MXS-2650 Fix SSL-use with Connector-C
Authenticators and monitors now use SSL when configured. The fix has two parts: 1) Removed the extra SSLConfig inside SSLProvider, as SSLContext already contains the config. 2) When inputting parameter values to mysql_ssl_set(), empty strings are converted to NULL-pointers as the function expects those for unused values.
This commit is contained in:
Esa Korhonen
@ -77,6 +77,9 @@ struct SSLConfig
|
|||||||
return ca.empty();
|
return ca.empty();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Convert to human readable string representation
|
||||||
|
std::string to_string() const;
|
||||||
|
|
||||||
std::string key; /**< SSL private key */
|
std::string key; /**< SSL private key */
|
||||||
std::string cert; /**< SSL certificate */
|
std::string cert; /**< SSL certificate */
|
||||||
std::string ca; /**< SSL CA certificate */
|
std::string ca; /**< SSL CA certificate */
|
||||||
@ -144,20 +147,16 @@ public:
|
|||||||
return m_context.get();
|
return m_context.get();
|
||||||
}
|
}
|
||||||
|
|
||||||
// Current configuration
|
// Current configuration, or null if none is set.
|
||||||
const mxs::SSLConfig& config() const;
|
const mxs::SSLConfig* config() const;
|
||||||
|
|
||||||
// The context or nullptr if no context is set
|
// The context or nullptr if no context is set
|
||||||
mxs::SSLContext* context() const;
|
mxs::SSLContext* context() const;
|
||||||
|
|
||||||
// Convert to human readable string representation
|
|
||||||
std::string to_string() const;
|
|
||||||
|
|
||||||
// NOTE: Do not use this, required by binlogrouter
|
// NOTE: Do not use this, required by binlogrouter
|
||||||
void set_context(std::unique_ptr<mxs::SSLContext> ssl);
|
void set_context(std::unique_ptr<mxs::SSLContext> ssl);
|
||||||
|
|
||||||
private:
|
private:
|
||||||
std::unique_ptr<mxs::SSLContext> m_context; /**< SSL context */
|
std::unique_ptr<mxs::SSLContext> m_context; /**< SSL context */
|
||||||
mxs::SSLConfig m_config; /**< SSL configuration */
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|||||||
@ -36,10 +36,14 @@
|
|||||||
MYSQL* mxs_mysql_real_connect(MYSQL* con, SERVER* server, const char* user, const char* passwd)
|
MYSQL* mxs_mysql_real_connect(MYSQL* con, SERVER* server, const char* user, const char* passwd)
|
||||||
{
|
{
|
||||||
auto ssl = server->ssl().config();
|
auto ssl = server->ssl().config();
|
||||||
|
bool have_ssl = ssl && !ssl->empty();
|
||||||
if (!ssl.empty())
|
if (have_ssl)
|
||||||
{
|
{
|
||||||
mysql_ssl_set(con, ssl.key.c_str(), ssl.cert.c_str(), ssl.ca.c_str(), NULL, NULL);
|
// If an option is empty, a null-pointer should be given to mysql_ssl_set.
|
||||||
|
const char* ssl_key = ssl->key.empty() ? nullptr : ssl->key.c_str();
|
||||||
|
const char* ssl_cert = ssl->cert.empty() ? nullptr : ssl->cert.c_str();
|
||||||
|
const char* ssl_ca = ssl->ca.empty() ? nullptr : ssl->ca.c_str();
|
||||||
|
mysql_ssl_set(con, ssl_key, ssl_cert, ssl_ca, NULL, NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
char yes = 1;
|
char yes = 1;
|
||||||
@ -84,7 +88,7 @@ MYSQL* mxs_mysql_real_connect(MYSQL* con, SERVER* server, const char* user, cons
|
|||||||
mysql_get_character_set_info(mysql, &cs_info);
|
mysql_get_character_set_info(mysql, &cs_info);
|
||||||
server->charset = cs_info.number;
|
server->charset = cs_info.number;
|
||||||
|
|
||||||
if (!ssl.empty() && mysql_get_ssl_cipher(con) == NULL)
|
if (have_ssl && mysql_get_ssl_cipher(con) == NULL)
|
||||||
{
|
{
|
||||||
if (server->warn_ssl_not_enabled)
|
if (server->warn_ssl_not_enabled)
|
||||||
{
|
{
|
||||||
|
|||||||
@ -527,7 +527,7 @@ void Server::print_to_dcb(DCB* dcb) const
|
|||||||
}
|
}
|
||||||
if (server->ssl().enabled())
|
if (server->ssl().enabled())
|
||||||
{
|
{
|
||||||
dcb_printf(dcb, "%s", server->ssl().to_string().c_str());
|
