TLS: add `{verify, verify_peer}` to enable verification
When the CouchDB custom (couch) distribution is enabled, OTP 24 and 25,
you will get a warning when using `remsh-tls` or `remsh -t`; but in OTP 26,
this is an error. Because the default value of the verify option is `verify_peer`
instead of `verify_none`. We need to provide the appropriate CA certificates to
pass the validation.
```bash
$ ./dev/remsh-tls
=WARNING REPORT==== 4-May-2023::12:43:28.893022 ===
Description: "Server authenticity is not verified since certificate path validation is not enabled"
Reason: "The option {verify, verify_peer} and one of the options 'cacertfile' or 'cacerts' are required to enable this."
```
```bash
$ ./dev/remsh-tls
Could not connect to "node1@127.0.0.1"
```
- Add `{verify, verify_peer}` to enable verification
- Add `certs` in `couch_dist` app to generate proper certificates
- Add `-t`/`--enable-tls` mode in ./dev/run to automatically generate
vm.args, certificates and configuration files
- Add `--no-tls <node>` option to specify node to use TCP only
- Add README and documentation
- Remove TLS certificate generation code from `configure`
Greate thanks to Robert Newson for figuring out how to generate the
correct certificates to pass verification!
Ref:
- https://www.erlang.org/doc/apps/ssl/ssl_distribution.html
- https://www.erlang.org/doc/man/ssl_app.html
- https://www.erlang.org/blog/otp-26-highlights/#ssl-safer-defaults
- https://github.com/rnewson/elixir-certs
13 files changed
