From 1e1734f42ee0aa8fa12aa8021263ad580d019b74 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?= Date: Sat, 9 Jun 2018 00:15:48 +0300 Subject: [PATCH] MXS-1910: Only require ssl_ca_cert for servers Servers in MaxScale can encrypt the connections without client keys and certificates. As keys and certificates are no longer required, the CA certificate must always be initialized. --- server/core/config.c | 100 ++++++++++----------- server/core/config_runtime.c | 4 +- server/core/listener.c | 16 ++-- server/modules/routing/debugcli/debugcmd.c | 6 +- 4 files changed, 59 insertions(+), 67 deletions(-) diff --git a/server/core/config.c b/server/core/config.c index 348491205..f9a8f0c79 100644 --- a/server/core/config.c +++ b/server/core/config.c @@ -1489,7 +1489,7 @@ free_ssl_structure(SSL_LISTENER *ssl) * @param *error_count An error count which may be incremented * @return SSL_LISTENER structure or NULL */ -SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *error_count) +SSL_LISTENER* make_ssl_structure(CONFIG_CONTEXT *obj, bool require_cert, int *error_count) { char *ssl, *ssl_version, *ssl_cert, *ssl_key, *ssl_ca_cert, *ssl_cert_verify_depth; int local_errors = 0; 
@@ -1516,26 +1516,20 @@ SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *e new_ssl->ssl_cert_verify_depth = 9; // Default of 9 as per Linux man page new_ssl->ssl_verify_peer_certificate = true; - if (ssl_version) + if (ssl_version && listener_set_ssl_version(new_ssl, ssl_version) != 0) { - if (listener_set_ssl_version(new_ssl, ssl_version) != 0) - { - MXS_ERROR("Unknown parameter value for 'ssl_version' for" - " service '%s': %s", obj->object, ssl_version); - local_errors++; - } + MXS_ERROR("Unknown parameter value for 'ssl_version' for '%s': %s", + obj->object, ssl_version); + local_errors++; } - if (ssl_cert_verify_depth) + if (ssl_cert_verify_depth && + (new_ssl->ssl_cert_verify_depth = atoi(ssl_cert_verify_depth)) < 0) { - new_ssl->ssl_cert_verify_depth = atoi(ssl_cert_verify_depth); - if (new_ssl->ssl_cert_verify_depth < 0) - { - MXS_ERROR("Invalid parameter value for 'ssl_cert_verify_depth" - " for service '%s': %s", obj->object, ssl_cert_verify_depth); - new_ssl->ssl_cert_verify_depth = 0; - local_errors++; - } + MXS_ERROR("Invalid parameter value for 'ssl_cert_verify_depth for '%s': %s", + obj->object, ssl_cert_verify_depth); + new_ssl->ssl_cert_verify_depth = 0; + local_errors++; } if (ssl_verify_peer_certificate) @@ -1544,7 +1538,7 @@ SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *e if (rv == -1) { MXS_ERROR("Invalid parameter value for 'ssl_verify_peer_certificate" - " for service '%s': %s", obj->object, ssl_verify_peer_certificate); + " for '%s': %s", obj->object, ssl_verify_peer_certificate); local_errors++; } else 
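Review bot: `atoi(ssl_cert_verify_depth)` in the restructured condition still accepts non-numeric input silently: a value such as `ssl_cert_verify_depth=abc` yields 0 and passes the `< 0` test, and an out-of-range value is undefined behaviour with `atoi`. Since this number bounds how far certificate-chain verification may walk, parse it with `strtol` and reject trailing garbage and overflow (needs `<errno.h>`/`<limits.h>` if the file does not already include them). The new error string is also missing the closing quote after `ssl_cert_verify_depth`. The opening of `make_ssl_structure` and its return are outside this hunk.
```c
/* … unchanged: ssl_version handling … */
if (ssl_cert_verify_depth)
{
    char *end = NULL;
    errno = 0;
    long depth = strtol(ssl_cert_verify_depth, &end, 10);
    if (end == ssl_cert_verify_depth || *end != '\0' || errno == ERANGE || depth < 0 || depth > INT_MAX)
    {
        MXS_ERROR("Invalid parameter value for 'ssl_cert_verify_depth' for '%s': %s",
                  obj->object, ssl_cert_verify_depth);
        new_ssl->ssl_cert_verify_depth = 0;
        local_errors++;
    }
    else
    {
        new_ssl->ssl_cert_verify_depth = (int)depth;
    }
}
/* … unchanged: ssl_verify_peer_certificate handling … */
```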
@@ -1555,53 +1549,49 @@ SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *e listener_set_certificates(new_ssl, ssl_cert, ssl_key, ssl_ca_cert); - if (require_cert && new_ssl->ssl_cert == NULL) + if (require_cert) { - local_errors++; - MXS_ERROR("Server certificate missing for service '%s'." - "Please provide the path to the server certificate by adding " - "the ssl_cert= parameter", obj->object); + if (new_ssl->ssl_cert == NULL) + { + local_errors++; + MXS_ERROR("Server certificate missing for listener '%s'." + "Please provide the path to the server certificate by adding " + "the ssl_cert= parameter", obj->object); + } + else if (access(new_ssl->ssl_cert, F_OK) != 0) + { + MXS_ERROR("Server certificate file for listener '%s' not found: %s", + obj->object, new_ssl->ssl_cert); + local_errors++; + } + + if (new_ssl->ssl_key == NULL) + { + local_errors++; + MXS_ERROR("Server private key missing for listener '%s'. " + "Please provide the path to the server certificate key by " + "adding the ssl_key= parameter", obj->object); + } + else if (access(new_ssl->ssl_key, F_OK) != 0) + { + MXS_ERROR("Server private key file for listener '%s' not found: %s", + obj->object, new_ssl->ssl_key); + local_errors++; + } } - if (require_cert && new_ssl->ssl_ca_cert == NULL) + if (new_ssl->ssl_ca_cert == NULL) { local_errors++; - MXS_ERROR("CA Certificate missing for service '%s'." + MXS_ERROR("CA Certificate missing for '%s'." "Please provide the path to the certificate authority " "certificate by adding the ssl_ca_cert= parameter", obj->object); } - - if (require_cert && new_ssl->ssl_key == NULL) + else if (access(new_ssl->ssl_ca_cert, F_OK) != 0) { - local_errors++; - MXS_ERROR("Server private key missing for service '%s'. 
" - "Please provide the path to the server certificate key by " - "adding the ssl_key= parameter", - obj->object); - } - - if (require_cert && access(new_ssl->ssl_ca_cert, F_OK) != 0) - { - MXS_ERROR("Certificate authority file for service '%s' not found: %s", - obj->object, - new_ssl->ssl_ca_cert); - local_errors++; - } - - if (require_cert && access(new_ssl->ssl_cert, F_OK) != 0) - { - MXS_ERROR("Server certificate file for service '%s' not found: %s", - obj->object, - new_ssl->ssl_cert); - local_errors++; - } - - if (require_cert && access(new_ssl->ssl_key, F_OK) != 0) - { - MXS_ERROR("Server private key file for service '%s' not found: %s", - obj->object, - new_ssl->ssl_key); + MXS_ERROR("Certificate authority file for '%s' not found: %s", + obj->object, new_ssl->ssl_ca_cert); local_errors++; } diff --git a/server/core/config_runtime.c b/server/core/config_runtime.c index bcdd32f5f..dc10ea0bc 100644 --- a/server/core/config_runtime.c +++ b/server/core/config_runtime.c @@ -215,8 +215,8 @@ static SSL_LISTENER* create_ssl(const char *name, const char *key, const char *c if (obj) { if (config_add_param(obj, "ssl", "required") && - config_add_param(obj, "ssl_key", key) && - config_add_param(obj, "ssl_cert", cert) && + (!key || config_add_param(obj, "ssl_key", key)) && + (!cert || config_add_param(obj, "ssl_cert", cert)) && config_add_param(obj, "ssl_ca_cert", ca) && (!version || config_add_param(obj, "ssl_version", version)) && (!depth || config_add_param(obj, "ssl_cert_verify_depth", depth)) && diff --git a/server/core/listener.c b/server/core/listener.c index b1dabca69..16a44d14d 100644 --- a/server/core/listener.c +++ b/server/core/listener.c 
@@ -308,6 +308,15 @@ listener_init_SSL(SSL_LISTENER *ssl_listener) ss_dassert(rsa_512 && rsa_1024); SSL_CTX_set_tmp_rsa_callback(ssl_listener->ctx, tmp_rsa_callback); + ss_dassert(ssl_listener->ssl_ca_cert); + + /* Load the CA certificate into the SSL_CTX structure */ + if (!SSL_CTX_load_verify_locations(ssl_listener->ctx, ssl_listener->ssl_ca_cert, NULL)) + { + MXS_ERROR("Failed to set Certificate Authority file"); + return -1; + } + if (ssl_listener->ssl_cert && ssl_listener->ssl_key) { /** Load the server certificate */ @@ -330,13 +339,6 @@ listener_init_SSL(SSL_LISTENER *ssl_listener) MXS_ERROR("Server SSL certificate and key do not match."); return -1; } - - /* Load the RSA CA certificate into the SSL_CTX structure */ - if (!SSL_CTX_load_verify_locations(ssl_listener->ctx, ssl_listener->ssl_ca_cert, NULL)) - { - MXS_ERROR("Failed to set Certificate Authority file."); - return -1; - } } /* Set to require peer (client) certificate verification */ diff --git a/server/modules/routing/debugcli/debugcmd.c b/server/modules/routing/debugcli/debugcmd.c index 46c87bdf1..509ae0b91 100644 --- a/server/modules/routing/debugcli/debugcmd.c +++ b/server/modules/routing/debugcli/debugcmd.c @@ -1410,9 +1410,9 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3, } } - if (enable || ssl_key || ssl_cert || ssl_ca) + if (enable || ssl_ca) { - if (enable && ssl_key && ssl_cert && ssl_ca) + if (enable && ssl_ca) { /** We have SSL parameters, try to process them */ if (!runtime_enable_server_ssl(server, ssl_key, ssl_cert, ssl_ca, @@ -1425,7 +1425,7 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3, else { dcb_printf(dcb, "Error: SSL configuration requires the following parameters:\n" - "ssl=required ssl_key=PATH ssl_cert=PATH ssl_ca_cert=PATH\n"); + "ssl=required ssl_ca_cert=PATH\n"); } } }
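Review bot: `ss_dassert(ssl_listener->ssl_ca_cert)` only fires in debug builds; in a release build a NULL `ssl_ca_cert` reaches `SSL_CTX_load_verify_locations(ctx, NULL, NULL)`, which per the OpenSSL documentation should fail when both locations are NULL, so the path is caught, but the log line then says nothing about which file or why. Include the path in the message so a bad `ssl_ca_cert` can be diagnosed from the log: `MXS_ERROR("Failed to set Certificate Authority file '%s'", ssl_listener->ssl_ca_cert ? ssl_listener->ssl_ca_cert : "(null)");`. If the file already drains the OpenSSL error queue elsewhere, appending `ERR_reason_error_string(ERR_get_error())` here would be consistent with that. The rest of `listener_init_SSL`, including the peer-verification setup, is outside this hunk.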
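Review bot: The outer condition drops `ssl_key || ssl_cert`, so an `alter server` that supplies only `ssl_key` or `ssl_cert` (without `ssl=required`/`ssl_ca_cert`) is now silently ignored instead of reaching the usage error in the `else` branch; before the change the same input produced that error. Keep the partial-input detection and relax only the inner requirement: `if (enable || ssl_key || ssl_cert || ssl_ca)`. `alterServer` begins and ends outside this hunk.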
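Review bot: The updated usage text lists only the mandatory parameters, so an operator reading it has no way to learn that a client key and certificate can still be supplied. Showing them as optional, `"ssl=required ssl_ca_cert=PATH [ssl_key=PATH ssl_cert=PATH]\n"`, keeps the message accurate for the new behaviour.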