Use TLS for erlang distribution (RSA or ECC)

tls_dist.diff

commit eb3560777d70049fb86ef21d09856e3afbb7fdf7
Author: Robert Newson <[email protected]>
Date:   2016-03-26 16:42:48 +0000

    Use TLS for erlang distribution

diff --git a/Makefile b/Makefile
index cefc5da..04eb284 100644
--- a/Makefile
+++ b/Makefile
@@ -63,7 +63,7 @@ help:

 .PHONY: couch
 # target: couch - Build CouchDB core
-couch: config.erl
+couch: config.erl crypto
 	@COUCHDB_VERSION=$(COUCHDB_VERSION) $(REBAR) compile
 	@cp src/couch/priv/couchjs bin/

@@ -336,6 +336,27 @@ uninstall:
 	@rm -rf $(DESTDIR)/$(man_dir)
 	@rm -rf $(DESTDIR)/$(info_dir)

+################################################################################
+# Crypto Goop
+################################################################################
+
+crypto: rsa_bundle.pem ecc_bundle.pem
+
+%_bundle.pem: %_cert.pem
+	cat $*_cert.pem $*_key.pem > $*_bundle.pem
+
+%_cert.pem: %_key.pem %_csr.pem
+	openssl req -x509 -days 99999 -key $*_key.pem -in $*_csr.pem -out $@
+
+%_csr.pem: %_key.pem
+	openssl req -new -key $< -out $@ -subj "/O=The Apache Software Foundation/OU=Infrastructure/CN=*.couchdb.org"
+
+rsa_key.pem:
+	openssl genrsa -out rsa_key.pem 2048
+
+ecc_key.pem:
+	openssl ecparam -genkey -name prime256v1 -out ecc_key.pem
+

 ################################################################################
 # Misc
diff --git a/dev/run b/dev/run
index d2705f7..8ce759c 100755
--- a/dev/run
+++ b/dev/run
@@ -369,6 +369,10 @@ def boot_node(ctx, node):
     reldir = os.path.join(ctx['rootdir'], "rel")
     cmd = [
         "erl",
+        "-proto_dist", "inet_tls",
+        "-ssl_dist_opt", "server_certfile", os.path.join(ctx['rootdir'], "ecc_bundle.pem"),
+        "-ssl_dist_opt", "server_secure_renegotiate", "true",
+        "-ssl_dist_opt", "client_secure_renegotiate", "true",
         "-args_file", os.path.join(node_etcdir, "vm.args"),
         "-config", os.path.join(reldir, "files", "sys"),
         "-couch_ini",