hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch '2.1' into 2.2

Browse Source
This commit is contained in:
Markus Mäkelä
2017-11-21 16:49:21 +02:00
parent bc7209c04e dd699f2739
commit afcb708e6e
18 changed files with 345 additions and 262 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
server/core/config.cc
View File

@ -134,6 +134,7 @@ const char CN_SSL[] = "ssl";
const char CN_SSL_CA_CERT[] = "ssl_ca_cert";
const char CN_SSL_CERT[] = "ssl_cert";
const char CN_SSL_CERT_VERIFY_DEPTH[] = "ssl_cert_verify_depth";
const char CN_SSL_VERIFY_PEER_CERTIFICATE[] = "ssl_verify_peer_certificate";
const char CN_SSL_KEY[] = "ssl_key";
const char CN_SSL_VERSION[] = "ssl_version";
const char CN_STRIP_DB_ESC[] = "strip_db_esc";
@ -231,6 +232,7 @@ const char *config_listener_params[] =
CN_SSL_KEY,
CN_SSL_VERSION,
CN_SSL_CERT_VERIFY_DEPTH,
CN_SSL_VERIFY_PEER_CERTIFICATE,
NULL
};
@ -279,6 +281,7 @@ const char *server_params[] =
CN_SSL_KEY,
CN_SSL_VERSION,
CN_SSL_CERT_VERIFY_DEPTH,
CN_SSL_VERIFY_PEER_CERTIFICATE,
CN_PROXY_PROTOCOL,
NULL
};
@ -1688,6 +1691,8 @@ SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *e
ssl_version = config_get_value(obj->parameters, CN_SSL_VERSION);
ssl_cert_verify_depth = config_get_value(obj->parameters, CN_SSL_CERT_VERIFY_DEPTH);
new_ssl->ssl_init_done = false;
new_ssl->ssl_cert_verify_depth = 9; // Default of 9 as per Linux man page
new_ssl->ssl_verify_peer_certificate = true;
if (ssl_version)
{
@ -1710,12 +1715,20 @@ SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *e
local_errors++;
}
}
else
if (ssl_verify_peer_certificate)
{
/**
* Default of 9 as per Linux man page
*/
new_ssl->ssl_cert_verify_depth = 9;
int rv = config_truth_value(ssl_verify_peer_certificate);
if (rv == -1)
{
MXS_ERROR("Invalid parameter value for 'ssl_verify_peer_certificate"
" for service '%s': %s", obj->object, ssl_verify_peer_certificate);
local_errors++;
}
else
{
new_ssl->ssl_verify_peer_certificate = rv;
}
}
listener_set_certificates(new_ssl, ssl_cert, ssl_key, ssl_ca_cert);
@ -3493,6 +3506,7 @@ bool config_is_ssl_parameter(const char *key)
CN_SSL_KEY,
CN_SSL_VERSION,
CN_SSL_CERT_VERIFY_DEPTH,
CN_SSL_VERIFY_PEER_CERTIFICATE,
NULL
};

54
server/core/listener.cc
View File

@ -366,7 +366,7 @@ listener_init_SSL(SSL_LISTENER *ssl_listener)
}
/* Set to require peer (client) certificate verification */
if (ssl_listener->ssl_cert_verify_depth)
if (ssl_listener->ssl_verify_peer_certificate)
{
SSL_CTX_set_verify(ssl_listener->ctx, SSL_VERIFY_PEER, NULL);
}
@ -458,57 +458,7 @@ static bool create_listener_config(const SERV_LISTENER *listener, const char *fi
if (listener->ssl)
{
dprintf(file, "ssl=required\n");
if (listener->ssl->ssl_cert)
{
dprintf(file, "ssl_cert=%s\n", listener->ssl->ssl_cert);
}
if (listener->ssl->ssl_key)
{
dprintf(file, "ssl_key=%s\n", listener->ssl->ssl_key);
}
if (listener->ssl->ssl_ca_cert)
{
dprintf(file, "ssl_ca_cert=%s\n", listener->ssl->ssl_ca_cert);
}
if (listener->ssl->ssl_cert_verify_depth)
{
dprintf(file, "ssl_cert_verify_depth=%d\n", listener->ssl->ssl_cert_verify_depth);
}
const char *version = NULL;
switch (listener->ssl->ssl_method_type)
{
#ifndef OPENSSL_1_1
case SERVICE_TLS10:
version = "TLSV10";
break;
#endif
#ifdef OPENSSL_1_0
case SERVICE_TLS11:
version = "TLSV11";
break;
case SERVICE_TLS12:
version = "TLSV12";
break;
#endif
case SERVICE_SSL_TLS_MAX:
version = "MAX";
break;
default:
break;
}
if (version)
{
dprintf(file, "ssl_version=%s\n", version);
}
write_ssl_config(file, listener->ssl);
}
close(file);

