Added SSL level configuration to services.

2015-06-02 17:00:39 +03:00 · 2015-06-02 17:00:39 +03:00 · 57060cafec
commit 57060cafec
parent a5de4fc503
5 changed files with 124 additions and 6 deletions
--- a/Documentation/Getting-Started/Configuration-Guide.md
+++ b/Documentation/Getting-Started/Configuration-Guide.md
@ -326,6 +326,54 @@ Example:
 connection_timeout=300
 ```

+### Service and SSL
+
+This section describes configuration parameters for services that control the SSL/TLS encrption method and the various certificate files involved in it. To enable SSL, you must configure the `ssl` parameter with either `enabled` or `required` and provide the three files for `ssl_cert`, `ssl_key` and `ssl_ca_cert`. After this, MySQL connections to this service can be encrypted with SSL.
+
+#### `ssl`
+
+This enables SSL connections to the service. If this parameter is set to either `required` or `enabled` and the three certificate files can be found (these are explained afterwards), then client connections will be encrypted with SSL. If the parameter is `enabled` then both SSL and non-SSL connections can connect to this service. If the parameter is set to `required` then only SSL connections can be used for this service and non-SSL connections will get an error when they try to connect to the service.
+
+#### `ssl_key`
+
+The SSL private key the service should use. This will be the private key that is used as the server side private key during a client-server SSL handshake. This is a required parameter for SSL enabled services.
+
+#### `ssl_cert`
+
+The SSL certificate the service should use. This will be the public certificate that is used as the server side certificate during a client-server SSL handshake. This is a required parameter for SSL enabled services.
+
+#### `ssl_ca_cert`
+
+This is the Certificate Authority file. It will be used to verify that both the client and the server certificates are valid. This is a required parameter for SSL enabled services.
+
+### `ssl_version`
+
+This parameter controls the level of encryption used. Accepted values are:
+ * SSLv2
+ * SSLv3
+ * TLSv10
+ * TLSv11
+ * TLSv12
+ * MAX   
+
+Example SSL enabled service configuration:
+
+```
+[ReadWriteSplitService]
+type=service
+router=readwritesplit
+servers=server1,server2,server3
+user=myuser
+passwd=mypasswd
+ssl=required
+ssl_cert=/home/markus/certs/server-cert.pem
+ssl_key=/home/markus/certs/server-key.pem
+ssl_ca_cert=/home/markus/certs/ca.pem
+ssl_version=TLSv12
+```
+
+This configuration requires all connections to be encryped with SSL. It also specifies that TLSv1.2 should be used as the encryption method. The paths to the server certificate files and the Certificate Authority file are also provided.
+
 ### Server

 Server sections are used to define the backend database servers that can be formed into a service. A server may be a member of one or more services within MaxScale. Servers are identified by a server name which is the section name in the configuration file. Servers have a type parameter of server, plus address port and protocol parameters.
--- a/Documentation/Reference/MaxScale-and-SSL.md
+++ b/Documentation/Reference/MaxScale-and-SSL.md
@ -5,9 +5,10 @@ MaxScale supports client side SSL connections. Enabling is done on a per service
 ## SSL Options

 Here are the options which relate to SSL and certificates.
-Parameter|Values|Description
+Parameter|Values     |Description
 ---------|-----------|--------
 ssl         | disabled, enabled, required |`disable` disables SSL, `enabled` enables SSL for client connections but still allows non-SSL connections and `required` requires SSL from all client connections. With the `required` option, client connections that do not use SSL will be rejected.
 ssl_cert    | <path to file>              |Path to server certificate
 ssl_key     | <path to file>              |Path to server private key
 ssl_ca_cert | <path to file>              |Path to Certificate Authority file
+ssl_version|SSLV2,SSLV3,TLSV10,TLSV11,TLSV12,MAX| The SSL method level,  defaults to highest available encryption level which is TLSv1.2
--- a/server/core/config.c
+++ b/server/core/config.c
@ -345,7 +345,7 @@ hashtable_memory_fns(monitorhash,strdup,NULL,free,NULL);
 				char *weightby;
 				char *version_string;
 				char *subservices;
-				char *ssl,*ssl_cert,*ssl_key,*ssl_ca_cert;
+				char *ssl,*ssl_cert,*ssl_key,*ssl_ca_cert,*ssl_version;
 				bool  is_rwsplit = false;
 				bool  is_schemarouter = false;
 				char *allow_localhost_match_wildcard_host;
@ -358,6 +358,7 @@ hashtable_memory_fns(monitorhash,strdup,NULL,free,NULL);
