  1. Couchbase Gateway
  2. CBG-1337

Add an option to skip SSL certificates verification while loading JavaScript from HTTPS endpoints


Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 3.0
    • 3.0
    • SyncGateway
    • Security Level: Public
    • None
    • CBG Sprint 68, CBG Sprint 69, CBG Sprint 70
    • 3

    Description

      Sync Gateway supports loading JavaScript content from external HTTP/HTTPS endpoints. In the case of an HTTPS endpoint, the underlying SSL connection is, by default, secured using the CA certificate bundle installed on the SG node. This means that you may encounter an SSL verification error when you try to load JavaScript from external HTTPS endpoints whose SSL certificates are misconfigured, expired, or self-signed. We should have a mechanism to force SG to ignore the certificate errors by specifying the remote_config_tls_skip_verify option in the database configuration. When the remote_config_tls_skip_verify option is set, SG should ignore the SSL checks when initiating the connection, and you should be able to bypass any SSL error that an external JavaScript endpoint might have.


        Activity

          build-team Couchbase Build Team added a comment - Build sync_gateway-3.0.0-166 contains sync_gateway commit e684798 with commit message: CBG-1337 Add an option to skip TLS certificates verification while loading JavaScript from HTTPS endpoints (#4977)

          sarath.kumarsivan Sarath Kumar Sivan (Inactive) added a comment (edited) - Today we’ve two multiple configurations for enabling self-signed certificates, and introducing another option doesn’t seem to be a good approach. Need to review the feasibility of setting this option globally and overriding it at the feature level if that’s needed. We also want to see how the same feature is handled in other applications and what the common best practices are. Checking how to accept self-signed certificates at the OS level is also useful.
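
The trade-off raised in this ticket, as an added Go example that is not Sync Gateway's own code: the same self-signed HTTPS endpoint fetched with default verification, with verification skipped, and with only that endpoint's certificate trusted. fetchJS and compareTLSModes are hypothetical names, the sync function body and the local test server are constructed, and it is an assumption that remote_config_tls_skip_verify behaves like Go's InsecureSkipVerify.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// fetchJS is a hypothetical helper: it loads a JavaScript body over HTTPS
// using the supplied TLS client settings.
func fetchJS(url string, cfg *tls.Config) (string, error) {
	tr := &http.Transport{TLSClientConfig: cfg}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// compareTLSModes serves a constructed sync function from a local HTTPS
// endpoint whose certificate is not in the system CA bundle, then fetches it
// three ways and returns the error from each attempt.
func compareTLSModes() (strict, skip, pinned error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "function(doc){ channel(doc.channels); }") // constructed sample
	}))
	defer srv.Close()

	// Default: verify against the system CA bundle. Fails for this endpoint.
	_, strict = fetchJS(srv.URL, &tls.Config{})
	// Skip verification: succeeds, but any certificate would be accepted.
	_, skip = fetchJS(srv.URL, &tls.Config{InsecureSkipVerify: true})
	// Trust only this endpoint's certificate: succeeds, verification stays on.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	_, pinned = fetchJS(srv.URL, &tls.Config{RootCAs: pool})
	return strict, skip, pinned
}

func main() {
	strict, skip, pinned := compareTLSModes()
	fmt.Printf("system CAs: %v\nskip verify: %v\npinned cert: %v\n", strict, skip, pinned)
}
```

Both the skip-verify and pinned clients load the script, but only the pinned client would reject a different certificate presented for the same URL.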

          People

            sarath.kumarsivan Sarath Kumar Sivan (Inactive)
            sarath.kumarsivan Sarath Kumar Sivan (Inactive)