MXS-2650 Fix SSL-use with Connector-C

Authenticators and monitors now use SSL when configured. The fix has two parts:
1) Removed the extra SSLConfig inside SSLProvider, as SSLContext already contains
the config.
2) When passing parameter values to mysql_ssl_set(), empty strings are converted
to null pointers, as the function expects a null pointer for an unused value.
Esa Korhonen 2019-08-28 15:37:23 +03:00
parent 96e81a6b59
commit 68f3b235e1
6 changed files with 31 additions and 29 deletions


@ -77,6 +77,9 @@ struct SSLConfig
return ca.empty();
}
// Convert to human readable string representation
std::string to_string() const;
std::string key; /**< SSL private key */
std::string cert; /**< SSL certificate */
std::string ca; /**< SSL CA certificate */
@ -144,20 +147,16 @@ public:
return m_context.get();
}
// Current configuration
const mxs::SSLConfig& config() const;
// Current configuration, or null if none is set.
const mxs::SSLConfig* config() const;
// The context or nullptr if no context is set
mxs::SSLContext* context() const;
// Convert to human readable string representation
std::string to_string() const;
// NOTE: Do not use this, required by binlogrouter
void set_context(std::unique_ptr<mxs::SSLContext> ssl);
private:
std::unique_ptr<mxs::SSLContext> m_context; /**< SSL context */
mxs::SSLConfig m_config; /**< SSL configuration */
};
}
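Review bot: The new comment on `config()` states when the result is null but not how long the returned pointer stays valid; as implemented elsewhere in this commit it points into the owned `m_context`, and `set_context()` replaces that object, so a caller that keeps the pointer across `set_context()` (which the note says binlogrouter uses) would be left with a dangling pointer. Suggest `// Current configuration, or null if none is set. Points into the owned context and is invalidated by set_context().` The enclosing class SSLProvider begins outside this hunk.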


@ -36,10 +36,14 @@
MYSQL* mxs_mysql_real_connect(MYSQL* con, SERVER* server, const char* user, const char* passwd)
{
auto ssl = server->ssl().config();
if (!ssl.empty())
bool have_ssl = ssl && !ssl->empty();
if (have_ssl)
{
mysql_ssl_set(con, ssl.key.c_str(), ssl.cert.c_str(), ssl.ca.c_str(), NULL, NULL);
// If an option is empty, a null-pointer should be given to mysql_ssl_set.
const char* ssl_key = ssl->key.empty() ? nullptr : ssl->key.c_str();
const char* ssl_cert = ssl->cert.empty() ? nullptr : ssl->cert.c_str();
const char* ssl_ca = ssl->ca.empty() ? nullptr : ssl->ca.c_str();
mysql_ssl_set(con, ssl_key, ssl_cert, ssl_ca, NULL, NULL);
}
char yes = 1;
@ -84,7 +88,7 @@ MYSQL* mxs_mysql_real_connect(MYSQL* con, SERVER* server, const char* user, cons
mysql_get_character_set_info(mysql, &cs_info);
server->charset = cs_info.number;
if (!ssl.empty() && mysql_get_ssl_cipher(con) == NULL)
if (have_ssl && mysql_get_ssl_cipher(con) == NULL)
{
if (server->warn_ssl_not_enabled)
{
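Review bot: The `mysql_ssl_set()` call only hands the connector the key, certificate and CA; the config also carries `verify_peer` and `verify_depth` (printed by `SSLConfig::to_string` in this commit), and nothing in this hunk applies them to `con`. Unless it is done outside the hunk, server-certificate/hostname verification for monitor and authenticator connections is left to the connector's defaults rather than the configured `verify_peer`; in Connector/C that is normally set via `my_bool verify = ssl->verify_peer;` followed by `mysql_options(con, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);` (field type to be confirmed). Note also that the second hunk only warns when `mysql_get_ssl_cipher()` is null, so what happens to a connection that silently came up in plaintext depends on code after this hunk. `mxs_mysql_real_connect` continues outside the hunk.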


@ -527,7 +527,7 @@ void Server::print_to_dcb(DCB* dcb) const
}
if (server->ssl().enabled())
{
dcb_printf(dcb, "%s", server->ssl().to_string().c_str());
dcb_printf(dcb, "%s", server->ssl().config()->to_string().c_str());
}
if (server->proxy_protocol)
{
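Review bot: `server->ssl().config()->to_string()` dereferences the pointer that `config()` now returns without checking it, so this is correct only if `enabled()` guarantees that a context is set, which is not visible here. A form that does not depend on that invariant: `if (const auto* cfg = server->ssl().config())` with `dcb_printf(dcb, "%s", cfg->to_string().c_str());` in the body. `Server::print_to_dcb` starts and ends outside this hunk.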


@ -374,29 +374,28 @@ mxs::SSLContext* SSLProvider::context() const
return m_context.get();
}
const mxs::SSLConfig& SSLProvider::config() const
const mxs::SSLConfig* SSLProvider::config() const
{
return m_config;
return m_context ? &(m_context->config()) : nullptr;
}
void SSLProvider::set_context(std::unique_ptr<mxs::SSLContext> ssl)
{
mxb_assert(ssl);
m_context = std::move(ssl);
m_config = m_context->config();
}
std::string SSLProvider::to_string() const
std::string SSLConfig::to_string() const
{
std::ostringstream ss;
ss << "\tSSL initialized: yes\n"
<< "\tSSL method type: " << ssl_method_type_to_string(m_config.version) << "\n"
<< "\tSSL certificate verification depth: " << m_config.verify_depth << "\n"
<< "\tSSL peer verification : " << (m_config.verify_peer ? "true" : "false") << "\n"
<< "\tSSL certificate: " << m_config.cert << "\n"
<< "\tSSL key: " << m_config.key << "\n"
<< "\tSSL CA certificate: " << m_config.ca << "\n";
<< "\tSSL method type: " << ssl_method_type_to_string(version) << "\n"
<< "\tSSL certificate verification depth: " << verify_depth << "\n"
<< "\tSSL peer verification : " << (verify_peer ? "true" : "false") << "\n"
<< "\tSSL certificate: " << cert << "\n"
<< "\tSSL key: " << key << "\n"
<< "\tSSL CA certificate: " << ca << "\n";
return ss.str();
}
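Review bot: `SSLProvider::config()` now returns `&m_context->config()`, and `set_context()` replaces `m_context`, so a pointer obtained before `set_context()` dangles afterwards; the header comment should say so since the caller of `set_context()` (binlogrouter per the header note) is also a user of `config()`. Suggest a comment above the definition: `// The returned pointer is owned by m_context and becomes invalid when set_context() replaces it.` Separately, `mxb_assert(ssl)` only fires in debug builds; in release a null argument is stored and `config()`/`context()` then report "no SSL", which may be acceptable but is worth a one-line comment.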


@ -1481,7 +1481,7 @@ static void diagnostics(MXS_ROUTER* router, DCB* dcb)
if (ssl.enabled())
{
dcb_printf(dcb, "%s", ssl.to_string().c_str());
dcb_printf(dcb, "%s", ssl.config()->to_string().c_str());
}
/* Binlog Encryption options */
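Review bot: `ssl.config()->to_string()` assumes `config()` is non-null whenever `ssl.enabled()` is true; that invariant is not visible in this hunk and `config()` is documented to return null when no context is set. Guarding on the pointer itself is cheaper than relying on it: `if (const auto* cfg = ssl.config())` then `dcb_printf(dcb, "%s", cfg->to_string().c_str());`. The `ssl` variable and the enclosing `diagnostics` function are defined outside this hunk.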


@ -4852,24 +4852,24 @@ static void blr_master_get_config(ROUTER_INSTANCE* router, MasterServerConfig* c
/* SSL options */
auto server_ssl = router->service->dbref->server->ssl().config();
if (!server_ssl.empty())
if (server_ssl && !server_ssl->empty())
{
curr_master->ssl_enabled = router->ssl_enabled;
if (router->ssl_version)
{
curr_master->ssl_version = router->ssl_version;
}
if (!server_ssl.key.empty())
if (!server_ssl->key.empty())
{
curr_master->ssl_key = server_ssl.key;
curr_master->ssl_key = server_ssl->key;
}
if (!server_ssl.cert.empty())
if (!server_ssl->cert.empty())
{
curr_master->ssl_cert = server_ssl.cert;
curr_master->ssl_cert = server_ssl->cert;
}
if (!server_ssl.ca.empty())
if (!server_ssl->ca.empty())
{
curr_master->ssl_ca = server_ssl.ca;
curr_master->ssl_ca = server_ssl->ca;
}
}
/* Connect options */
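Review bot: The new guard `server_ssl && !server_ssl->empty()` relies on `SSLConfig::empty()`, which per the header hunk in this commit tests only `ca`; a server configured with a key and certificate but no CA therefore copies none of its SSL settings into `curr_master`, and `ssl_enabled` is left untouched. If that is intended, a comment such as `// SSLConfig::empty() means "no CA configured"; key/cert without a CA are ignored here` would save the next reader a trip to the header. `blr_master_get_config` starts and ends outside this hunk.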