dcb_printf(dcb, "%s", server->ssl().config()->to_string().c_str());
|
||||||
}
|
}
|
||||||
if (server->proxy_protocol)
|
if (server->proxy_protocol)
|
||||||
{
|
{
|
||||||
|
|||||||
@ -374,29 +374,28 @@ mxs::SSLContext* SSLProvider::context() const
|
|||||||
return m_context.get();
|
return m_context.get();
|
||||||
}
|
}
|
||||||
|
|
||||||
const mxs::SSLConfig& SSLProvider::config() const
|
const mxs::SSLConfig* SSLProvider::config() const
|
||||||
{
|
{
|
||||||
return m_config;
|
return m_context ? &(m_context->config()) : nullptr;
|
||||||
}
|
}
|
||||||
|
|
||||||
void SSLProvider::set_context(std::unique_ptr<mxs::SSLContext> ssl)
|
void SSLProvider::set_context(std::unique_ptr<mxs::SSLContext> ssl)
|
||||||
{
|
{
|
||||||
mxb_assert(ssl);
|
mxb_assert(ssl);
|
||||||
m_context = std::move(ssl);
|
m_context = std::move(ssl);
|
||||||
m_config = m_context->config();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
std::string SSLProvider::to_string() const
|
std::string SSLConfig::to_string() const
|
||||||
{
|
{
|
||||||
std::ostringstream ss;
|
std::ostringstream ss;
|
||||||
|
|
||||||
ss << "\tSSL initialized: yes\n"
|
ss << "\tSSL initialized: yes\n"
|
||||||
<< "\tSSL method type: " << ssl_method_type_to_string(m_config.version) << "\n"
|
<< "\tSSL method type: " << ssl_method_type_to_string(version) << "\n"
|
||||||
<< "\tSSL certificate verification depth: " << m_config.verify_depth << "\n"
|
<< "\tSSL certificate verification depth: " << verify_depth << "\n"
|
||||||
<< "\tSSL peer verification : " << (m_config.verify_peer ? "true" : "false") << "\n"
|
<< "\tSSL peer verification : " << (verify_peer ? "true" : "false") << "\n"
|
||||||
<< "\tSSL certificate: " << m_config.cert << "\n"
|
<< "\tSSL certificate: " << cert << "\n"
|
||||||
<< "\tSSL key: " << m_config.key << "\n"
|
<< "\tSSL key: " << key << "\n"
|
||||||
<< "\tSSL CA certificate: " << m_config.ca << "\n";
|
<< "\tSSL CA certificate: " << ca << "\n";
|
||||||
|
|
||||||
return ss.str();
|
return ss.str();
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1481,7 +1481,7 @@ static void diagnostics(MXS_ROUTER* router, DCB* dcb)
|
|||||||
|
|
||||||
if (ssl.enabled())
|
if (ssl.enabled())
|
||||||
{
|
{
|
||||||
dcb_printf(dcb, "%s", ssl.to_string().c_str());
|
dcb_printf(dcb, "%s", ssl.config()->to_string().c_str());
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Binlog Encryption options */
|
/* Binlog Encryption options */
|
||||||
|
|||||||
@ -4852,24 +4852,24 @@ static void blr_master_get_config(ROUTER_INSTANCE* router, MasterServerConfig* c
|
|||||||
/* SSL options */
|
/* SSL options */
|
||||||
auto server_ssl = router->service->dbref->server->ssl().config();
|
auto server_ssl = router->service->dbref->server->ssl().config();
|
||||||
|
|
||||||
if (!server_ssl.empty())
|
if (server_ssl && !server_ssl->empty())
|
||||||
{
|
{
|
||||||
curr_master->ssl_enabled = router->ssl_enabled;
|
curr_master->ssl_enabled = router->ssl_enabled;
|
||||||
if (router->ssl_version)
|
if (router->ssl_version)
|
||||||
{
|
{
|
||||||
curr_master->ssl_version = router->ssl_version;
|
curr_master->ssl_version = router->ssl_version;
|
||||||
}
|
}
|
||||||
if (!server_ssl.key.empty())
|
if (!server_ssl->key.empty())
|
||||||
{
|
{
|
||||||
curr_master->ssl_key = server_ssl.key;
|
curr_master->ssl_key = server_ssl->key;
|
||||||
}
|
}
|
||||||
if (!server_ssl.cert.empty())
|
if (!server_ssl->cert.empty())
|
||||||
{
|
{
|
||||||
curr_master->ssl_cert = server_ssl.cert;
|
curr_master->ssl_cert = server_ssl->cert;
|
||||||
}
|
}
|
||||||
if (!server_ssl.ca.empty())
|
if (!server_ssl->ca.empty())
|
||||||
{
|
{
|
||||||
curr_master->ssl_ca = server_ssl.ca;
|
curr_master->ssl_ca = server_ssl->ca;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
/* Connect options */
|
/* Connect options */
|
||||||
|
|||||||
Reference in New Issue
Block a user