium, we should avoid attempting to use cacert only for DCP.  There's still value in supporting cacert-only for Sync Gateway in general, as it's used for the kv/memcached connection, and properly validates the cert on that path.  In the case where cacert is set without keypath/certpath, use the SDK connection to verify the server's TLS certificate, and skip verification for the DCP feed.


          People

            isaac.lambat Isaac Lambat
            adamf Adam Fraser