From 21cdc4822b6e8e416a0785420aab5d6f86653051 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?= Date: Tue, 28 May 2019 09:27:21 +0300 Subject: [PATCH] MXS-2483: Remove runtime enabling of TLS TLS can no longer be enabled at runtime via maxadmin. --- server/core/config_runtime.cc | 115 ------------------------- server/core/internal/config_runtime.hh | 26 ------ server/modules/routing/cli/debugcmd.cc | 68 +-------------- 3 files changed, 1 insertion(+), 208 deletions(-) diff --git a/server/core/config_runtime.cc b/server/core/config_runtime.cc index 6b871326f..3002da06d 100644 --- a/server/core/config_runtime.cc +++ b/server/core/config_runtime.cc @@ -394,71 +394,6 @@ bool runtime_destroy_server(Server* server) return rval; } -static std::unique_ptr create_ssl(const char* name, - const char* key, - const char* cert, - const char* ca, - const char* version, - const char* depth, - const char* verify) -{ - std::unique_ptr rval; - CONFIG_CONTEXT* obj = config_context_create(name); - - if (obj) - { - if (config_add_param(obj, CN_SSL, CN_REQUIRED) - && (!key || config_add_param(obj, CN_SSL_KEY, key)) - && (!cert || config_add_param(obj, CN_SSL_CERT, cert)) - && config_add_param(obj, CN_SSL_CA_CERT, ca) - && (!version || config_add_param(obj, CN_SSL_VERSION, version)) - && (!depth || config_add_param(obj, CN_SSL_CERT_VERIFY_DEPTH, depth)) - && (!verify || config_add_param(obj, CN_SSL_VERIFY_PEER_CERTIFICATE, verify))) - { - config_create_ssl(name, obj->m_parameters, true, &rval); - } - - config_context_free(obj); - } - - return rval; -} - -bool runtime_enable_server_ssl(Server* server, - const char* key, - const char* cert, - const char* ca, - const char* version, - const char* depth, - const char* verify) -{ - bool rval = false; - - if (server->ssl().context()) - { - config_runtime_error("Server '%s' already configured to use SSL.", server->name()); - } - else if (key && cert && ca) - { - std::lock_guard guard(crt_lock); - std::unique_ptr ssl(create_ssl(server->name(), key, cert, ca, - version, depth, verify)); - - if (ssl) - { - server->ssl().set_context(std::move(ssl)); - - if (server->serialize()) - { - MXS_NOTICE("Enabled SSL for server '%s'", server->name()); - rval = true; - } - } - } - - return rval; -} - /** * @brief Convert a string value to a positive integer * @@ -1914,56 +1849,6 @@ static bool validate_ssl_json(json_t* params, object_type type) return rval; } -static bool process_ssl_parameters(Server* server, json_t* params) -{ - mxb_assert(server->ssl().context() == NULL); - bool rval = true; - - if (have_ssl_json(params)) - { - if (validate_ssl_json(params, OT_SERVER)) - { - char buf[20]; // Enough to hold the string form of the ssl_cert_verify_depth - char buf_verify[20];// Enough to hold the string form of the ssl_verify_peer_certificate - const char* key = json_string_value(mxs_json_pointer(params, CN_SSL_KEY)); - const char* cert = json_string_value(mxs_json_pointer(params, CN_SSL_CERT)); - const char* ca = json_string_value(mxs_json_pointer(params, CN_SSL_CA_CERT)); - const char* version = json_string_value(mxs_json_pointer(params, CN_SSL_VERSION)); - const char* depth = NULL; - json_t* depth_json = mxs_json_pointer(params, CN_SSL_CERT_VERIFY_DEPTH); - - if (depth_json) - { - snprintf(buf, sizeof(buf), "%lld", json_integer_value(depth_json)); - depth = buf; - } - - const char* verify = NULL; - json_t* verify_json = mxs_json_pointer(params, CN_SSL_VERIFY_PEER_CERTIFICATE); - - if (verify_json) - { - snprintf(buf_verify, sizeof(buf), "%s", json_boolean_value(verify_json) ? "true" : "false"); - verify = buf_verify; - } - - if (!runtime_enable_server_ssl(server, key, cert, ca, version, depth, verify)) - { - config_runtime_error("Failed