Mutual P2P auth with Couchbase Lite 2.1

I’m working on a project where we use P2P replication among a closed community of devices on a network. I’d like to implement mutual authentication when these devices perform P2P replication. The idea I have in mind is to issue each client a TLS cert out of band that is issued by my own private CA. The active peer would send a username/password to authenticate itself to the passive peer, while the active peer would authenticate the passive peer by validating that its TLS certificate was issued by our trusted CA.

Would this work, and does CB Lite 2.1 provide the hooks for me to implement such a scheme? Or is there a better way to accomplish this?

P2P is entirely transport agnostic. The library does not know or need to know about those details.

You’ll need to do this using a custom transport that does TLS client-cert authentication.

At some point we’d like to add client certs as an authentication option for the built-in replicator transport, but it’s not currently scheduled.

Thanks for the info. I’ll give it a try.
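The reply above leaves the TLS client-cert check to a custom transport. The following is an added example, not code from this thread or from Couchbase Lite, written in plain Go with only the standard library: a private CA enrols a passive (listening) peer and an active (dialing) peer; the passive peer refuses any connection whose client certificate does not chain to that CA, and the active peer trusts only that CA and pins the name it expects the passive peer to present. The CA name ("Fleet Private CA"), the peer names, the loopback harness and the 24 h certificate lifetime are all constructed for the demonstration; Couchbase Lite's replicator API is not involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// sign fills in the common fields and signs tmpl with parent's key, or self-signs it when parent is nil (24 h demo lifetime).
func sign(tmpl *x509.Certificate, parent *tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return tls.Certificate{}, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	tmpl.KeyUsage |= x509.KeyUsageDigitalSignature
	parentCert, signer := tmpl, any(key) // nil parent: self-signed root
	if parent != nil {
		parentCert, signer = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// NewCA makes the self-signed root that plays the part of the private CA (a constructed name).
func NewCA(name string) (tls.Certificate, error) {
	return sign(&x509.Certificate{Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil)
}

// Issue signs a leaf for one peer: ServerAuth for a passive (listening) peer, ClientAuth for an active one.
func Issue(ca tls.Certificate, name string, passive bool) (tls.Certificate, error) {
	eku := x509.ExtKeyUsageClientAuth
	if passive {
		eku = x509.ExtKeyUsageServerAuth
	}
	return sign(&x509.Certificate{Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, ExtKeyUsage: []x509.ExtKeyUsage{eku}}, &ca)
}

// PeerConfig is the one config a device needs for either role; passiveName is only used when dialing.
func PeerConfig(ca, self tls.Certificate, passiveName string) *tls.Config {
	pool := x509.NewCertPool() // our CA only: the system roots are never consulted
	pool.AddCert(ca.Leaf)
	return &tls.Config{
		Certificates: []tls.Certificate{self},
		// as the passive peer: demand a client cert and verify that it chains to our CA
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool,
		// as the active peer: accept the passive peer only under our CA and the expected name
		RootCAs: pool, ServerName: passiveName,
	}
}

// Handshake runs one mutual-TLS handshake over loopback; nil means both peers accepted each other.
func Handshake(passive, active *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srv := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = tls.Server(c, passive).Handshake()
		}
		srv <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), active)
	if err != nil {
		<-srv
		return err
	}
	defer conn.Close()
	return <-srv // under TLS 1.3 the client-cert verdict only surfaces on the server side
}

func main() {
	ca, _ := NewCA("Fleet Private CA")
	passive, _ := Issue(ca, "passive-peer", true)
	active, _ := Issue(ca, "active-peer", false)
	rogue, _ := NewCA("Rogue CA") // a CA the fleet never enrolled
	intruder, _ := Issue(rogue, "intruder", false)
	fmt.Println("trusted peers:   ", Handshake(PeerConfig(ca, passive, ""), PeerConfig(ca, active, "passive-peer")))
	fmt.Println("untrusted client:", Handshake(PeerConfig(ca, passive, ""), PeerConfig(ca, intruder, "passive-peer")))
}
```

Run with `go run`: the first line prints `<nil>`, the second an `x509: certificate signed by unknown authority` error raised by the passive side. Handshake reports the error from whichever side rejected the other because, under TLS 1.3, the client's handshake completes before the server has verified the client certificate, so a transport that only checks the dialing side's result would miss the rejection. The username/password the question mentions would be sent inside the tunnel only after this check has passed.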