Merge branch '2.1' into 2.2

2017-11-21 16:49:21 +02:00
parent bc7209c04e dd699f2739
commit afcb708e6e
18 changed files with 345 additions and 262 deletions
--- a/server/core/config.cc
+++ b/server/core/config.cc
@ -134,6 +134,7 @@ const char CN_SSL[]                           = "ssl";
 const char CN_SSL_CA_CERT[]                   = "ssl_ca_cert";
 const char CN_SSL_CERT[]                      = "ssl_cert";
 const char CN_SSL_CERT_VERIFY_DEPTH[]         = "ssl_cert_verify_depth";
+const char CN_SSL_VERIFY_PEER_CERTIFICATE[]   = "ssl_verify_peer_certificate";
 const char CN_SSL_KEY[]                       = "ssl_key";
 const char CN_SSL_VERSION[]                   = "ssl_version";
 const char CN_STRIP_DB_ESC[]                  = "strip_db_esc";
@ -231,6 +232,7 @@ const char *config_listener_params[] =
    CN_SSL_KEY,
    CN_SSL_VERSION,
    CN_SSL_CERT_VERIFY_DEPTH,
+    CN_SSL_VERIFY_PEER_CERTIFICATE,
    NULL
 };

@ -279,6 +281,7 @@ const char *server_params[] =
    CN_SSL_KEY,
    CN_SSL_VERSION,
    CN_SSL_CERT_VERIFY_DEPTH,
+    CN_SSL_VERIFY_PEER_CERTIFICATE,
    CN_PROXY_PROTOCOL,
    NULL
 };
@ -1688,6 +1691,8 @@ SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *e
            ssl_version = config_get_value(obj->parameters, CN_SSL_VERSION);
            ssl_cert_verify_depth = config_get_value(obj->parameters, CN_SSL_CERT_VERIFY_DEPTH);
            new_ssl->ssl_init_done = false;
+            new_ssl->ssl_cert_verify_depth = 9; // Default of 9 as per Linux man page
+            new_ssl->ssl_verify_peer_certificate = true;

            if (ssl_version)
            {
@ -1710,12 +1715,20 @@ SSL_LISTENER* make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *e
                    local_errors++;
                }
            }
-            else
+
+            if (ssl_verify_peer_certificate)
            {
-                /**
-                 * Default of 9 as per Linux man page
-                 */
-                new_ssl->ssl_cert_verify_depth = 9;
+                int rv = config_truth_value(ssl_verify_peer_certificate);
+                if (rv == -1)
+                {
+                    MXS_ERROR("Invalid parameter value for 'ssl_verify_peer_certificate"
+                              " for service '%s': %s", obj->object, ssl_verify_peer_certificate);
+                    local_errors++;
+                }
+                else
+                {
+                    new_ssl->ssl_verify_peer_certificate = rv;
+                }
            }

            listener_set_certificates(new_ssl, ssl_cert, ssl_key, ssl_ca_cert);
@ -3493,6 +3506,7 @@ bool config_is_ssl_parameter(const char *key)
        CN_SSL_KEY,
        CN_SSL_VERSION,
        CN_SSL_CERT_VERIFY_DEPTH,
+        CN_SSL_VERIFY_PEER_CERTIFICATE,
        NULL
    };