SSL client certificates


Jens Alfke

Jul 2, 2015, 1:00:25 PM
to mobile-c...@googlegroups.com
I’ve been adding support for SSL client certificates to Couchbase Lite/iOS (#82, just closed.) This is going to be very useful for P2P since it lets both the peers in a connection identify each other using public keys.

SSL client certs are also sometimes used in client/server connections as a more-secure alternative to passwords. But it’s not very common, and I’m not very familiar with how it’s set up on the server side. As a result I’m unsure what kind of extensibility to add in Sync Gateway to authenticate client certs. A couple of options:

  • Let some middleware like nginx do the work — a proxy that acts as the SSL endpoint, authenticates the client cert, then passes the requests to Sync Gateway. It would need to pass on the auth info, maybe by looking up user info and adding an “Authorization” header to the request.
  • Let the SG config file point to a CA certificate file; any client cert signed by this CA will be accepted. (But then how are client certs mapped to usernames?)
  • Let the SG config file point to a directory of certificate files, any of which will be accepted. (But again, how to map to usernames? Maybe the filename is the username?)

If anyone’s got experience with this, or would like to use it, I’d like to hear from you.

—Jens

Jens Alfke

Jul 2, 2015, 1:29:17 PM
to mobile-c...@googlegroups.com
I just realized there wasn’t an issue in Sync Gateway covering this, so I filed #964.

—Jens