hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added ssl handshake to mysql_client

Browse Source
This commit is contained in:
Markus Makela
2015-05-28 22:19:50 +03:00
parent 449c186a66
commit a572166ffd
5 changed files with 134 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
server/core/config.c
View File

@ -345,7 +345,7 @@ hashtable_memory_fns(monitorhash,strdup,NULL,free,NULL);
char *weightby;
char *version_string;
char *subservices;
char* ssl;
char *ssl,*ssl_cert,*ssl_key,*ssl_ca_cert;
bool is_rwsplit = false;
bool is_schemarouter = false;
char *allow_localhost_match_wildcard_host;
@ -355,7 +355,9 @@ hashtable_memory_fns(monitorhash,strdup,NULL,free,NULL);
auth = config_get_value(obj->parameters, "passwd");
subservices = config_get_value(obj->parameters, "subservices");
ssl = config_get_value(obj->parameters, "ssl");
ssl_cert = config_get_value(obj->parameters, "ssl_cert");
ssl_key = config_get_value(obj->parameters, "ssl_key");
ssl_ca_cert = config_get_value(obj->parameters, "ssl_ca_cert");
enable_root_user = config_get_value(
obj->parameters,
"enable_root_user");
@ -448,8 +450,28 @@ hashtable_memory_fns(monitorhash,strdup,NULL,free,NULL);
"max_slave_replication_lag");
if(ssl)
if(serviceSetSSL(obj->element,ssl) != 0)
skygw_log_write(LE,"Error: Unknown parameter for service '%s': %s",obj->object,ssl);
{
if(ssl_cert == NULL)
skygw_log_write(LE,"Error: Server certificate missing for service '%s'.",obj->object);
if(ssl_ca_cert == NULL)
skygw_log_write(LE,"Error: CA Certificate missing for service '%s'.",obj->object);
if(ssl_key == NULL)
skygw_log_write(LE,"Error: Server private key missing for service '%s'.",obj->object);
if(ssl_ca_cert != NULL && ssl_cert != NULL && ssl_key != NULL)
{
if(serviceSetSSL(obj->element,ssl) != 0)
{
skygw_log_write(LE,"Error: Unknown parameter for service '%s': %s",obj->object,ssl);
}
else
{
serviceSetCertificates(obj->element,ssl_cert,ssl_key,ssl_ca_cert);
}
}
}
if (enable_root_user)
serviceEnableRootUser(

50
server/core/service.c
View File

@ -137,6 +137,10 @@ SERVICE *service;
service->users_from_all = false;
service->resources = NULL;
service->ssl_mode = SSL_DISABLED;
service->ssl_init_done = false;
service->ssl_ca_cert = NULL;
service->ssl_cert = NULL;
service->ssl_key = NULL;
if (service->name == NULL || service->routerModule == NULL)
{
@ -856,6 +860,14 @@ serviceOptimizeWildcard(SERVICE *service, int action)
return 1;
}
void
serviceSetCertificates(SERVICE *service, char* cert,char* key, char* ca_cert)
{
service->ssl_cert = strdup(cert);
service->ssl_key = strdup(key);
service->ssl_ca_cert = strdup(ca_cert);
}
/** Enable or disable the service SSL capability*/
int
serviceSetSSL(SERVICE *service, char* action)
@ -1798,3 +1810,41 @@ int *data;
return set;
}
int serviceInitSSL(SERVICE* service)
{
if(!service->ssl_init_done)
{
service->method = (SSL_METHOD*)SSLv23_server_method();
service->ctx = SSL_CTX_new(service->method);
if (SSL_CTX_use_certificate_file(service->ctx, service->ssl_cert, SSL_FILETYPE_PEM) <= 0) {
return -1;
}
/* Load the private-key corresponding to the server certificate */
if (SSL_CTX_use_PrivateKey_file(service->ctx, service->ssl_key, SSL_FILETYPE_PEM) <= 0) {
return -1;
}
/* Check if the server certificate and private-key matches */
if (!SSL_CTX_check_private_key(service->ctx)) {
return -1;
}
/* Load the RSA CA certificate into the SSL_CTX structure */
if (!SSL_CTX_load_verify_locations(service->ctx, service->ssl_ca_cert, NULL)) {
return -1;
}
/* Set to require peer (client) certificate verification */
SSL_CTX_set_verify(service->ctx,SSL_VERIFY_PEER,NULL);
/* Set the verification depth to 1 */
SSL_CTX_set_verify_depth(service->ctx,10);
service->ssl_init_done = true;
}
return 0;
}