From c850336199c3c19508a3d280fb7000291d66b80c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?= Date: Fri, 8 Jun 2018 10:11:43 +0300 Subject: [PATCH] MXS-1907: Allow ssl_verify_peer_certificate when creating listener When a listener is created at runtime or SSL is being enabled for an already created listener, the ssl_verify_peer_certificate parameter can now be defined. --- server/core/config_runtime.c | 16 +++++---- server/core/maxscale/config_runtime.h | 9 +++-- server/modules/routing/debugcli/debugcmd.c | 40 +++++++++++++--------- 3 files changed, 40 insertions(+), 25 deletions(-) diff --git a/server/core/config_runtime.c b/server/core/config_runtime.c index 0a963f887..bcdd32f5f 100644 --- a/server/core/config_runtime.c +++ b/server/core/config_runtime.c @@ -206,7 +206,8 @@ bool runtime_destroy_server(SERVER *server) } static SSL_LISTENER* create_ssl(const char *name, const char *key, const char *cert, - const char *ca, const char *version, const char *depth) + const char *ca, const char *version, const char *depth, + const char *verify) { SSL_LISTENER *rval = NULL; CONFIG_CONTEXT *obj = config_context_create(name); @@ -218,7 +219,8 @@ static SSL_LISTENER* create_ssl(const char *name, const char *key, const char *c config_add_param(obj, "ssl_cert", cert) && config_add_param(obj, "ssl_ca_cert", ca) && (!version || config_add_param(obj, "ssl_version", version)) && - (!depth || config_add_param(obj, "ssl_cert_verify_depth", depth))) + (!depth || config_add_param(obj, "ssl_cert_verify_depth", depth)) && + (!verify || config_add_param(obj, "ssl_verify_peer_certificate", verify))) { int err = 0; SSL_LISTENER *ssl = make_ssl_structure(obj, true, &err); 
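Review bot: The `verify` string is forwarded straight into `config_add_param(obj, "ssl_verify_peer_certificate", verify)` with no check of its value at this layer, so whether a mistyped value such as `ssl_verify_peer_certificate=ture` fails the call or silently ends up meaning "do not verify" depends entirely on make_ssl_structure, which is outside the hunk. For a parameter that decides whether the peer certificate is checked at all, the runtime path should fail closed the same way the static config presumably does: confirm that make_ssl_structure sets `err` for anything other than the accepted boolean spellings, or reject an unrecognised value here before the object is built. create_ssl's body continues past the end of the hunk.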
@@ -236,14 +238,15 @@ static SSL_LISTENER* create_ssl(const char *name, const char *key, const char *c } bool runtime_enable_server_ssl(SERVER *server, const char *key, const char *cert, - const char *ca, const char *version, const char *depth) + const char *ca, const char *version, const char *depth, + const char *verify) { bool rval = false; if (key && cert && ca) { spinlock_acquire(&crt_lock); - SSL_LISTENER *ssl = create_ssl(server->unique_name, key, cert, ca, version, depth); + SSL_LISTENER *ssl = create_ssl(server->unique_name, key, cert, ca, version, depth, verify); if (ssl) { @@ -494,7 +497,8 @@ bool runtime_create_listener(SERVICE *service, const char *name, const char *add const char *port, const char *proto, const char *auth, const char *auth_opt, const char *ssl_key, const char *ssl_cert, const char *ssl_ca, - const char *ssl_version, const char *ssl_depth) + const char *ssl_version, const char *ssl_depth, + const char *verify_ssl) { if (addr == NULL || strcasecmp(addr, "default") == 0) @@ -535,7 +539,7 @@ bool runtime_create_listener(SERVICE *service, const char *name, const char *add if (ssl_key && ssl_cert && ssl_ca) { - ssl = create_ssl(name, ssl_key, ssl_cert, ssl_ca, ssl_version, ssl_depth); + ssl = create_ssl(name, ssl_key, ssl_cert, ssl_ca, ssl_version, ssl_depth, verify_ssl); if (ssl == NULL) { diff --git a/server/core/maxscale/config_runtime.h b/server/core/maxscale/config_runtime.h index b18ed9c66..195460417 100644 --- a/server/core/maxscale/config_runtime.h +++ b/server/core/maxscale/config_runtime.h 
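Review bot: The new parameter is named `verify_ssl` in runtime_create_listener while every other SSL argument in the same signature carries the `ssl_` prefix (`ssl_key`, `ssl_cert`, `ssl_ca`, `ssl_version`, `ssl_depth`), and the companion function runtime_enable_server_ssl in the hunk above calls the same thing `verify`. With six adjacent `const char *` parameters the name is the only thing a reader has to check positional order at call sites, so one spelling, `const char *ssl_verify`, in both definitions and the header prototypes would help. The function body continues outside the hunk.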
@@ -103,10 +103,13 @@ bool runtime_alter_server(SERVER *server, char *key, char *value); * @param ca Path to certificate authority * @param version Required SSL Version * @param depth Certificate verification depth + * @param verify Verify peer certificate + * * @return True if SSL was successfully enabled */ bool runtime_enable_server_ssl(SERVER *server, const char *key, const char *cert, - const char *ca, const char *version, const char *depth); + const char *ca, const char *version, const char *depth, + const char *verify); /** * @brief Alter monitor parameters @@ -135,6 +138,7 @@ bool runtime_alter_monitor(MXS_MONITOR *monitor, char *key, char *value); * @param ssl_ca SSL CA cert, NULL for no CA cert * @param ssl_version SSL version, NULL for default of "MAX" * @param ssl_depth SSL cert verification depth, NULL for default + * @param verify_ssl SSL peer certificate verification, NULL for default * * @return True if the listener was successfully created and started */ @@ -142,7 +146,8 @@ bool runtime_create_listener(SERVICE *service, const char *name, const char *add const char *port, const char *proto, const char *auth, const char *auth_opt, const char *ssl_key, const char *ssl_cert, const char *ssl_ca, - const char *ssl_version, const char *ssl_depth); + const char *ssl_version, const char *ssl_depth, + const char *verify_ssl); /** * @brief Destroy a listener diff --git a/server/modules/routing/debugcli/debugcmd.c b/server/modules/routing/debugcli/debugcmd.c index 922456635..46c87bdf1 100644 --- a/server/modules/routing/debugcli/debugcmd.c +++ b/server/modules/routing/debugcli/debugcmd.c @@ -62,7 +62,7 @@ #include "../../../core/maxscale/poll.h" #include "../../../core/maxscale/session.h" -#define MAXARGS 12 +#define MAXARGS 14 #define ARG_TYPE_NONE 0 #define ARG_TYPE_ADDRESS 1 
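Review bot: The new `@param verify Verify peer certificate` line on runtime_enable_server_ssl says neither what the string may contain nor what a NULL means, whereas the runtime_create_listener entry in the next hunk at least says "NULL for default". Callers of this function decide whether the backend certificate is verified, so the doc should spell out both, e.g. `@param verify  Value for ssl_verify_peer_certificate (boolean string), NULL keeps the default`, listing the accepted spellings once confirmed against make_ssl_structure.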
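Review bot: "NULL for default" on the new `verify_ssl` line of runtime_create_listener's doc leaves unstated the one fact that matters for this parameter: whether omitting it means the peer certificate is verified or not. The default is resolved wherever make_ssl_structure reads ssl_verify_peer_certificate, which is not in this patch, so I cannot tell which way it falls; please name it explicitly, e.g. `@param verify_ssl  ssl_verify_peer_certificate value, NULL for the default (verification <on|off>)`, so runtime callers are not silently weaker than the static configuration.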
@@ -1143,11 +1143,11 @@ static void createServer(DCB *dcb, char *name, char *address, char *port, static void createListener(DCB *dcb, SERVICE *service, char *name, char *address, char *port, char *protocol, char *authenticator, char *authenticator_options, char *key, char *cert, - char *ca, char *version, char *depth) + char *ca, char *version, char *depth, char *verify) { if (runtime_create_listener(service, name, address, port, protocol, authenticator, authenticator_options, - key, cert, ca, version, depth)) + key, cert, ca, version, depth, verify)) { dcb_printf(dcb, "Listener '%s' created\n", name); } @@ -1355,6 +1355,7 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3, char *ssl_ca = NULL; char *ssl_version = NULL; char *ssl_depth = NULL; + char *ssl_verify = NULL; bool enable = false; for (int i = 0; i < items && values[i]; i++) @@ -1388,6 +1389,10 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3, { ssl_depth = value; } + else if (strcmp("ssl_verify_peer_certificate", key) == 0) + { + ssl_verify = value; + } else { enable = strcmp("ssl", key) == 0 && strcmp(value, "required") == 0; @@ -1411,7 +1416,7 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3, { /** We have SSL parameters, try to process them */ if (!runtime_enable_server_ssl(server, ssl_key, ssl_cert, ssl_ca, - ssl_version, ssl_depth)) + ssl_version, ssl_depth, ssl_verify)) { dcb_printf(dcb, "Enabling SSL for server '%s' failed, see log " "for more details.\n", server->unique_name); @@ -1464,7 +1469,7 @@ static void alterMonitor(DCB *dcb, MXS_MONITOR *monitor, char *v1, char *v2, cha struct subcommand alteroptions[] = { { - "server", 2, 12, alterServer, + "server", 2, 14, alterServer, "Alter server parameters", "Usage: alter server NAME KEY=VALUE ...\n" "\n" 
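Review bot: createListener gains a thirteenth argument `verify` and forwards it to runtime_create_listener, but this patch contains no change to the `create listener` subcommand entry or its usage text, and the `alter server` entry further down shows that each subcommand carries its own maximum argument count; unless the create entry already allows a further positional argument, the new parameter cannot be supplied from the CLI. That table is outside the hunks shown, so please confirm its count and extend its usage line with the new trailing argument. Because it is positional, documenting the order of the optional tail (VERSION, DEPTH, VERIFY) in that usage text would also keep operators from dropping a value into the wrong slot.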
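Review bot: The argument limit in the `alter server` entry is the literal `14`, duplicating the value that `#define MAXARGS 14` was just bumped to in the same file; both had to be edited in this patch and the next key added will need the same double edit, with KEY=VALUE pairs silently cut off if one is missed. Writing it as `"server", 2, MAXARGS, alterServer,` ties them together, assuming the subcommand table's maximum is meant to track MAXARGS as the parallel change suggests.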
@@ -1474,18 +1479,19 @@ struct subcommand alteroptions[] = "\n" "This will alter an existing parameter of a server. The accepted values for KEY are:\n" "\n" - "address Server address\n" - "port Server port\n" - "monitoruser Monitor user for this server\n" - "monitorpw Monitor password for this server\n" - "ssl Enable SSL, value must be 'required'\n" - "ssl_key Path to SSL private key\n" - "ssl_cert Path to SSL certificate\n" - "ssl_ca_cert Path to SSL CA certificate\n" - "ssl_version SSL version\n" - "ssl_cert_verify_depth Certificate verification depth\n" - "persistpoolmax Persisted connection pool size\n" - "persistmaxtime Persisted connection maximum idle time\n" + "address Server address\n" + "port Server port\n" + "monitoruser Monitor user for this server\n" + "monitorpw Monitor password for this server\n" + "ssl Enable SSL, value must be 'required'\n" + "ssl_key Path to SSL private key\n" + "ssl_cert Path to SSL certificate\n" + "ssl_ca_cert Path to SSL CA certificate\n" + "ssl_version SSL version\n" + "ssl_cert_verify_depth Certificate verification depth\n" + "ssl_verify_peer_certificate Peer certificate verification\n" + "persistpoolmax Persisted connection pool size\n" + "persistmaxtime Persisted connection maximum idle time\n" "\n" "To configure SSL for a newly created server, the 'ssl', 'ssl_cert',\n" "'ssl_key' and 'ssl_ca_cert' parameters must be given at the same time.\n"
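Review bot: The new help line `ssl_verify_peer_certificate Peer certificate verification` names the key but, unlike the `ssl` entry a few lines above that says `value must be 'required'`, gives no accepted values, and the closing paragraph listing which keys must be given together is unchanged. An operator is left to guess both the spelling of the value and whether the key can be applied on its own; the alterServer loop above stashes it alongside ssl_version and ssl_cert_verify_depth, so it appears to be consumed only on the `ssl=required` path. Suggest `"ssl_verify_peer_certificate Verify the server's certificate, value 'true' or 'false'\n"` if those are the spellings make_ssl_structure accepts, and a sentence after the last paragraph saying that the optional ssl_* keys take effect only when given together with ssl=required.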