Merge branch '2.1' into 2.2

2018-06-11 10:36:57 +03:00 · 2018-06-11 10:36:57 +03:00 · 1a24f0a956
commit 1a24f0a956
parent 283a6d564e 1e1734f42e
4 changed files with 59 additions and 67 deletions
--- a/server/core/config.cc
+++ b/server/core/config.cc
@ -1829,7 +1829,7 @@ free_ssl_structure(SSL_LISTENER *ssl)
 * @param *error_count  An error count which may be incremented
 * @return SSL_LISTENER structure or NULL
 */
-SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *error_count)
+SSL_LISTENER* make_ssl_structure(CONFIG_CONTEXT *obj, bool require_cert, int *error_count)
 {
    char *ssl, *ssl_version, *ssl_cert, *ssl_key, *ssl_ca_cert, *ssl_cert_verify_depth;
    int local_errors = 0;
@ -1856,26 +1856,20 @@ SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *e
            new_ssl->ssl_cert_verify_depth = 9; // Default of 9 as per Linux man page
            new_ssl->ssl_verify_peer_certificate = true;

-            if (ssl_version)
+            if (ssl_version && listener_set_ssl_version(new_ssl, ssl_version) != 0)
            {
-                if (listener_set_ssl_version(new_ssl, ssl_version) != 0)
-                {
-                    MXS_ERROR("Unknown parameter value for 'ssl_version' for"
-                              " service '%s': %s", obj->object, ssl_version);
-                    local_errors++;
-                }
+                MXS_ERROR("Unknown parameter value for 'ssl_version' for '%s': %s",
+                          obj->object, ssl_version);
+                local_errors++;
            }

-            if (ssl_cert_verify_depth)
+            if (ssl_cert_verify_depth &&
+                (new_ssl->ssl_cert_verify_depth = atoi(ssl_cert_verify_depth)) < 0)
            {
-                new_ssl->ssl_cert_verify_depth = atoi(ssl_cert_verify_depth);
-                if (new_ssl->ssl_cert_verify_depth < 0)
-                {
-                    MXS_ERROR("Invalid parameter value for 'ssl_cert_verify_depth"
-                              " for service '%s': %s", obj->object, ssl_cert_verify_depth);
-                    new_ssl->ssl_cert_verify_depth = 0;
-                    local_errors++;
-                }
+                MXS_ERROR("Invalid parameter value for 'ssl_cert_verify_depth for '%s': %s",
+                          obj->object, ssl_cert_verify_depth);
+                new_ssl->ssl_cert_verify_depth = 0;
+                local_errors++;
            }

            if (ssl_verify_peer_certificate)
@ -1884,7 +1878,7 @@ SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *e
                if (rv == -1)
                {
                    MXS_ERROR("Invalid parameter value for 'ssl_verify_peer_certificate"
-                              " for service '%s': %s", obj->object, ssl_verify_peer_certificate);
+                              " for '%s': %s", obj->object, ssl_verify_peer_certificate);
                    local_errors++;
                }
                else
@ -1895,53 +1889,49 @@ SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *e

            listener_set_certificates(new_ssl, ssl_cert, ssl_key, ssl_ca_cert);

-            if (require_cert && new_ssl->ssl_cert == NULL)
+            if (require_cert)
            {
-                local_errors++;
-                MXS_ERROR("Server certificate missing for service '%s'."
-                          "Please provide the path to the server certificate by adding "
-                          "the ssl_cert=<path> parameter", obj->object);
+                if (new_ssl->ssl_cert == NULL)
+                {
+                    local_errors++;
+                    MXS_ERROR("Server certificate missing for listener '%s'."
+                              "Please provide the path to the server certificate by adding "
+                              "the ssl_cert=<path> parameter", obj->object);
+                }
+                else if (access(new_ssl->ssl_cert, F_OK) != 0)
+                {
+                    MXS_ERROR("Server certificate file for listener '%s' not found: %s",
+                              obj->object, new_ssl->ssl_cert);
+                    local_errors++;
+                }
+
+                if (new_ssl->ssl_key == NULL)
+                {
+                    local_errors++;
+                    MXS_ERROR("Server private key missing for listener '%s'. "
+                              "Please provide the path to the server certificate key by "
+                              "adding the ssl_key=<path> parameter", obj->object);
+                }
+                else if (access(new_ssl->ssl_key, F_OK) != 0)
+                {
+                    MXS_ERROR("Server private key file for listener '%s' not found: %s",
+                              obj->object, new_ssl->ssl_key);
+                    local_errors++;
+                }
            }