 				ssl_cert = config_get_value(obj->parameters, "ssl_cert");
 				ssl_key = config_get_value(obj->parameters, "ssl_key");
 				ssl_ca_cert = config_get_value(obj->parameters, "ssl_ca_cert");
+				ssl_version = config_get_value(obj->parameters, "ssl_version");
 				enable_root_user = config_get_value(
 							obj->parameters, 
 							"enable_root_user");
@ -474,6 +475,10 @@ hashtable_memory_fns(monitorhash,strdup,NULL,free,NULL);
 					else
 					{
 					    serviceSetCertificates(obj->element,ssl_cert,ssl_key,ssl_ca_cert);
+					    if(ssl_version)
+					    {
+						serviceSetSSLVersion(obj->element,ssl_version);
+					    }
 					}
 				    }
 				    else
@ -1381,7 +1386,7 @@ int i;
        }
 	else if (strcmp(name, "ms_timestamp") == 0)
 	{
-		skygw_set_highp(config_truth_value(value));
+		skygw_set_highp(config_truth_value((char*)value));
 	}
 	else
 	{
@ -1389,7 +1394,7 @@ int i;
 		{
 			if (strcasecmp(name, lognames[i].logname) == 0)
 			{
-				if (config_truth_value(value))
+				if (config_truth_value((char*)value))
 					skygw_log_enable(lognames[i].logfile);
 				else
 					skygw_log_disable(lognames[i].logfile);
@ -1967,6 +1972,11 @@ static char *service_params[] =
                "version_string",
                "filters",
                "weightby",
+		"ssl_cert",
+		"ssl_ca_cert",
+		"ssl",
+		"ssl_key",
+		"ssl_version",
                NULL
        };

--- a/server/core/service.c
+++ b/server/core/service.c
@ -141,7 +141,8 @@ SERVICE 	*service;
 	service->ssl_ca_cert = NULL;
 	service->ssl_cert = NULL;
 	service->ssl_key = NULL;
-
+	/** Use the highest possible SSL/TLS methods available */
+	service->ssl_method_type = SERVICE_SSL_TLS_MAX;
 	if (service->name == NULL || service->routerModule == NULL)
 	{
 		if (service->name)
@ -868,6 +869,22 @@ serviceSetCertificates(SERVICE *service, char* cert,char* key, char* ca_cert)
    service->ssl_ca_cert = strdup(ca_cert);
 }

+void
+serviceSetSSLVersion(SERVICE *service, char* version)
+{
+    if(strcasecmp(version,"SSLV2") == 0)
+	service->ssl_method_type = SERVICE_SSLV2;
+    else if(strcasecmp(version,"SSLV3") == 0)
+	service->ssl_method_type = SERVICE_SSLV3;
+    else if(strcasecmp(version,"TLSV10") == 0)
+	service->ssl_method_type = SERVICE_TLS10;
+    else if(strcasecmp(version,"TLSV11") == 0)
+	service->ssl_method_type = SERVICE_TLS11;
+    else if(strcasecmp(version,"TLSV12") == 0)
+	service->ssl_method_type = SERVICE_TLS12;
+    else if(strcasecmp(version,"MAX") == 0)
+	service->ssl_method_type = SERVICE_SSL_TLS_MAX;
+}
 /** Enable or disable the service SSL capability*/
 int
 serviceSetSSL(SERVICE *service, char* action)
@ -1816,7 +1833,37 @@ int serviceInitSSL(SERVICE* service)
 {
    if(!service->ssl_init_done)
    {
-	service->method = (SSL_METHOD*)SSLv23_server_method();
+	switch(service->ssl_method_type)
+	{
+	case SERVICE_SSLV2:
+	    service->method = (SSL_METHOD*)SSLv2_server_method();
+	    break;
+	case SERVICE_SSLV3:
+	    service->method = (SSL_METHOD*)SSLv3_server_method();
+	    break;
+	case SERVICE_TLS10:
+	    service->method = (SSL_METHOD*)TLSv1_server_method();
+	    break;
+	case SERVICE_TLS11:
+	    service->method = (SSL_METHOD*)TLSv1_1_server_method();
+	    break;
+	case SERVICE_TLS12:
+	    service->method = (SSL_METHOD*)TLSv1_2_server_method();
+	    break;
+	case SERVICE_SSL_MAX:
+	    service->method = (SSL_METHOD*)SSLv23_server_method();
+	    break;
+	case SERVICE_TLS_MAX:
+	    service->method = (SSL_METHOD*)SSLv23_server_method();
+	    break;
+	case SERVICE_SSL_TLS_MAX:
+	    service->method = (SSL_METHOD*)SSLv23_server_method();
+	    break;
+	default:
+	    service->method = (SSL_METHOD*)SSLv23_server_method();
+	    break;
+	}
+
 	service->ctx = SSL_CTX_new(service->method);
 	SSL_CTX_set_read_ahead(service->ctx,1);
 	if (SSL_CTX_use_certificate_file(service->ctx, service->ssl_cert, SSL_FILETYPE_PEM) <= 0) {
--- a/server/include/service.h
+++ b/server/include/service.h
@ -113,6 +113,17 @@ typedef enum {
  SSL_REQUIRED
 } ssl_mode_t;

+enum{
+  SERVICE_SSLV2,
+  SERVICE_SSLV3,
+  SERVICE_TLS10,
+  SERVICE_TLS11,
+  SERVICE_TLS12,
+  SERVICE_SSL_MAX,
+  SERVICE_TLS_MAX,
+  SERVICE_SSL_TLS_MAX
+};
+
 /**
 * Defines a service within the gateway.
 *
@ -164,6 +175,7 @@ typedef struct service {
        SSL            *ssl;
        SSL_METHOD      *method;                           /*<  SSLv2/3 or TLSv1/2 methods
                                                           * see: https://www.openssl.org/docs/ssl/SSL_CTX_new.html */
+        int ssl_method_type; /*< Which of the SSLv2/3 or TLS1.0/1.1/1.2 methods to use */
        char* ssl_cert;
        char* ssl_key;
        char* ssl_ca_cert;