Merge branch '2.2' into develop
This commit is contained in:
Markus Mäkelä
commit
96ed651466
1336
maxctrl/package-lock.json
generated
1336
maxctrl/package-lock.json
generated
File diff suppressed because it is too large
Load Diff
@ -27,8 +27,8 @@
|
||||
"devDependencies": {
|
||||
"chai": "^3.5.0",
|
||||
"chai-as-promised": "^6.0.0",
|
||||
"mocha": "^3.3.0",
|
||||
"nyc": "^11.0.3",
|
||||
"mocha": "^3.5.3",
|
||||
"nyc": "^11.9.0",
|
||||
"strip-ansi": "^4.0.0"
|
||||
},
|
||||
"nyc": {
|
||||
|
||||
@ -2046,7 +2046,7 @@ free_ssl_structure(SSL_LISTENER *ssl)
|
||||
* @param *error_count An error count which may be incremented
|
||||
* @return SSL_LISTENER structure or NULL
|
||||
*/
|
||||
SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *error_count)
|
||||
SSL_LISTENER* make_ssl_structure(CONFIG_CONTEXT *obj, bool require_cert, int *error_count)
|
||||
{
|
||||
char *ssl, *ssl_version, *ssl_cert, *ssl_key, *ssl_ca_cert, *ssl_cert_verify_depth;
|
||||
int local_errors = 0;
|
||||
@ -2073,26 +2073,20 @@ SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *e
|
||||
new_ssl->ssl_cert_verify_depth = 9; // Default of 9 as per Linux man page
|
||||
new_ssl->ssl_verify_peer_certificate = true;
|
||||
|
||||
if (ssl_version)
|
||||
if (ssl_version && listener_set_ssl_version(new_ssl, ssl_version) != 0)
|
||||
{
|
||||
if (listener_set_ssl_version(new_ssl, ssl_version) != 0)
|
||||
{
|
||||
MXS_ERROR("Unknown parameter value for 'ssl_version' for"
|
||||
" service '%s': %s", obj->object, ssl_version);
|
||||
local_errors++;
|
||||
}
|
||||
MXS_ERROR("Unknown parameter value for 'ssl_version' for '%s': %s",
|
||||
obj->object, ssl_version);
|
||||
local_errors++;
|
||||
}
|
||||
|
||||
if (ssl_cert_verify_depth)
|
||||
if (ssl_cert_verify_depth &&
|
||||
(new_ssl->ssl_cert_verify_depth = atoi(ssl_cert_verify_depth)) < 0)
|
||||
{
|
||||
new_ssl->ssl_cert_verify_depth = atoi(ssl_cert_verify_depth);
|
||||
if (new_ssl->ssl_cert_verify_depth < 0)
|
||||
{
|
||||
MXS_ERROR("Invalid parameter value for 'ssl_cert_verify_depth"
|
||||
" for service '%s': %s", obj->object, ssl_cert_verify_depth);
|
||||
new_ssl->ssl_cert_verify_depth = 0;
|
||||
local_errors++;
|
||||
}
|
||||
MXS_ERROR("Invalid parameter value for 'ssl_cert_verify_depth for '%s': %s",
|
||||
obj->object, ssl_cert_verify_depth);
|
||||
new_ssl->ssl_cert_verify_depth = 0;
|
||||
local_errors++;
|
||||
}
|
||||
|
||||
if (ssl_verify_peer_certificate)
|
||||
@ -2101,7 +2095,7 @@ SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *e
|
||||
if (rv == -1)
|
||||
{
|
||||
MXS_ERROR("Invalid parameter value for 'ssl_verify_peer_certificate"
|
||||
" for service '%s': %s", obj->object, ssl_verify_peer_certificate);
|
||||
" for '%s': %s", obj->object, ssl_verify_peer_certificate);
|
||||
local_errors++;
|
||||
}
|
||||
else
|
||||
@ -2112,53 +2106,49 @@ SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *e
|
||||
|
||||
listener_set_certificates(new_ssl, ssl_cert, ssl_key, ssl_ca_cert);
|
||||
|
||||
if (require_cert && new_ssl->ssl_cert == NULL)
|
||||
if (require_cert)
|
||||
{
|
||||
local_errors++;
|
||||
MXS_ERROR("Server certificate missing for service '%s'."
