Details
Improvement
Resolution: Fixed
Major
2.8.4
None
None
1
Description
While evaluating the use of certificate authentication in Python I noticed that the underlying libcouchbase implementation uses the same parameter (certpath) for two different purposes:
- We pass it to SSL_CTX_load_verify_locations() to use as the trust store
- We also pass the same file to SSL_CTX_use_certificate_file to use as the client certificate
Relevant code section:
In our environment we have our trusted CA bundle in one centrally managed file and we have the client certificate and key in their own files. I would like to see support added natively to libcouchbase (and other language bindings such as the python sdk) to have the CA bundle file be independent of the client certificate file.
This is very similar to JVMCBC-468
Right now in order to successfully perform certificate authentication from my python app I must read the client cert off disk, read the CA bundle file off disk, concatenate them and write to a temp file, and then pass this temp file in my couchbase connection string, and then clean up the temp file. So I'd like to be able to avoid this type of hacky workaround.
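The temp-file workaround described in this issue, written out as an added example (not the reporter's code and not part of libcouchbase or the Python SDK). The host, bucket, file paths and the `keypath` option are assumptions; `certpath` is the option named above, and the PEM data is constructed.

```python
import contextlib
import os
import re
import tempfile

# Constructed sample data (not real certificates), only for the demo below.
SAMPLE_CLIENT = b"-----BEGIN CERTIFICATE-----\nQ0xJRU5U\n-----END CERTIFICATE-----\n"
SAMPLE_CAS = (b"-----BEGIN CERTIFICATE-----\nUk9PVA==\n-----END CERTIFICATE-----\n"
              b"-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n")
PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n[A-Za-z0-9+/=\r\n]+?-----END CERTIFICATE-----")

def combine_pem(client_cert: bytes, ca_bundle: bytes) -> bytes:
    """Return the client certificate followed by the CA certificates.

    SSL_CTX_use_certificate_file() takes the first certificate in a PEM file,
    so the client certificate has to come first. Note that the client
    certificate also ends up in the verify store loaded from the same file.
    """
    if b"PRIVATE KEY-----" in client_cert + ca_bundle:
        raise ValueError("refusing to copy private key material into certpath")
    client, cas = PEM_CERT.findall(client_cert), PEM_CERT.findall(ca_bundle)
    if not client or not cas:
        raise ValueError("expected at least one PEM certificate in each input")
    return b"\n".join(client + cas) + b"\n"

@contextlib.contextmanager
def combined_certpath(client_cert_file, ca_bundle_file):
    """Yield a temp file holding both inputs; it is removed on exit."""
    with open(client_cert_file, "rb") as f:
        client = f.read()
    with open(ca_bundle_file, "rb") as f:
        cas = f.read()
    data = combine_pem(client, cas)
    fd, path = tempfile.mkstemp(prefix="cb-certpath-", suffix=".pem")  # mode 0600
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(data)
        yield path
    finally:
        os.unlink(path)

def connection_string(host, bucket, certpath, keypath):
    # certpath is the option named in this issue; keypath is assumed here.
    return f"couchbases://{host}/{bucket}?certpath={certpath}&keypath={keypath}"

if __name__ == "__main__":
    print(combine_pem(SAMPLE_CLIENT, SAMPLE_CAS).decode())
```

The temp file has to stay on disk until the connection has been established, so the connect call belongs inside the `with combined_certpath(...)` block.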