MXS-2483: Remove runtime enabling of TLS
TLS can no longer be enabled at runtime via maxadmin.
parent
1d87a1c3bc
commit
21cdc4822b
@ -394,71 +394,6 @@ bool runtime_destroy_server(Server* server)
|
||||
return rval;
|
||||
}
|
||||
|
||||
static std::unique_ptr<mxs::SSLContext> create_ssl(const char* name,
|
||||
const char* key,
|
||||
const char* cert,
|
||||
const char* ca,
|
||||
const char* version,
|
||||
const char* depth,
|
||||
const char* verify)
|
||||
{
|
||||
std::unique_ptr<mxs::SSLContext> rval;
|
||||
CONFIG_CONTEXT* obj = config_context_create(name);
|
||||
|
||||
if (obj)
|
||||
{
|
||||
if (config_add_param(obj, CN_SSL, CN_REQUIRED)
|
||||
&& (!key || config_add_param(obj, CN_SSL_KEY, key))
|
||||
&& (!cert || config_add_param(obj, CN_SSL_CERT, cert))
|
||||
&& config_add_param(obj, CN_SSL_CA_CERT, ca)
|
||||
&& (!version || config_add_param(obj, CN_SSL_VERSION, version))
|
||||
&& (!depth || config_add_param(obj, CN_SSL_CERT_VERIFY_DEPTH, depth))
|
||||
&& (!verify || config_add_param(obj, CN_SSL_VERIFY_PEER_CERTIFICATE, verify)))
|
||||
{
|
||||
config_create_ssl(name, obj->m_parameters, true, &rval);
|
||||
}
|
||||
|
||||
config_context_free(obj);
|
||||
}
|
||||
|
||||
return rval;
|
||||
}
|
||||
|
||||
bool runtime_enable_server_ssl(Server* server,
|
||||
const char* key,
|
||||
const char* cert,
|
||||
const char* ca,
|
||||
const char* version,
|
||||
const char* depth,
|
||||
const char* verify)
|
||||
{
|
||||
bool rval = false;
|
||||
|
||||
if (server->ssl().context())
|
||||
{
|
||||
config_runtime_error("Server '%s' already configured to use SSL.", server->name());
|
||||
}
|
||||
else if (key && cert && ca)
|
||||
{
|
||||
std::lock_guard<std::mutex> guard(crt_lock);
|
||||
std::unique_ptr<mxs::SSLContext> ssl(create_ssl(server->name(), key, cert, ca,
|
||||
version, depth, verify));
|
||||
|
||||
if (ssl)
|
||||
{
|
||||
server->ssl().set_context(std::move(ssl));
|
||||
|
||||
if (server->serialize())
|
||||
{
|
||||
MXS_NOTICE("Enabled SSL for server '%s'", server->name());
|
||||
rval = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return rval;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Convert a string value to a positive integer
|
||||
*
|
||||
@ -1914,56 +1849,6 @@ static bool validate_ssl_json(json_t* params, object_type type)
|
||||
return rval;
|
||||
}
|
||||
|
||||
static bool process_ssl_parameters(Server* server, json_t* params)
|
||||
{
|
||||
mxb_assert(server->ssl().context() == NULL);
|
||||
bool rval = true;
|
||||
|
||||
if (have_ssl_json(params))
|
||||
{
|
||||
if (validate_ssl_json(params, OT_SERVER))
|
||||
{
|
||||
char buf[20]; // Enough to hold the string form of the ssl_cert_verify_depth
|
||||
char buf_verify[20];// Enough to hold the string form of the ssl_verify_peer_certificate
|
||||
const char* key = json_string_value(mxs_json_pointer(params, CN_SSL_KEY));
|
||||
const char* cert = json_string_value(mxs_json_pointer(params, CN_SSL_CERT));
|
||||
const char* ca = json_string_value(mxs_json_pointer(params, CN_SSL_CA_CERT));
|
||||
const char* version = json_string_value(mxs_json_pointer(params, CN_SSL_VERSION));
|
||||
const char* depth = NULL;
|
||||
json_t* depth_json = mxs_json_pointer(params, CN_SSL_CERT_VERIFY_DEPTH);
|
||||
|
||||
if (depth_json)
|
||||
{
|
||||
snprintf(buf, sizeof(buf), "%lld", json_integer_value(depth_json));
|
||||
depth = buf;
|
||||
}
|
||||
|
||||
const char* verify = NULL;
|
||||
json_t* verify_json = mxs_json_pointer(params, CN_SSL_VERIFY_PEER_CERTIFICATE);
|
||||
|
||||
if (verify_json)
|
||||
{
|
||||
snprintf(buf_verify, sizeof(buf), "%s", json_boolean_value(verify_json) ? "true" : "false");
|
||||
verify = buf_verify;
|
||||
}
|
||||
|
||||
if (!runtime_enable_server_ssl(server, key, cert, ca, version, depth, verify))
|
||||
{
|
||||
config_runtime_error("Failed to initialize SSL for server '%s'. See "
|
||||
"error log for more details.",
|
||||
server->name());
|
||||
rval = false;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
rval = false;
|
||||
}
|
||||
}
|
||||
|
||||
return rval;
|
||||
}
|
||||
|
||||
bool runtime_create_server_from_json(json_t* json)
|
||||
{
|
||||
bool rval = false;
|
||||
|
@ -109,32 +109,6 @@ bool runtime_unlink_server(Server* server, const char* target);
|
||||
*/
|
||||
bool runtime_alter_server(Server* server, const char* key, const char* value);
|
||||
|
||||
/**
|
||||
* @brief Enable SSL for a server
|
||||
*
|
||||
* The @c key , @c cert and @c ca parameters are required. @c version and @c depth
|
||||
* are optional.
|
||||
*
|
||||
* @note SSL cannot be disabled at runtime.
|
||||
*
|
||||
* @param server Server to configure
|
||||
* @param key Path to SSL private key
|
||||
* @param cert Path to SSL public certificate
|
||||
* @param ca Path to certificate authority
|
||||
* @param version Required SSL Version
|
||||
* @param depth Certificate verification depth
|
||||
* @param verify Verify peer certificate
|
||||
*
|
||||
* @return True if SSL was successfully enabled
|
||||
*/
|
||||
bool runtime_enable_server_ssl(Server* server,
|
||||
const char* key,
|
||||
const char* cert,
|
||||
const char* ca,
|
||||
const char* version,
|
||||
const char* depth,
|
||||
const char* verify);
|
||||
|
||||
/**
|
||||
* @brief Alter monitor parameters
|
||||
*
|
||||
|
@ -1491,13 +1491,6 @@ static void alterServer(DCB* dcb, Server* server,
|
||||
char* values[] = {v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12, v13};
|
||||
const int items = sizeof(values) / sizeof(values[0]);
|
||||
CONFIG_CONTEXT* obj = NULL;
|
||||
char* ssl_key = NULL;
|
||||
char* ssl_cert = NULL;
|
||||
char* ssl_ca = NULL;
|
||||
char* ssl_version = NULL;
|
||||
char* ssl_depth = NULL;
|
||||
char* ssl_verify = NULL;
|
||||
bool enable = false;
|
||||
|
||||
for (int i = 0; i < items && values[i]; i++)
|
||||
{
|
||||
@ -1508,39 +1501,7 @@ static void alterServer(DCB* dcb, Server* server,
|
||||
{
|
||||
*value++ = '\0';
|
||||
|
||||
if (config_is_ssl_parameter(key))
|
||||
{
|
||||
if (strcmp("ssl_cert", key) == 0)
|
||||
{
|
||||
ssl_cert = value;
|
||||
}
|
||||
else if (strcmp("ssl_ca_cert", key) == 0)
|
||||
{
|
||||
ssl_ca = value;
|
||||
}
|
||||
else if (strcmp("ssl_key", key) == 0)
|
||||
{
|
||||
ssl_key = value;
|
||||
}
|
||||
else if (strcmp("ssl_version", key) == 0)
|
||||
{
|
||||
ssl_version = value;
|
||||
}
|
||||
else if (strcmp("ssl_cert_verify_depth", key) == 0)
|
||||
{
|
||||
ssl_depth = value;
|
||||
}
|
||||
else if (strcmp("ssl_verify_peer_certificate", key) == 0)
|
||||
{
|
||||
ssl_verify = value;
|
||||
}
|
||||
else
|
||||
{
|
||||
enable = strcmp("ssl", key) == 0 && strcmp(value, "required") == 0;
|
||||
/** Must be 'ssl' */
|
||||
}
|
||||
}
|
||||
else if (!runtime_alter_server(server, key, value))
|
||||
if (!runtime_alter_server(server, key, value))
|
||||
{
|
||||
dcb_printf(dcb, "Error: Bad key-value parameter: %s=%s\n", key, value);
|
||||
}
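Review bot: With the ssl branch gone, `ssl=required` and the `ssl_*` keys typed into `maxadmin alter server` now fall straight through to `runtime_alter_server` at the changed `if`, and the only feedback on rejection is the generic `Bad key-value parameter` message, which gives no hint that TLS has to be set in the static configuration and needs a restart to take effect. I would keep the `config_is_ssl_parameter(key)` test (only its call is removed here, so the helper presumably still exists) as a guard that prints a TLS-specific error before `runtime_alter_server` is reached, as sketched below. What `runtime_alter_server` does with an ssl key is not visible in this hunk; if it accepts and serializes one as an ordinary parameter, the persisted config would claim TLS that the running server does not actually have until restart, so that path deserves an explicit rejection or at least a test. alterServer begins and ends outside this hunk.
```cpp
*value++ = '\0';

if (config_is_ssl_parameter(key))
{
    dcb_printf(dcb,
               "Error: TLS cannot be configured at runtime, set '%s' in the "
               "static configuration and restart MaxScale.\n",
               key);
}
else if (!runtime_alter_server(server, key, value))
{
    // … unchanged: "Bad key-value parameter" report …
}
```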
|
||||
@ -1550,33 +1511,6 @@ static void alterServer(DCB* dcb, Server* server,
|
||||
dcb_printf(dcb, "Error: not a key-value parameter: %s\n", values[i]);
|
||||
}
|
||||
}
|
||||
|
||||
if (enable || ssl_ca)
|
||||
{
|
||||
if (enable && ssl_ca)
|
||||
{
|
||||
/** We have SSL parameters, try to process them */
|
||||
if (!runtime_enable_server_ssl(server,
|
||||
ssl_key,
|
||||
ssl_cert,
|
||||
ssl_ca,
|
||||
ssl_version,
|
||||
ssl_depth,
|
||||
ssl_verify))
|
||||
{
|
||||
dcb_printf(dcb,
|
||||
"Enabling SSL for server '%s' failed, see log "
|
||||
"for more details.\n",
|
||||
server->name());
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
dcb_printf(dcb,
|
||||
"Error: SSL configuration requires the following parameters:\n"
|
||||
"ssl=required ssl_ca_cert=PATH\n");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void alterMonitor(DCB* dcb,
|
||||
|