to initialize SSL for server '%s'. See " - "error log for more details.", - server->name()); - rval = false; - } - } - else - { - rval = false; - } - } - - return rval; -} - bool runtime_create_server_from_json(json_t* json) { bool rval = false; diff --git a/server/core/internal/config_runtime.hh b/server/core/internal/config_runtime.hh index f720cd279..f4db4132b 100644 --- a/server/core/internal/config_runtime.hh +++ b/server/core/internal/config_runtime.hh @@ -109,32 +109,6 @@ bool runtime_unlink_server(Server* server, const char* target); */ bool runtime_alter_server(Server* server, const char* key, const char* value); -/** - * @brief Enable SSL for a server - * - * The @c key , @c cert and @c ca parameters are required. @c version and @c depth - * are optional. - * - * @note SSL cannot be disabled at runtime. - * - * @param server Server to configure - * @param key Path to SSL private key - * @param cert Path to SSL public certificate - * @param ca Path to certificate authority - * @param version Required SSL Version - * @param depth Certificate verification depth - * @param verify Verify peer certificate - * - * @return True if SSL was successfully enabled - */ -bool runtime_enable_server_ssl(Server* server, - const char* key, - const char* cert, - const char* ca, - const char* version, - const char* depth, - const char* verify); - /** * @brief Alter monitor parameters * diff --git a/server/modules/routing/cli/debugcmd.cc b/server/modules/routing/cli/debugcmd.cc index b70146720..e511fcc15 100644 --- a/server/modules/routing/cli/debugcmd.cc +++ b/server/modules/routing/cli/debugcmd.cc @@ -1491,13 +1491,6 @@ static void alterServer(DCB* dcb, Server* server, char* values[] = {v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12, v13}; const int items = sizeof(values) / sizeof(values[0]); CONFIG_CONTEXT* obj = NULL; - char* ssl_key = NULL; - char* ssl_cert = NULL; - char* ssl_ca = NULL; - char* ssl_version = NULL; - char* ssl_depth = NULL; - char* ssl_verify = NULL; - bool enable = false; for (int i = 0; i < items && values[i]; i++) { @@ -1508,39 +1501,7 @@ static void alterServer(DCB* dcb, Server* server, { *value++ = '\0'; - if (config_is_ssl_parameter(key)) - { - if (strcmp("ssl_cert", key) == 0) - { - ssl_cert = value; - } - else if (strcmp("ssl_ca_cert", key) == 0) - { - ssl_ca = value; - } - else if (strcmp("ssl_key", key) == 0) - { - ssl_key = value; - } - else if (strcmp("ssl_version", key) == 0) - { - ssl_version = value; - } - else if (strcmp("ssl_cert_verify_depth", key) == 0) - { - ssl_depth = value; - } - else if (strcmp("ssl_verify_peer_certificate", key) == 0) - { - ssl_verify = value; - } - else - { - enable = strcmp("ssl", key) == 0 && strcmp(value, "required") == 0; - /** Must be 'ssl' */ - } - } - else if (!runtime_alter_server(server, key, value)) + if (!runtime_alter_server(server, key, value)) { dcb_printf(dcb, "Error: Bad key-value parameter: %s=%s\n", key, value); } @@ -1550,33 +1511,6 @@ static void alterServer(DCB* dcb, Server* server, dcb_printf(dcb, "Error: not a key-value parameter: %s\n", values[i]); } } - - if (enable || ssl_ca) - { - if (enable && ssl_ca) - { - /** We have SSL parameters, try to process them */ - if (!runtime_enable_server_ssl(server, - ssl_key, - ssl_cert, - ssl_ca, - ssl_version, - ssl_depth, - ssl_verify)) - { - dcb_printf(dcb, - "Enabling SSL for server '%s' failed, see log " - "for more details.\n", - server->name()); - } - } - else - { - dcb_printf(dcb, - "Error: SSL configuration requires the following parameters:\n" - "ssl=required ssl_ca_cert=PATH\n"); - } - } } static void alterMonitor(DCB* dcb,