Merge branch '2.3' of github.com:mariadb-corporation/MaxScale into 2.3

2019-11-30 22:35:47 +02:00
parent 99d1ecd472 cd9b82ba09
commit 5ae2d02215
4 changed files with 13 additions and 8 deletions
--- a/Documentation/Getting-Started/Configuration-Guide.md
+++ b/Documentation/Getting-Started/Configuration-Guide.md
@ -1852,10 +1852,14 @@ This parameter controls the level of encryption used. Accepted values are:
 * TLSv10
 * TLSv11
 * TLSv12
+ * TLSv13
 * MAX

-The default is to use the highest level of encryption available. For OpenSSL 1.0
-and newer this is TLSv1.2.
+The default is to use the highest level of encryption available that both the
+client and server support. MaxScale supports TLSv1.0, TLSv1.1, TLSv1.2 and
+TLSv1.3 depending on the OpenSSL library version.
+
+The `TLSv13` value was added in MaxScale 2.3.15 ([MXS-2762](https://jira.mariadb.org/browse/MXS-2762)).

 ### `ssl_cert_verify_depth`

--- a/server/core/listener.cc
+++ b/server/core/listener.cc
@ -288,7 +288,7 @@ bool SSL_LISTENER_init(SSL_LISTENER* ssl)


    case SERVICE_TLS11:
-#ifdef OPENSSL_1_0
+#if defined (OPENSSL_1_0) || defined (OPENSSL_1_1)
        ssl->method = (SSL_METHOD*)TLSv1_1_method();
 #else
        MXS_ERROR("TLSv1.1 is not supported on this system.");
@ -297,7 +297,7 @@ bool SSL_LISTENER_init(SSL_LISTENER* ssl)
        break;

    case SERVICE_TLS12:
-#ifdef OPENSSL_1_0
+#if defined (OPENSSL_1_0) || defined (OPENSSL_1_1)
        ssl->method = (SSL_METHOD*)TLSv1_2_method();
 #else
        MXS_ERROR("TLSv1.2 is not supported on this system.");
@ -383,7 +383,7 @@ bool SSL_LISTENER_init(SSL_LISTENER* ssl)
    /* Load the CA certificate into the SSL_CTX structure */
    if (!SSL_CTX_load_verify_locations(ctx, ssl->ssl_ca_cert, NULL))
    {
-        MXS_ERROR("Failed to set Certificate Authority file");
+        MXS_ERROR("Failed to set Certificate Authority file: %s", get_ssl_errors());
        rval = false;
    }

--- a/server/core/routingworker.cc
+++ b/server/core/routingworker.cc
@ -453,9 +453,9 @@ RoutingWorker* RoutingWorker::get(int worker_id)
        worker_id = this_unit.id_main_worker;
    }

-    mxb_assert((worker_id >= this_unit.id_min_worker) && (worker_id <= this_unit.id_max_worker));
+    bool valid = (worker_id >= this_unit.id_min_worker && worker_id <= this_unit.id_max_worker);

-    return this_unit.ppWorkers[worker_id];
+    return valid ? this_unit.ppWorkers[worker_id] : nullptr;
 }

 RoutingWorker* RoutingWorker::get_current()
--- a/server/modules/authenticator/MySQLAuth/dbusers.cc
+++ b/server/modules/authenticator/MySQLAuth/dbusers.cc
@ -77,7 +77,7 @@ const char* mariadb_102_users_query =
    "), users AS ("
    // Select the root row, the actual user
    "  SELECT t.user, t.host, t.db, t.select_priv, t.password, t.default_role AS role FROM t"
-    "  WHERE t.is_role <> 'Y'"
+    "  WHERE t.is_role = 'N'"
    "  UNION"
    // Recursively select all roles for the users
    "  SELECT u.user, u.host, t.db, t.select_priv, u.password, r.role FROM t"
@ -85,6 +85,7 @@ const char* mariadb_102_users_query =
    "  ON (t.user = u.role)"
    "  LEFT JOIN mysql.roles_mapping AS r"
    "  ON (t.user = r.user)"
+    "  WHERE t.is_role = 'Y'"
    ")"
    "SELECT DISTINCT t.user, t.host, t.db, t.select_priv, t.password FROM users AS t %s";