Merge branch '2.3' into 2.4

2019-11-29 16:41:07 +02:00 · 2019-11-29 16:41:07 +02:00 · 7a5e50f980
commit 7a5e50f980
parent 521c75505b cd9b82ba09
3 changed files with 11 additions and 6 deletions
--- a/Documentation/Getting-Started/Configuration-Guide.md
+++ b/Documentation/Getting-Started/Configuration-Guide.md
@ -2022,10 +2022,14 @@ This parameter controls the level of encryption used. Accepted values are:
 * TLSv10
 * TLSv11
 * TLSv12
+ * TLSv13
 * MAX

-The default is to use the highest level of encryption available. For OpenSSL 1.0
-and newer this is TLSv1.2.
+The default is to use the highest level of encryption available that both the
+client and server support. MaxScale supports TLSv1.0, TLSv1.1, TLSv1.2 and
+TLSv1.3 depending on the OpenSSL library version.
+
+The `TLSv13` value was added in MaxScale 2.3.15 ([MXS-2762](https://jira.mariadb.org/browse/MXS-2762)).

 ### `ssl_cert_verify_depth`

--- a/server/core/ssl.cc
+++ b/server/core/ssl.cc
@ -245,7 +245,7 @@ bool SSLContext::init()


    case SERVICE_TLS11:
-#ifdef OPENSSL_1_0
+#if defined (OPENSSL_1_0) || defined (OPENSSL_1_1)
        m_method = (SSL_METHOD*)TLSv1_1_method();
 #else
        MXS_ERROR("TLSv1.1 is not supported on this system.");
@ -254,7 +254,7 @@ bool SSLContext::init()
        break;

    case SERVICE_TLS12:
-#ifdef OPENSSL_1_0
+#if defined (OPENSSL_1_0) || defined (OPENSSL_1_1)
        m_method = (SSL_METHOD*)TLSv1_2_method();
 #else
        MXS_ERROR("TLSv1.2 is not supported on this system.");
@ -340,7 +340,7 @@ bool SSLContext::init()
    /* Load the CA certificate into the SSL_CTX structure */
    if (!SSL_CTX_load_verify_locations(m_ctx, m_cfg.ca.c_str(), NULL))
    {
-        MXS_ERROR("Failed to set Certificate Authority file");
+        MXS_ERROR("Failed to set Certificate Authority file: %s", get_ssl_errors());
        return false;
    }

--- a/server/modules/authenticator/MariaDBAuth/dbusers.cc
+++ b/server/modules/authenticator/MariaDBAuth/dbusers.cc
@ -77,7 +77,7 @@ const char* mariadb_102_users_query =
    "), users AS ("
    // Select the root row, the actual user
    "  SELECT t.user, t.host, t.db, t.select_priv, t.password, t.default_role AS role FROM t"
-    "  WHERE t.is_role <> 'Y'"
+    "  WHERE t.is_role = 'N'"
    "  UNION"
    // Recursively select all roles for the users
    "  SELECT u.user, u.host, t.db, t.select_priv, u.password, r.role FROM t"
@ -85,6 +85,7 @@ const char* mariadb_102_users_query =
    "  ON (t.user = u.role)"
    "  LEFT JOIN mysql.roles_mapping AS r"
    "  ON (t.user = r.user)"
+    "  WHERE t.is_role = 'Y'"
    ")"
    "SELECT DISTINCT t.user, t.host, t.db, t.select_priv, t.password FROM users AS t %s";