|
||||
"Please provide the path to the server certificate by adding "
|
||||
"the ssl_cert=<path> parameter", obj->object);
|
||||
if (new_ssl->ssl_cert == NULL)
|
||||
{
|
||||
local_errors++;
|
||||
MXS_ERROR("Server certificate missing for listener '%s'."
|
||||
"Please provide the path to the server certificate by adding "
|
||||
"the ssl_cert=<path> parameter", obj->object);
|
||||
}
|
||||
else if (access(new_ssl->ssl_cert, F_OK) != 0)
|
||||
{
|
||||
MXS_ERROR("Server certificate file for listener '%s' not found: %s",
|
||||
obj->object, new_ssl->ssl_cert);
|
||||
local_errors++;
|
||||
}
|
||||
|
||||
if (new_ssl->ssl_key == NULL)
|
||||
{
|
||||
local_errors++;
|
||||
MXS_ERROR("Server private key missing for listener '%s'. "
|
||||
"Please provide the path to the server certificate key by "
|
||||
"adding the ssl_key=<path> parameter", obj->object);
|
||||
}
|
||||
else if (access(new_ssl->ssl_key, F_OK) != 0)
|
||||
{
|
||||
MXS_ERROR("Server private key file for listener '%s' not found: %s",
|
||||
obj->object, new_ssl->ssl_key);
|
||||
local_errors++;
|
||||
}
|
||||
}
|
||||
|
||||
if (require_cert && new_ssl->ssl_ca_cert == NULL)
|
||||
if (new_ssl->ssl_ca_cert == NULL)
|
||||
{
|
||||
local_errors++;
|
||||
MXS_ERROR("CA Certificate missing for service '%s'."
|
||||
MXS_ERROR("CA Certificate missing for '%s'."
|
||||
"Please provide the path to the certificate authority "
|
||||
"certificate by adding the ssl_ca_cert=<path> parameter",
|
||||
obj->object);
|
||||
}
|
||||
|
||||
if (require_cert && new_ssl->ssl_key == NULL)
|
||||
else if (access(new_ssl->ssl_ca_cert, F_OK) != 0)
|
||||
{
|
||||
local_errors++;
|
||||
MXS_ERROR("Server private key missing for service '%s'. "
|
||||
"Please provide the path to the server certificate key by "
|
||||
"adding the ssl_key=<path> parameter",
|
||||
obj->object);
|
||||
}
|
||||
|
||||
if (require_cert && access(new_ssl->ssl_ca_cert, F_OK) != 0)
|
||||
{
|
||||
MXS_ERROR("Certificate authority file for service '%s' not found: %s",
|
||||
obj->object,
|
||||
new_ssl->ssl_ca_cert);
|
||||
local_errors++;
|
||||
}
|
||||
|
||||
if (require_cert && access(new_ssl->ssl_cert, F_OK) != 0)
|
||||
{
|
||||
MXS_ERROR("Server certificate file for service '%s' not found: %s",
|
||||
obj->object,
|
||||
new_ssl->ssl_cert);
|
||||
local_errors++;
|
||||
}
|
||||
|
||||
if (require_cert && access(new_ssl->ssl_key, F_OK) != 0)
|
||||
{
|
||||
MXS_ERROR("Server private key file for service '%s' not found: %s",
|
||||
obj->object,
|
||||
new_ssl->ssl_key);
|
||||
MXS_ERROR("Certificate authority file for '%s' not found: %s",
|
||||
obj->object, new_ssl->ssl_ca_cert);
|
||||
local_errors++;
|
||||
}
|
||||
|
||||
|
||||
@ -254,8 +254,8 @@ static SSL_LISTENER* create_ssl(const char *name, const char *key, const char *c
|
||||
if (obj)
|
||||
{
|
||||
if (config_add_param(obj, CN_SSL, CN_REQUIRED) &&
|
||||
config_add_param(obj, CN_SSL_KEY, key) &&
|
||||
config_add_param(obj, CN_SSL_CERT, cert) &&
|
||||
(!key || config_add_param(obj, CN_SSL_KEY, key)) &&
|
||||
(!cert || config_add_param(obj, CN_SSL_CERT, cert)) &&
|
||||
config_add_param(obj, CN_SSL_CA_CERT, ca) &&
|
||||
(!version || config_add_param(obj, CN_SSL_VERSION, version)) &&
