hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MXS-2981: Treat missing TLS files as an error

Browse Source 
Also treats partially defined TLS files as an error.
This commit is contained in:
Markus Mäkelä
2020-05-06 11:39:36 +03:00
parent c34b835c51
commit 0ddee9613b
1 changed files with 36 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
server/core/admin.cc
View File

@ -39,6 +39,13 @@
using std::string; using std::string;
using std::ifstream; using std::ifstream;
enum class LoadResult
{
OK,
IGNORE,
ERROR
};
static struct MHD_Daemon* http_daemon = NULL; static struct MHD_Daemon* http_daemon = NULL;
/** In-memory certificates in PEM format */ /** In-memory certificates in PEM format */
@ -336,34 +343,48 @@ static char* load_cert(const char* file)
if (!infile.good()) if (!infile.good())
{ {
MXS_ERROR("Failed to load certificate file: %s", file);
delete rval; delete rval;
rval = NULL; rval = NULL;
} }
} }
if (!rval)
{
MXS_ERROR("Failed to load certificate file '%s': %d, %s", file, errno, mxb_strerror(errno));
}
return rval; return rval;
} }
static bool load_ssl_certificates() static LoadResult load_ssl_certificates()
{ {
bool rval = false; LoadResult rval = LoadResult::IGNORE;
const char* key = config_get_global_options()->admin_ssl_key; const char* key = config_get_global_options()->admin_ssl_key;
const char* cert = config_get_global_options()->admin_ssl_cert; const char* cert = config_get_global_options()->admin_ssl_cert;
const char* ca = config_get_global_options()->admin_ssl_ca_cert; const char* ca = config_get_global_options()->admin_ssl_ca_cert;
if (*key && *cert) if (!*key != !*cert)
{
MXS_ERROR("Both the admin TLS certificate and private key must be defined.");
rval = LoadResult::ERROR;
}
else if (*key && *cert)
{ {
admin_ssl_key = load_cert(key); admin_ssl_key = load_cert(key);
admin_ssl_cert = load_cert(cert); admin_ssl_cert = load_cert(cert);
admin_ssl_ca_cert = load_cert(ca);
if (admin_ssl_key && admin_ssl_cert) if (*ca)
{ {
rval = true; admin_ssl_ca_cert = load_cert(ca);
}
if (admin_ssl_key && admin_ssl_cert && (!*ca || admin_ssl_ca_cert))
{
rval = LoadResult::OK;
} }
else else
{ {
rval = LoadResult::ERROR;
delete admin_ssl_key; delete admin_ssl_key;
delete admin_ssl_cert; delete admin_ssl_cert;
delete admin_ssl_ca_cert; delete admin_ssl_ca_cert;
@ -404,10 +425,17 @@ bool mxs_admin_init()
options |= MHD_USE_DUAL_STACK; options |= MHD_USE_DUAL_STACK;
} }
if (load_ssl_certificates()) auto ssl_res = load_ssl_certificates();
if (ssl_res == LoadResult::OK)
{ {
using_ssl = true; using_ssl = true;
options |= MHD_USE_SSL; options |= MHD_USE_SSL;
MXS_NOTICE("The REST API will be encrypted, all requests must use HTTPS.");
}
else if (ssl_res == LoadResult::ERROR)
{
return false;
} }
// The port argument is ignored and the port in the struct sockaddr is used instead // The port argument is ignored and the port in the struct sockaddr is used instead