Description
CBQ needs to support CA server certificates for encrypting client-server communication in Watson
CBQ needs to verify CA-signed certificates received from cbq-engine. In 4.0 and 4.1, CBQ does no cert verification; it is explicitly configured to skip verification (https://github.com/couchbase/query/blob/master/shell/cbq/shell.go#L43)
The PRD for CA-signed certs (https://goo.gl/tftXbs) asks CBQ to validate the cert received from cbq-engine when it is a CA-signed cert (section 3 "Enabling CA authentication"). To implement this, CBQ must revert to the default behaviour (basically, don't skip verification when initializing TLS). If the cert is installed in the local system root store, it will be picked up by the Go tls library (see "RootCAs" in https://golang.org/pkg/crypto/tls/). Alternatively, CBQ can be explicitly passed or configured with the path to the CA cert; examples of this:
https://gist.github.com/michaljemala/d6f4e01c4834bf47a9c4 - note verification of client by server is not required
http://stackoverflow.com/questions/21562269/golang-how-to-specify-certificate-in-tls-config-for-http-client
https://github.com/hydrogen18/test-tls
To summarize:
1) Self-signed server cert - no cert verification required (CBQ behaves per 4.0/4.1)
2) CA-signed server cert - CBQ should verify the cert received from cbq-engine
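The three client modes described above, as an added example that is not Couchbase's code: `newTLSConfig`, `probe` and `demo` are hypothetical names, and a local `httptest` server with a constructed certificate stands in for cbq-engine.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newTLSConfig (hypothetical helper): caPEM == nil keeps Go's default of the
// system root store; skipVerify reproduces the 4.0/4.1 behaviour.
func newTLSConfig(caPEM []byte, skipVerify bool) (*tls.Config, error) {
	cfg := &tls.Config{InsecureSkipVerify: skipVerify}
	if caPEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, fmt.Errorf("CA data contains no usable PEM certificate")
		}
		cfg.RootCAs = pool // trust only the explicitly configured CA
	}
	return cfg, nil
}

// probe performs one HTTPS request and returns the handshake/verify error, if any.
func probe(url string, caPEM []byte, skipVerify bool) error {
	cfg, err := newTLSConfig(caPEM, skipVerify)
	if err != nil {
		return err
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// demo runs all three modes against a local server with a constructed certificate.
func demo() (sysRoots, explicitCA, skipped error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return probe(srv.URL, nil, false), probe(srv.URL, caPEM, false), probe(srv.URL, nil, true)
}

func main() {
	fmt.Println(demo())
}
```

With default verification the test server's certificate is rejected because it does not chain to a system root; it is accepted once its issuer is supplied through `RootCAs`, and skipping verification accepts any certificate.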
Dependency:
Implementation of CA-signed certs in Couchbase Server
Background:
https://luxsci.com/blog/ssl-versus-tls-whats-the-difference.html
https://golang.org/pkg/crypto/tls/
http://www.hydrogen18.com/blog/your-own-pki-tls-golang.html
https://coreos.com/etcd/docs/0.4.7/etcd-security/
For Gerrit Dashboard: MB-16363

# | Subject | Branch | Project | Status | CR | V |
---|---|---|---|---|---|---|
63492,4 | MB-16363 Add method to control/skip verification for secure connections | master | go-couchbase | MERGED | +2 | +1 |
63493,6 | MB-16363 Add method to control/skip verification for secure connections | master | godbc | MERGED | +2 | +1 |
63494,4 | MB-16363 Add method to control/skip verification for secure connections in cbq using -no-ssl-verify flag | master | query | MERGED | +2 | +1 |