MXS-2956: Fix use of admin_ssl_ca_cert

The parameter is now optional and uses the correct file. If defined, it defines the CA certificate that would be used to verify client certificate. Client certificate verification doesn't seem to currently work as that requires a custom verification callback that interfaces with GnuTLS.
2020-04-07 15:27:35 +03:00 · 2020-04-07 15:27:35 +03:00 · aacae9b508
commit aacae9b508
parent 594e431f1a
2 changed files with 13 additions and 9 deletions
--- a/Documentation/Getting-Started/Configuration-Guide.md
+++ b/Documentation/Getting-Started/Configuration-Guide.md
@ -1004,8 +1004,8 @@ REST API. The default credentials for the interface are `admin:mariadb`.

 The path to the TLS private key in PEM format for the admin interface.

-If the `admin_ssl_key`, `admin_ssl_cert` and `admin_ssl_ca_cert` options are all
-defined, the admin interface will use encrypted HTTPS instead of plain HTTP.
+If the `admin_ssl_key` and `admin_ssl_cert` options are all defined, the admin
+interface will use encrypted HTTPS instead of plain HTTP.

 ### `admin_ssl_cert`

@ -1014,8 +1014,9 @@ documentation for more details.

 ### `admin_ssl_ca_cert`

-The path to the TLS CA certificate in PEM format. See `admin_ssl_key`
-documentation for more details.
+The path to the TLS CA certificate in PEM format. If defined, the client
+certificate, if provided, will be validated against it. This parameter is
+optional starting with MaxScale 2.3.19.

 ### `admin_enabled`

--- a/server/core/admin.cc
+++ b/server/core/admin.cc
@ -352,11 +352,13 @@ static bool load_ssl_certificates()
    const char* cert = config_get_global_options()->admin_ssl_cert;
    const char* ca = config_get_global_options()->admin_ssl_ca_cert;

-    if (*key && *cert && *ca)
+    if (*key && *cert)
    {
-        if ((admin_ssl_key = load_cert(key))
-            && (admin_ssl_cert = load_cert(cert))
-            && (admin_ssl_ca_cert = load_cert(ca)))
+        admin_ssl_key = load_cert(key);
+        admin_ssl_cert = load_cert(cert);
+        admin_ssl_ca_cert = load_cert(ca);
+
+        if (admin_ssl_key && admin_ssl_cert)
        {
            rval = true;
        }
@ -416,7 +418,8 @@ bool mxs_admin_init()
                                       !using_ssl ? MHD_OPTION_END :
                                       MHD_OPTION_HTTPS_MEM_KEY, admin_ssl_key,
                                       MHD_OPTION_HTTPS_MEM_CERT, admin_ssl_cert,
-                                       MHD_OPTION_HTTPS_MEM_TRUST, admin_ssl_cert,
+                                       !admin_ssl_ca_cert ? MHD_OPTION_END :
+                                       MHD_OPTION_HTTPS_MEM_TRUST, admin_ssl_ca_cert,
                                       MHD_OPTION_END);
    }