Replication and mutual tls (mtls)

[aellerton]

Hi there,

Is there a way to configure the replication process to use client certificates when opening connections to the remote server?

That is, if replication was curl, it currently does something like this:

curl https://example.com/the-db

but I want it to do the equivalent of curl like this:

# pass server-side mtls tests!
curl --key client.key --cert client.crt https://example.com/the-db

I couldn't find any documentation on this. I tried using those key/crt files in the CouchDB config and though it correctly makes the daemon itself work with SSL, those certs aren't used in the replicator as client certs, which is probably fair enough out-of-the-box.

Is there a way to do this?

Background:

We using CouchDB on tablets where users do work away from a network. Data is recorded on the tablet and, when in-network, synchronised to the server.

That works well except we need to shift to mtls on the server.

I've proven mtls configuration works fine with curl etc, but CouchDB replication does not pass the certificates and I can't find a way to instruct it to.

Thank you!

[aellerton]

I might have solved this, but would be good to make sure...

I looked through the default.ini file and saw this:

[replicator]
; cert_file = /path/to/server_cert.pem
; key_file = /path/to/server_key.pem

I uncommented those and replaced with the client cert and key file (cat client.crt client.key > client_key.pem for the latter) and replication seems to work a treat with mtls!