hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MXS-1019: Make peer certificate verification configurable

Browse Source 
The new `ssl_verify_peer_certificate` parameter controls whether the peer
certificate is verified. This allows self-signed certificates to be
properly used with MaxScale.
This commit is contained in:
Markus Mäkelä
2017-11-14 13:21:40 +02:00
parent 925fff4abc
commit 63ae436bd5
7 changed files with 87 additions and 108 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
server/core/server.c
View File

@ -577,6 +577,7 @@ dprintServer(DCB *dcb, const SERVER *server)
dcb_printf(dcb, "\tSSL method type: %s\n",
ssl_method_type_to_string(l->ssl_method_type));
dcb_printf(dcb, "\tSSL certificate verification depth: %d\n", l->ssl_cert_verify_depth);
dcb_printf(dcb, "\tSSL peer verification : %s\n", l->ssl_verify_peer_certificate ? "true" : "false");
dcb_printf(dcb, "\tSSL certificate: %s\n",
l->ssl_cert ? l->ssl_cert : "null");
dcb_printf(dcb, "\tSSL key: %s\n",
@ -1167,57 +1168,7 @@ static bool create_server_config(const SERVER *server, const char *filename)
if (server->server_ssl)
{
dprintf(file, "ssl=required\n");
if (server->server_ssl->ssl_cert)
{
dprintf(file, "ssl_cert=%s\n", server->server_ssl->ssl_cert);
}
if (server->server_ssl->ssl_key)
{
dprintf(file, "ssl_key=%s\n", server->server_ssl->ssl_key);
}
if (server->server_ssl->ssl_ca_cert)
{
dprintf(file, "ssl_ca_cert=%s\n", server->server_ssl->ssl_ca_cert);
}
if (server->server_ssl->ssl_cert_verify_depth)
{
dprintf(file, "ssl_cert_verify_depth=%d\n", server->server_ssl->ssl_cert_verify_depth);
}
const char *version = NULL;
switch (server->server_ssl->ssl_method_type)
{
#ifndef OPENSSL_1_1
case SERVICE_TLS10:
version = "TLSV10";
break;
#endif
#ifdef OPENSSL_1_0
case SERVICE_TLS11:
version = "TLSV11";
break;
case SERVICE_TLS12:
version = "TLSV12";
break;
#endif
case SERVICE_SSL_TLS_MAX:
version = "MAX";
break;
default:
break;
}
if (version)
{
dprintf(file, "ssl_version=%s\n", version);
}
write_ssl_config(file, server->server_ssl);
}
close(file);