53
server/core/server.cc
View File

@ -578,6 +578,7 @@ dprintServer(DCB *dcb, const SERVER *server)
dcb_printf(dcb, "\tSSL method type: %s\n",
ssl_method_type_to_string(l->ssl_method_type));
dcb_printf(dcb, "\tSSL certificate verification depth: %d\n", l->ssl_cert_verify_depth);
dcb_printf(dcb, "\tSSL peer verification : %s\n", l->ssl_verify_peer_certificate ? "true" : "false");
dcb_printf(dcb, "\tSSL certificate: %s\n",
l->ssl_cert ? l->ssl_cert : "null");
dcb_printf(dcb, "\tSSL key: %s\n",
@ -1203,57 +1204,7 @@ static bool create_server_config(const SERVER *server, const char *filename)
if (server->server_ssl)
{
dprintf(file, "%s=required\n", CN_SSL);
if (server->server_ssl->ssl_cert)
{
dprintf(file, "%s=%s\n", CN_SSL_CERT, server->server_ssl->ssl_cert);
}
if (server->server_ssl->ssl_key)
{
dprintf(file, "%s=%s\n", CN_SSL_KEY, server->server_ssl->ssl_key);
}
if (server->server_ssl->ssl_ca_cert)
{
dprintf(file, "%s=%s\n", CN_SSL_CA_CERT, server->server_ssl->ssl_ca_cert);
}
if (server->server_ssl->ssl_cert_verify_depth)
{
dprintf(file, "%s=%d\n", CN_SSL_CERT_VERIFY_DEPTH, server->server_ssl->ssl_cert_verify_depth);
}
const char *version = NULL;
switch (server->server_ssl->ssl_method_type)
{
#ifndef OPENSSL_1_1
case SERVICE_TLS10:
version = "TLSV10";
break;
#endif
#ifdef OPENSSL_1_0
case SERVICE_TLS11:
version = "TLSV11";
break;
case SERVICE_TLS12:
version = "TLSV12";
break;
#endif
case SERVICE_SSL_TLS_MAX:
version = "MAX";
break;
default:
break;
}
if (version)
{
dprintf(file, "%s=%s\n", CN_SSL_VERSION, version);
}
write_ssl_config(file, server->server_ssl);
}
close(file);

35
server/core/ssl.cc
View File

@ -243,6 +243,39 @@ ssl_method_type_t string_to_ssl_method_type(const char* str)
return SERVICE_SSL_UNKNOWN;
}
void write_ssl_config(int fd, SSL_LISTENER* ssl)
{
if (ssl)
{
dprintf(fd, "ssl=required\n");
if (ssl->ssl_cert)
{
dprintf(fd, "ssl_cert=%s\n", ssl->ssl_cert);
}
if (ssl->ssl_key)
{
dprintf(fd, "ssl_key=%s\n", ssl->ssl_key);
}
if (ssl->ssl_ca_cert)
{
dprintf(fd, "ssl_ca_cert=%s\n", ssl->ssl_ca_cert);
}
if (ssl->ssl_cert_verify_depth)
{
dprintf(fd, "ssl_cert_verify_depth=%d\n", ssl->ssl_cert_verify_depth);
}
dprintf(fd, "ssl_verify_peer_certificate=%s\n",
ssl->ssl_verify_peer_certificate ? "true" : "false");
const char *version = ssl_method_type_to_string(ssl->ssl_method_type);
dprintf(fd, "ssl_version=%s\n", version);
}
}
int ssl_authenticate_check_status(DCB* dcb)
{
int rval = MXS_AUTH_FAILED;
@ -273,4 +306,4 @@ int ssl_authenticate_check_status(DCB* dcb)
rval = MXS_AUTH_SSL_COMPLETE;
}
return rval;
}
}