MXS-2956: Fix use of admin_ssl_ca_cert

The parameter is now optional and uses the correct file. If defined, it
defines the CA certificate that would be used to verify the client
certificate. Client certificate verification doesn't seem to currently
work, as that requires a custom verification callback that interfaces with
GnuTLS.
Markus Mäkelä
2020-04-07 15:27:35 +03:00
parent 594e431f1a
commit aacae9b508
2 changed files with 13 additions and 9 deletions

View File

@ -1004,8 +1004,8 @@ REST API. The default credentials for the interface are `admin:mariadb`.
The path to the TLS private key in PEM format for the admin interface. The path to the TLS private key in PEM format for the admin interface.
If the `admin_ssl_key`, `admin_ssl_cert` and `admin_ssl_ca_cert` options are all If the `admin_ssl_key` and `admin_ssl_cert` options are all defined, the admin
defined, the admin interface will use encrypted HTTPS instead of plain HTTP. interface will use encrypted HTTPS instead of plain HTTP.
### `admin_ssl_cert` ### `admin_ssl_cert`
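Review bot: in the rewritten `admin_ssl_key` paragraph, "If the `admin_ssl_key` and `admin_ssl_cert` options are all defined" should read "are both defined"; "all" is left over from the old three-option sentence and now reads oddly with two options.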
@ -1014,8 +1014,9 @@ documentation for more details.
### `admin_ssl_ca_cert` ### `admin_ssl_ca_cert`
The path to the TLS CA certificate in PEM format. See `admin_ssl_key` The path to the TLS CA certificate in PEM format. If defined, the client
documentation for more details. certificate, if provided, will be validated against it. This parameter is
optional starting with MaxScale 2.3.19.
### `admin_enabled` ### `admin_enabled`
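Review bot: the new `admin_ssl_ca_cert` text promises that "the client certificate, if provided, will be validated against it", but the commit message itself says client certificate verification does not currently work because it needs a custom GnuTLS verification callback. Documenting behaviour the code does not deliver is a security problem: an operator could read this as mutual-TLS protection for the REST API, which still falls back to the default `admin:mariadb` credentials. Suggest stating plainly that the CA is loaded as the server's trust store but client certificates are not yet verified, or dropping the validation sentence until the verification is implemented.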

View File

@ -352,11 +352,13 @@ static bool load_ssl_certificates()
const char* cert = config_get_global_options()->admin_ssl_cert; const char* cert = config_get_global_options()->admin_ssl_cert;
const char* ca = config_get_global_options()->admin_ssl_ca_cert; const char* ca = config_get_global_options()->admin_ssl_ca_cert;
if (*key && *cert && *ca) if (*key && *cert)
{ {
if ((admin_ssl_key = load_cert(key)) admin_ssl_key = load_cert(key);
&& (admin_ssl_cert = load_cert(cert)) admin_ssl_cert = load_cert(cert);
&& (admin_ssl_ca_cert = load_cert(ca))) admin_ssl_ca_cert = load_cert(ca);
if (admin_ssl_key && admin_ssl_cert)
{ {
rval = true; rval = true;
} }
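Review bot: `admin_ssl_ca_cert = load_cert(ca);` now runs even when `admin_ssl_ca_cert` is not configured, so `load_cert` is handed an empty path on every HTTPS start; unless it special-cases an empty string, that is a failed open and most likely a spurious error log. Guard it, e.g. `admin_ssl_ca_cert = *ca ? load_cert(ca) : nullptr;`. The opposite case is worse: when `ca` is set but `load_cert(ca)` fails, `rval` is still true because the final check only tests `admin_ssl_key && admin_ssl_cert`, so a misconfigured CA path is silently dropped and the admin interface starts without the trust store it was configured with. A configured-but-unloadable CA should make this function return false rather than degrade quietly.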
@ -416,7 +418,8 @@ bool mxs_admin_init()
!using_ssl ? MHD_OPTION_END : !using_ssl ? MHD_OPTION_END :
MHD_OPTION_HTTPS_MEM_KEY, admin_ssl_key, MHD_OPTION_HTTPS_MEM_KEY, admin_ssl_key,
MHD_OPTION_HTTPS_MEM_CERT, admin_ssl_cert, MHD_OPTION_HTTPS_MEM_CERT, admin_ssl_cert,
MHD_OPTION_HTTPS_MEM_TRUST, admin_ssl_cert, !admin_ssl_ca_cert ? MHD_OPTION_END :
MHD_OPTION_HTTPS_MEM_TRUST, admin_ssl_ca_cert,
MHD_OPTION_END); MHD_OPTION_END);
} }
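Review bot: passing the CA through `MHD_OPTION_HTTPS_MEM_TRUST` only installs a trust store; nothing in this hunk asks the connection to verify the peer certificate, so, as the commit message acknowledges, any TLS client is still accepted and `admin_ssl_ca_cert` currently provides no client authentication. A short comment at this call site would stop the next reader from assuming mutual TLS is enforced. Separately, when `admin_ssl_ca_cert` is null the ternary emits `MHD_OPTION_END` early while the trailing `admin_ssl_ca_cert, MHD_OPTION_END` arguments are still pushed onto the varargs list; that is harmless, since libmicrohttpd stops reading at the first `MHD_OPTION_END` and the existing `!using_ssl ? MHD_OPTION_END :` construction above relies on the same behaviour, but it is worth knowing when reading the option list.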