From 96d9c47016a7f4d1629e36d8bdb7ade7730fb80f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Fri, 1 Dec 2017 03:50:57 +0200
Subject: [PATCH] MXS-1553: Enforce SSL usage for monitors

If a server is configured to use SSL, then MaxScale should respect the configuration and refuse to use a connection that is not encrypted.
---
include/maxscale/server.h | 4 ++++
server/core/mysql_utils.c | 13 +++++++++++++
server/core/server.c | 3 +++
3 files changed, 20 insertions(+)

diff --git a/include/maxscale/server.h b/include/maxscale/server.h
index 2fb6e4e77..0ecdac470 100644
--- a/include/maxscale/server.h
+++ b/include/maxscale/server.h
@@ -96,6 +96,10 @@ typedef struct server
 uint8_t charset; /**< Default server character set */
 bool is_active; /**< Server is active and has not been "destroyed" */
 bool created_online; /**< Whether this server was created after startup */
+ struct
+ {
+ bool ssl_not_enabled; /**< SSL not used for an SSL enabled server */
+ } log_warning; /**< Whether a specific warning was logged */
 #if defined(SS_DEBUG)
 skygw_chk_t server_chk_tail;
 #endif
diff --git a/server/core/mysql_utils.c b/server/core/mysql_utils.c
index c7a4b66b3..ac467d602 100644
--- a/server/core/mysql_utils.c
+++ b/server/core/mysql_utils.c
@@ -171,6 +171,19 @@ MYSQL *mxs_mysql_real_connect(MYSQL *con, SERVER *server, const char *user, cons
 MY_CHARSET_INFO cs_info;
 mysql_get_character_set_info(mysql, &cs_info);
 server->charset = cs_info.number;
+
+ if (listener && mysql_get_ssl_cipher(con) == NULL)
+ {
+ if (server->log_warning.ssl_not_enabled)
+ {
+ server->log_warning.ssl_not_enabled = false;
+ MXS_ERROR("An encrypted connection to '%s' could not be created, " "ensure that TLS is enabled on the target server.", server->unique_name);
+ }
+ // Don't close the connection as it is closed elsewhere, just set to NULL
+ mysql = NULL;
+ }
 }
 return mysql;
diff --git a/server/core/server.c b/server/core/server.c
index 744e0d931..d6db003de 100644
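Review bot: The doc comment on the new `log_warning` member states the opposite of what the value means: `ssl_not_enabled` is true while the warning is still pending and is cleared to false once the warning has been emitted, so "Whether a specific warning was logged" inverts the sense of the flag for the next reader. Suggest `} log_warning; /**< Warnings still to be logged; each flag is cleared once its message has been emitted */` and on the member `/**< TLS is configured for this server but the connection came up unencrypted; true until logged */`. The `struct server` definition starts and ends outside the hunk.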
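Review bot: The new block in mxs_mysql_real_connect clears `ssl_not_enabled` on the first unencrypted connection and nothing ever sets it again, so after that single MXS_ERROR every later rejected connection to the same server (a monitor retries every interval) fails closed silently, and a regression months later leaves no trace in the log. Re-arm the flag whenever an encrypted connection is actually established, e.g. an `else if (listener) { server->log_warning.ssl_not_enabled = true; }` branch after the new `if`, which still yields one message per outage rather than one per connect. A smaller style point: the cipher is read from `con` while every other call in this block uses `mysql`; on success they appear to be the same handle, but `mysql_get_ssl_cipher(mysql)` would make that visible. The meaning of `listener` (presumably the server's TLS configuration) and the caller-side close the comment relies on are outside the hunk, as is the rest of the function.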
--- a/server/core/server.c
+++ b/server/core/server.c
@@ -140,6 +140,9 @@ SERVER* server_alloc(const char *name, const char *address, unsigned short port,
 server->created_online = false;
 server->charset = SERVER_DEFAULT_CHARSET;
+ // Log all warnings once
+ memset(&server->log_warning, 1, sizeof(server->log_warning));
+
 spinlock_acquire(&server_spin);
 server->next = allServers;
 allServers = server;
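Review bot: `memset(&server->log_warning, 1, sizeof(server->log_warning))` only arms the warnings because every member of the anonymous struct happens to be a `bool` that reads the byte 0x01 as true; the first counter, timestamp or enum added to `log_warning` will be silently initialised to a 0x0101… pattern and the intent stays hidden behind a byte fill. Initialising the member by name is as short and self-describing: `server->log_warning.ssl_not_enabled = true; // warn once per server until re-armed`. If more flags are expected, a comment stating that every member must remain a `bool` for the memset to be valid is the minimum. server_alloc starts and ends outside the hunk.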