-            if (require_cert && new_ssl->ssl_ca_cert == NULL)
+            if (new_ssl->ssl_ca_cert == NULL)
            {
                local_errors++;
-                MXS_ERROR("CA Certificate missing for service '%s'."
+                MXS_ERROR("CA Certificate missing for '%s'."
                          "Please provide the path to the certificate authority "
                          "certificate by adding the ssl_ca_cert=<path> parameter",
                          obj->object);
            }
-
-            if (require_cert && new_ssl->ssl_key == NULL)
+            else if (access(new_ssl->ssl_ca_cert, F_OK) != 0)
            {
-                local_errors++;
-                MXS_ERROR("Server private key missing for service '%s'. "
-                          "Please provide the path to the server certificate key by "
-                          "adding the ssl_key=<path> parameter",
-                          obj->object);
-            }
-
-            if (require_cert && access(new_ssl->ssl_ca_cert, F_OK) != 0)
-            {
-                MXS_ERROR("Certificate authority file for service '%s' not found: %s",
-                          obj->object,
-                          new_ssl->ssl_ca_cert);
-                local_errors++;
-            }
-
-            if (require_cert && access(new_ssl->ssl_cert, F_OK) != 0)
-            {
-                MXS_ERROR("Server certificate file for service '%s' not found: %s",
-                          obj->object,
-                          new_ssl->ssl_cert);
-                local_errors++;
-            }
-
-            if (require_cert && access(new_ssl->ssl_key, F_OK) != 0)
-            {
-                MXS_ERROR("Server private key file for service '%s' not found: %s",
-                          obj->object,
-                          new_ssl->ssl_key);
+                MXS_ERROR("Certificate authority file for '%s' not found: %s",
+                          obj->object, new_ssl->ssl_ca_cert);
                local_errors++;
            }

--- a/server/core/config_runtime.cc
+++ b/server/core/config_runtime.cc
@ -258,8 +258,8 @@ static SSL_LISTENER* create_ssl(const char *name, const char *key, const char *c
    if (obj)
    {
        if (config_add_param(obj, CN_SSL, CN_REQUIRED) &&
-            config_add_param(obj, CN_SSL_KEY, key) &&
-            config_add_param(obj, CN_SSL_CERT, cert) &&
+            (!key || config_add_param(obj, CN_SSL_KEY, key)) &&
+            (!cert || config_add_param(obj, CN_SSL_CERT, cert)) &&
            config_add_param(obj, CN_SSL_CA_CERT, ca) &&
            (!version || config_add_param(obj, CN_SSL_VERSION, version)) &&
            (!depth || config_add_param(obj, CN_SSL_CERT_VERIFY_DEPTH, depth)) &&
--- a/server/core/listener.cc
+++ b/server/core/listener.cc
@ -337,6 +337,15 @@ listener_init_SSL(SSL_LISTENER *ssl_listener)
        ss_dassert(rsa_512 && rsa_1024);
        SSL_CTX_set_tmp_rsa_callback(ssl_listener->ctx, tmp_rsa_callback);

+        ss_dassert(ssl_listener->ssl_ca_cert);
+
+        /* Load the CA certificate into the SSL_CTX structure */
+        if (!SSL_CTX_load_verify_locations(ssl_listener->ctx, ssl_listener->ssl_ca_cert, NULL))
+        {
+            MXS_ERROR("Failed to set Certificate Authority file");
+            return -1;
+        }
+
        if (ssl_listener->ssl_cert && ssl_listener->ssl_key)
        {
            /** Load the server certificate */
@ -359,13 +368,6 @@ listener_init_SSL(SSL_LISTENER *ssl_listener)
                MXS_ERROR("Server SSL certificate and key do not match: %s", get_ssl_errors());
                return -1;
            }
-
-            /* Load the RSA CA certificate into the SSL_CTX structure */
-            if (!SSL_CTX_load_verify_locations(ssl_listener->ctx, ssl_listener->ssl_ca_cert, NULL))
-            {
-                MXS_ERROR("Failed to set Certificate Authority file: %s", get_ssl_errors());
-                return -1;
-            }
        }

        /* Set to require peer (client) certificate verification */
--- a/server/modules/routing/debugcli/debugcmd.c
+++ b/server/modules/routing/debugcli/debugcmd.c
@ -1433,9 +1433,9 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3,
        }
    }

-    if (enable || ssl_key || ssl_cert || ssl_ca)
+    if (enable || ssl_ca)
    {
-        if (enable && ssl_key && ssl_cert && ssl_ca)
+        if (enable && ssl_ca)
        {
            /** We have SSL parameters, try to process them */
            if (!runtime_enable_server_ssl(server, ssl_key, ssl_cert, ssl_ca,
@ -1448,7 +1448,7 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3,
        else
        {
            dcb_printf(dcb, "Error: SSL configuration requires the following parameters:\n"
-                       "ssl=required ssl_key=PATH ssl_cert=PATH ssl_ca_cert=PATH\n");
+                       "ssl=required ssl_ca_cert=PATH\n");
        }
    }
 }