|
||||
(!depth || config_add_param(obj, CN_SSL_CERT_VERIFY_DEPTH, depth)) &&
|
||||
|
||||
@ -337,6 +337,15 @@ listener_init_SSL(SSL_LISTENER *ssl_listener)
|
||||
ss_dassert(rsa_512 && rsa_1024);
|
||||
SSL_CTX_set_tmp_rsa_callback(ssl_listener->ctx, tmp_rsa_callback);
|
||||
|
||||
ss_dassert(ssl_listener->ssl_ca_cert);
|
||||
|
||||
/* Load the CA certificate into the SSL_CTX structure */
|
||||
if (!SSL_CTX_load_verify_locations(ssl_listener->ctx, ssl_listener->ssl_ca_cert, NULL))
|
||||
{
|
||||
MXS_ERROR("Failed to set Certificate Authority file");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (ssl_listener->ssl_cert && ssl_listener->ssl_key)
|
||||
{
|
||||
/** Load the server certificate */
|
||||
@ -359,13 +368,6 @@ listener_init_SSL(SSL_LISTENER *ssl_listener)
|
||||
MXS_ERROR("Server SSL certificate and key do not match: %s", get_ssl_errors());
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Load the RSA CA certificate into the SSL_CTX structure */
|
||||
if (!SSL_CTX_load_verify_locations(ssl_listener->ctx, ssl_listener->ssl_ca_cert, NULL))
|
||||
{
|
||||
MXS_ERROR("Failed to set Certificate Authority file: %s", get_ssl_errors());
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
/* Set to require peer (client) certificate verification */
|
||||
|
||||
@ -1435,9 +1435,9 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3,
|
||||
}
|
||||
}
|
||||
|
||||
if (enable || ssl_key || ssl_cert || ssl_ca)
|
||||
if (enable || ssl_ca)
|
||||
{
|
||||
if (enable && ssl_key && ssl_cert && ssl_ca)
|
||||
if (enable && ssl_ca)
|
||||
{
|
||||
/** We have SSL parameters, try to process them */
|
||||
if (!runtime_enable_server_ssl(server, ssl_key, ssl_cert, ssl_ca,
|
||||
@ -1450,7 +1450,7 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3,
|
||||
else
|
||||
{
|
||||
dcb_printf(dcb, "Error: SSL configuration requires the following parameters:\n"
|
||||
"ssl=required ssl_key=PATH ssl_cert=PATH ssl_ca_cert=PATH\n");
|
||||
"ssl=required ssl_ca_cert=PATH\n");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
version: '2'
|
||||
services:
|
||||
server1:
|
||||
image: mariadb:10.1
|
||||
image: mariadb:10.2
|
||||
network_mode: "host"
|
||||
environment:
|
||||
MYSQL_ALLOW_EMPTY_PASSWORD: Y
|
||||
@ -10,7 +10,7 @@ services:
|
||||
command: mysqld --log-bin=binlog --binlog-format=ROW --server-id=3000 --port=3000 --log-slave-updates
|
||||
|
||||
server2:
|
||||
image: mariadb:10.1
|
||||
image: mariadb:10.2
|
||||
network_mode: "host"
|
||||
environment:
|
||||
MYSQL_ALLOW_EMPTY_PASSWORD: Y
|
||||
@ -19,7 +19,7 @@ services:
|
||||
command: mysqld --log-bin=binlog --binlog-format=ROW --server-id=3001 --port=3001 --log-slave-updates
|
||||
|
||||
server3:
|
||||
image: mariadb:10.1
|
||||
image: mariadb:10.2
|
||||
network_mode: "host"
|
||||
environment:
|
||||
MYSQL_ALLOW_EMPTY_PASSWORD: Y
|
||||
@ -28,7 +28,7 @@ services:
|
||||
command: mysqld --log-bin=binlog --binlog-format=ROW --server-id=3002 --port=3002 --log-slave-updates
|
||||
|
||||
server4:
|
||||
image: mariadb:10.1
|
||||
image: mariadb:10.2
|
||||
network_mode: "host"
|
||||
environment:
|
||||
MYSQL_ALLOW_EMPTY_PASSWORD: Y
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user