MXS-2839: Make ssl_ca_cert optional

Not defining ssl_ca_cert causes the system default verification chain to
be used.
Markus Mäkelä
2020-01-17 08:59:19 +02:00
parent 46165f0894
commit b573fcf030
3 changed files with 19 additions and 21 deletions


@ -2756,15 +2756,6 @@ bool config_create_ssl(const char* name,
char* ssl_key = config_get_value(params, CN_SSL_KEY);
char* ssl_ca_cert = config_get_value(params, CN_SSL_CA_CERT);
if (ssl_ca_cert == NULL)
{
MXS_ERROR("CA Certificate missing for '%s'."
"Please provide the path to the certificate authority "
"certificate by adding the ssl_ca_cert=<path> parameter",
name);
error = true;
}
if (require_cert)
{
if (ssl_cert == NULL)
@ -2803,7 +2794,7 @@ bool config_create_ssl(const char* name,
listener_set_certificates(ssl, ssl_cert, ssl_key, ssl_ca_cert);
mxb_assert(access(ssl_ca_cert, F_OK) == 0);
mxb_assert(!ssl_ca_cert || access(ssl_ca_cert, F_OK) == 0);
mxb_assert(!ssl_cert || access(ssl_cert, F_OK) == 0);
mxb_assert(!ssl_key || access(ssl_key, F_OK) == 0);
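Review bot: With the missing-CA error removed, an absent or misspelled ssl_ca_cert now silently switches verification to the system default trust store instead of failing configuration, and nothing in this hunk records that choice. Consider logging it right after the config_get_value call, e.g. `if (ssl_ca_cert == NULL) { MXS_NOTICE("No ssl_ca_cert defined for '%s', using the system default CA verification paths", name); }`, so an operator can tell from the log which CA set is verifying peer certificates. The replaced mxb_assert in the second hunk only runs in debug builds, so it gives no such signal in production. config_create_ssl starts and ends outside these hunks.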


@ -378,12 +378,18 @@ bool SSL_LISTENER_init(SSL_LISTENER* ssl)
SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_callback);
}
mxb_assert(ssl->ssl_ca_cert);
/* Load the CA certificate into the SSL_CTX structure */
if (!SSL_CTX_load_verify_locations(ctx, ssl->ssl_ca_cert, NULL))
if (ssl->ssl_ca_cert)
{
MXS_ERROR("Failed to set Certificate Authority file: %s", get_ssl_errors());
/* Load the CA certificate into the SSL_CTX structure */
if (!SSL_CTX_load_verify_locations(ctx, ssl->ssl_ca_cert, NULL))
{
MXS_ERROR("Failed to set Certificate Authority file: %s", get_ssl_errors());
rval = false;
}
}
else if (SSL_CTX_set_default_verify_paths(ctx) == 0)
{
MXS_ERROR("Failed to set default CA verify paths: %s", get_ssl_errors());
rval = false;
}