Replication Trouble with SSL-enabled CouchDB


Aaron

Oct 9, 2012, 4:51:55 PM10/9/12
to mobile-c...@googlegroups.com
Hi there,
My app is developed, and this close to launch. I enabled SSL on my personally-hosted CouchDB server, and it seems to have caused problems with continuous replication in my app. Now, when the app attempts to sync to the remote Couch, I get these error messages:

16:40:16.840| WARNING*** : TDPusher[https://tiberiuslog.com:6984/aaron]: Unable to save remote checkpoint: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=0x1e9820b0 {NSErrorFailingURLStringKey=https://tiberiuslog.com:6984/aaron/_local/a9beb36d980742b9fe7d436d96eb48e8d3a5953f, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSErrorFailingURLKey=https://tiberiuslog.com:6984/aaron/_local/a9beb36d980742b9fe7d436d96eb48e8d3a5953f, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSUnderlyingError=0x1e8af490 "An SSL error has occurred and a secure connection to the server cannot be made.", NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x1d5fafd0>}


I have setup my local Couch server to replicate to the remote using this code:

// Username stored in user defaults; the remote database is named after the user.
NSString *username = [[NSUserDefaults standardUserDefaults] objectForKey:@"username"];

// Basic-auth credentials embedded in the URL (password elided in the post).
NSString *syncpoint = [NSString stringWithFormat:@"%@/%@", @"https://username:pass...@tiberiuslog.com:6984", username];
newRemoteURL = [NSURL URLWithString:syncpoint];

// Pull and push replications against the remote database.
_pull = [self.database replicationFromDatabaseAtURL:newRemoteURL];
_push = [self.database replicationToDatabaseAtURL:newRemoteURL];


This worked fine with my non-secure server at port 5984. And it seems that the SSL-enabled CouchDB is working correctly — I can view it in my browser and see a good certificate (https://tiberiuslog.com:6984), and I can hit it with curl without incident. 


I'm running the latest RC7 of CouchCocoa and TouchDB. Any thoughts would be appreciated!


Cheers,

Aaron

Sebastian

Oct 9, 2012, 5:10:22 PM10/9/12
to mobile-c...@googlegroups.com
Did you try to access the remote server with the Safari Browser? Maybe the Server Certificate is rejected by your device.

Dave Cottlehuber

Oct 9, 2012, 5:17:24 PM10/9/12
to mobile-c...@googlegroups.com

I'd recommend using stunnel (or whatever, and a dash of your favourite
HA proxy/loadbalancer sauce) for production SSL rather than what's
built into Erlang/OTP (and therefore Mochiweb/CouchDB). Based on the
rate of change & number of quirky bugs that come up each release it's
not ready to be used on its own just yet.

A+
Dave

Aaron Vegh

Oct 9, 2012, 5:25:14 PM10/9/12
to mobile-c...@googlegroups.com
Hi Dave,
That sounds like really good advice. I'm wondering if you have any pointers to online resources to help me figure this one out?

Thanks,
Aaron.

Sent from my iPhone

Sebastian

Oct 9, 2012, 5:43:00 PM10/9/12
to mobile-c...@googlegroups.com
I would recommend nginx, which can be easily configured as a reverse proxy (it's also free of charge, like stunnel). It works perfectly right out of the box with CouchDB if you configure it properly. You can find many resources for this if you search Google for 'nginx as reverse proxy'.
Another advantage is that you can evaluate SSL client certificates if you change the TouchDB framework a little bit (which isn't supported by CouchDB).

Aaron Vegh

Oct 9, 2012, 8:05:44 PM10/9/12
to mobile-c...@googlegroups.com
Hi there,
Sebastian's comment was the winner! I have nginx running as a reverse proxy (this page was a good starting point: http://wiki.apache.org/couchdb/Nginx_As_a_Reverse_Proxy -- though a little help from others was needed…), and my app connects securely to nginx which now forwards all traffic locally to my CouchDB server.

Thanks all!

Aaron


On 2012-10-09, at 5:43 PM, Sebastian <fwpb...@web.de> wrote:

> I would recommend nginx, which can be easily configured as a reverse proxy (it's also free of charge, like stunnel). It works perfectly right out of the box with CouchDB if you configure it properly. You can find many resources for this if you search Google for 'nginx as reverse proxy'.
> Another advantage is that you can evaluate SSL client certificates if you change the TouchDB framework a little bit (which isn't supported by CouchDB).
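The setup Sebastian suggested and Aaron ended up with (nginx terminating TLS and forwarding to CouchDB over plain HTTP on the loopback interface), written out as an added example that is not from the thread, the CouchDB wiki page, or any of the posters. The hostname, port, certificate paths and the backend address are assumptions; the cipher list and TLS 1.3 assume an nginx built against an OpenSSL release that supports them.

```nginx
# Added example: nginx as a TLS-terminating reverse proxy in front of CouchDB.
# couch.example.com, the file paths and 127.0.0.1:5984 are placeholders.
server {
    listen 6984 ssl;
    server_name couch.example.com;

    # Serve the full chain (leaf plus intermediates). A desktop browser often
    # has the intermediates cached and shows a "good" certificate, while a
    # mobile client that has never seen them rejects the handshake.
    ssl_certificate     /etc/nginx/ssl/couch.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/couch.example.com.key;

    # Decide explicitly which protocol versions and suites may be negotiated
    # instead of inheriting the defaults of whatever OpenSSL is installed.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    location / {
        # CouchDB itself listens on plain HTTP, loopback only.
        proxy_pass http://127.0.0.1:5984;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Continuous replication holds a long-lived _changes feed open; do not
        # buffer it or cut it off with the default read timeout.
        proxy_buffering off;
        proxy_read_timeout 3600s;
    }
}
```

Two things to check alongside this: CouchDB's own SSL listener must be disabled if it was bound to the same port, otherwise nginx cannot bind to it; and CouchDB's HTTP listener should be restricted to the loopback address (`bind_address = 127.0.0.1` in the `[httpd]` section of local.ini) so that clients cannot reach the database while bypassing TLS. If CouchDB needs to generate URLs with the external scheme and host, its `[httpd]` section also accepts `x_forwarded_host` and `x_forwarded_proto` settings naming the headers the proxy sets above.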

Dave Cottlehuber

Oct 9, 2012, 6:08:26 PM10/9/12
to mobile-c...@googlegroups.com
On 9 October 2012 23:25, Aaron Vegh <aaro...@gmail.com> wrote:
> Hi Dave,
> That sounds like really good advice. I'm wondering if you have any pointers to online resources to help me figure this one out?
>
> Thanks,
> Aaron.

Hi Aaron,

As my couches don't get this big, a good place would be to probe the Cloudant people on #couchdb on IRC, and to read all the links in http://vincent.bernat.im/en/blog/2011-ssl-benchmark.html; it's the bee's knees. Most of the front end / reverse proxies out there will do SSL more or less out of the box, so unless you're planning to conquer the world that may be sufficient.

Some caveats: I did this stuff a long time ago (last century) but IIRC there aren't too many knobs to play with. The usual suspects of ulimit/file handles and standard Linux netstack tuning apply, make sure you control the ciphers available, baseline etc etc, and watch out for memory consumption. Here's some old Erlang notes http://www.metabrew.com/article/a-million-user-comet-application-with-mochiweb-part-1 & Erlang / Linux TCP stack tuning.

A+
Dave