MXS-1910: Only require ssl_ca_cert for servers

Servers in MaxScale can encrypt the connections without client keys and
certificates. As keys and certificates are no longer required, the CA
certificate must always be initialized.
This commit is contained in:
Markus Mäkelä 2018-06-09 00:15:48 +03:00
parent c850336199
commit 1e1734f42e
4 changed files with 59 additions and 67 deletions


@ -1489,7 +1489,7 @@ free_ssl_structure(SSL_LISTENER *ssl)
* @param *error_count An error count which may be incremented
* @return SSL_LISTENER structure or NULL
*/
SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *error_count)
SSL_LISTENER* make_ssl_structure(CONFIG_CONTEXT *obj, bool require_cert, int *error_count)
{
char *ssl, *ssl_version, *ssl_cert, *ssl_key, *ssl_ca_cert, *ssl_cert_verify_depth;
int local_errors = 0;
@ -1516,26 +1516,20 @@ SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *e
new_ssl->ssl_cert_verify_depth = 9; // Default of 9 as per Linux man page
new_ssl->ssl_verify_peer_certificate = true;
if (ssl_version)
if (ssl_version && listener_set_ssl_version(new_ssl, ssl_version) != 0)
{
if (listener_set_ssl_version(new_ssl, ssl_version) != 0)
{
MXS_ERROR("Unknown parameter value for 'ssl_version' for"
" service '%s': %s", obj->object, ssl_version);
local_errors++;
}
MXS_ERROR("Unknown parameter value for 'ssl_version' for '%s': %s",
obj->object, ssl_version);
local_errors++;
}
if (ssl_cert_verify_depth)
if (ssl_cert_verify_depth &&
(new_ssl->ssl_cert_verify_depth = atoi(ssl_cert_verify_depth)) < 0)
{
new_ssl->ssl_cert_verify_depth = atoi(ssl_cert_verify_depth);
if (new_ssl->ssl_cert_verify_depth < 0)
{
MXS_ERROR("Invalid parameter value for 'ssl_cert_verify_depth"
" for service '%s': %s", obj->object, ssl_cert_verify_depth);
new_ssl->ssl_cert_verify_depth = 0;
local_errors++;
}
MXS_ERROR("Invalid parameter value for 'ssl_cert_verify_depth for '%s': %s",
obj->object, ssl_cert_verify_depth);
new_ssl->ssl_cert_verify_depth = 0;
local_errors++;
}
if (ssl_verify_peer_certificate)
@ -1544,7 +1538,7 @@ SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *e
if (rv == -1)
{
MXS_ERROR("Invalid parameter value for 'ssl_verify_peer_certificate"
" for service '%s': %s", obj->object, ssl_verify_peer_certificate);
" for '%s': %s", obj->object, ssl_verify_peer_certificate);
local_errors++;
}
else
@ -1555,53 +1549,49 @@ SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *e
listener_set_certificates(new_ssl, ssl_cert, ssl_key, ssl_ca_cert);
if (require_cert && new_ssl->ssl_cert == NULL)
if (require_cert)
{
local_errors++;
MXS_ERROR("Server certificate missing for service '%s'."
"Please provide the path to the server certificate by adding "
"the ssl_cert=<path> parameter", obj->object);
if (new_ssl->ssl_cert == NULL)
{
local_errors++;
MXS_ERROR("Server certificate missing for listener '%s'."
"Please provide the path to the server certificate by adding "
"the ssl_cert=<path> parameter", obj->object);
}
else if (access(new_ssl->ssl_cert, F_OK) != 0)
{
MXS_ERROR("Server certificate file for listener '%s' not found: %s",
obj->object, new_ssl->ssl_cert);
local_errors++;
}
if (new_ssl->ssl_key == NULL)
{
local_errors++;
MXS_ERROR("Server private key missing for listener '%s'. "
"Please provide the path to the server certificate key by "
"adding the ssl_key=<path> parameter", obj->object);
}
else if (access(new_ssl->ssl_key, F_OK) != 0)
{
MXS_ERROR("Server private key file for listener '%s' not found: %s",
obj->object, new_ssl->ssl_key);
local_errors++;
}
}
if (require_cert && new_ssl->ssl_ca_cert == NULL)
if (new_ssl->ssl_ca_cert == NULL)
{
local_errors++;
MXS_ERROR("CA Certificate missing for service '%s'."
MXS_ERROR("CA Certificate missing for '%s'."
"Please provide the path to the certificate authority "
"certificate by adding the ssl_ca_cert=<path> parameter",
obj->object);
}
if (require_cert && new_ssl->ssl_key == NULL)
else if (access(new_ssl->ssl_ca_cert, F_OK) != 0)
{
local_errors++;
MXS_ERROR("Server private key missing for service '%s'. "
"Please provide the path to the server certificate key by "
"adding the ssl_key=<path> parameter",
obj->object);
}
if (require_cert && access(new_ssl->ssl_ca_cert, F_OK) != 0)
{
MXS_ERROR("Certificate authority file for service '%s' not found: %s",
obj->object,
new_ssl->ssl_ca_cert);
local_errors++;
}
if (require_cert && access(new_ssl->ssl_cert, F_OK) != 0)
{
MXS_ERROR("Server certificate file for service '%s' not found: %s",
obj->object,
new_ssl->ssl_cert);
local_errors++;
}
if (require_cert && access(new_ssl->ssl_key, F_OK) != 0)
{
MXS_ERROR("Server private key file for service '%s' not found: %s",
obj->object,
new_ssl->ssl_key);
MXS_ERROR("Certificate authority file for '%s' not found: %s",
obj->object, new_ssl->ssl_ca_cert);
local_errors++;
}
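Review bot: With require_cert false (the server case) a configuration that sets only one of ssl_cert/ssl_key is now accepted silently: the presence and access() checks for the pair have moved inside `if (require_cert)`, and listener_init_SSL only loads them when both are set, so the lone option is dropped without any error. An `else if` after the require_cert block should reject an unpaired ssl_cert/ssl_key, and the access() checks should still run for the pair when both are given on a server. Two of the new messages also lose a space at a literal boundary — `"...missing for listener '%s'." "Please provide ..."` and `"CA Certificate missing for '%s'." "Please provide ..."` print as `'x'.Please`. The rewritten `atoi(ssl_cert_verify_depth)` still turns non-numeric input into 0 with no error; `strtol` with an end-pointer check would report it. make_ssl_structure's body continues outside the hunk.
```c
    // … unchanged: require_cert block checking ssl_cert and ssl_key …
    }
    else if ((new_ssl->ssl_cert == NULL) != (new_ssl->ssl_key == NULL))
    {
        MXS_ERROR("Both 'ssl_cert' and 'ssl_key' must be given for '%s' "
                  "when either one is configured", obj->object);
        local_errors++;
    }
    // … unchanged: ssl_ca_cert presence and access() checks …
```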


@ -215,8 +215,8 @@ static SSL_LISTENER* create_ssl(const char *name, const char *key, const char *c
if (obj)
{
if (config_add_param(obj, "ssl", "required") &&
config_add_param(obj, "ssl_key", key) &&
config_add_param(obj, "ssl_cert", cert) &&
(!key || config_add_param(obj, "ssl_key", key)) &&
(!cert || config_add_param(obj, "ssl_cert", cert)) &&
config_add_param(obj, "ssl_ca_cert", ca) &&
(!version || config_add_param(obj, "ssl_version", version)) &&
(!depth || config_add_param(obj, "ssl_cert_verify_depth", depth)) &&
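Review bot: create_ssl now tolerates NULL for key and cert, but nothing in the hunk states that contract, while `ca` is still handed to config_add_param unconditionally, so a NULL ca presumably becomes an invalid parameter rather than a clear failure. Document it on the function, e.g. `/** key and cert may be NULL (server-side SSL needs only the CA); ca is mandatory. */`, and consider guarding the chain with `ca &&` so a missing CA fails here instead of later. create_ssl's signature and the rest of its body lie outside the hunk.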


@ -308,6 +308,15 @@ listener_init_SSL(SSL_LISTENER *ssl_listener)
ss_dassert(rsa_512 && rsa_1024);
SSL_CTX_set_tmp_rsa_callback(ssl_listener->ctx, tmp_rsa_callback);
ss_dassert(ssl_listener->ssl_ca_cert);
/* Load the CA certificate into the SSL_CTX structure */
if (!SSL_CTX_load_verify_locations(ssl_listener->ctx, ssl_listener->ssl_ca_cert, NULL))
{
MXS_ERROR("Failed to set Certificate Authority file");
return -1;
}
if (ssl_listener->ssl_cert && ssl_listener->ssl_key)
{
/** Load the server certificate */
@ -330,13 +339,6 @@ listener_init_SSL(SSL_LISTENER *ssl_listener)
MXS_ERROR("Server SSL certificate and key do not match.");
return -1;
}
/* Load the RSA CA certificate into the SSL_CTX structure */
if (!SSL_CTX_load_verify_locations(ssl_listener->ctx, ssl_listener->ssl_ca_cert, NULL))
{
MXS_ERROR("Failed to set Certificate Authority file.");
return -1;
}
}
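Review bot: The new CA-loading block logs `Failed to set Certificate Authority file` without the path or the OpenSSL error, and its only guard against a NULL ssl_ca_cert is `ss_dassert`, which is compiled out of release builds, so a listener or server built without a CA path reaches SSL_CTX_load_verify_locations with two NULL arguments. Replace the assert with a runtime check, `if (!ssl_listener->ssl_ca_cert) { MXS_ERROR("No CA certificate configured"); return -1; }`, and include the path in the failure message: `MXS_ERROR("Failed to set Certificate Authority file '%s'", ssl_listener->ssl_ca_cert);`. Whether OpenSSL's rejection of NULL/NULL surfaces cleanly cannot be confirmed from the hunk. listener_init_SSL continues outside the hunk.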
/* Set to require peer (client) certificate verification */


@ -1410,9 +1410,9 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3,
}
}
if (enable || ssl_key || ssl_cert || ssl_ca)
if (enable || ssl_ca)
{
if (enable && ssl_key && ssl_cert && ssl_ca)
if (enable && ssl_ca)
{
/** We have SSL parameters, try to process them */
if (!runtime_enable_server_ssl(server, ssl_key, ssl_cert, ssl_ca,
@ -1425,7 +1425,7 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3,
else
{
dcb_printf(dcb, "Error: SSL configuration requires the following parameters:\n"
"ssl=required ssl_key=PATH ssl_cert=PATH ssl_ca_cert=PATH\n");
"ssl=required ssl_ca_cert=PATH\n");
}
}
}
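Review bot: Narrowing the outer condition to `enable || ssl_ca` drops feedback the user previously got: a request that supplies only ssl_key and/or ssl_cert, without ssl=required or ssl_ca_cert, now falls through with no message at all, whereas before it reached the else branch and printed the parameter list. Keep the outer test as `if (enable || ssl_key || ssl_cert || ssl_ca)` so the inner else still reports what is missing, and extend the message to say ssl_key/ssl_cert are optional for servers. Whether runtime_enable_server_ssl copes with a lone ssl_key or ssl_cert (NULL partner) is not visible here; if it does not, the inner test should also require the two to be given together. The alterServer body continues outside the hunk.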