MXS-2839: Make ssl_ca_cert optional

Not defining ssl_ca_cert causes the system default verification chain to be used.
2020-01-17 08:59:19 +02:00
parent 46165f0894
commit b573fcf030
3 changed files with 19 additions and 21 deletions
--- a/Documentation/Getting-Started/Configuration-Guide.md
+++ b/Documentation/Getting-Started/Configuration-Guide.md
@ -1786,13 +1786,14 @@ This section describes configuration parameters for both servers and listeners
 that control the TLS/SSL encryption method and the various certificate files
 involved in it.

-To enable TLS/SSL for a listener, you must set the `ssl` parameter to `true`
-and provide the three files for `ssl_cert`, `ssl_key` and `ssl_ca_cert`.
+To enable TLS/SSL for a listener, you must set the `ssl` parameter to
+`true` and provide at least the `ssl_cert` and `ssl_key` parameters.

-To enable TLS/SSL for a server, you must set the `ssl` parameter to `required`
-and provide at least the `ssl_ca_cert` parameter. If the backend database server
-has certificate verification enabled, the `ssl_cert` and `ssl_key` parameters
-must also be defined.
+To enable TLS/SSL for a server, you must set the `ssl` parameter to
+`true`. If the backend database server has certificate verification
+enabled, the `ssl_cert` and `ssl_key` parameters must also be defined.
+
+Custom CA certificates can be defined with the `ssl_ca_cert` parameter.

 After this, MaxScale connections between the server and/or the client will be
 encrypted. Note that the database must also be configured to use TLS/SSL
--- a/server/core/config.cc
+++ b/server/core/config.cc
@ -2756,15 +2756,6 @@ bool config_create_ssl(const char* name,
        char* ssl_key = config_get_value(params, CN_SSL_KEY);
        char* ssl_ca_cert = config_get_value(params, CN_SSL_CA_CERT);

-        if (ssl_ca_cert == NULL)
-        {
-            MXS_ERROR("CA Certificate missing for '%s'."
-                      "Please provide the path to the certificate authority "
-                      "certificate by adding the ssl_ca_cert=<path> parameter",
-                      name);
-            error = true;
-        }
-
        if (require_cert)
        {
            if (ssl_cert == NULL)
@ -2803,7 +2794,7 @@ bool config_create_ssl(const char* name,

        listener_set_certificates(ssl, ssl_cert, ssl_key, ssl_ca_cert);

-        mxb_assert(access(ssl_ca_cert, F_OK) == 0);
+        mxb_assert(!ssl_ca_cert || access(ssl_ca_cert, F_OK) == 0);
        mxb_assert(!ssl_cert || access(ssl_cert, F_OK) == 0);
        mxb_assert(!ssl_key || access(ssl_key, F_OK) == 0);

--- a/server/core/listener.cc
+++ b/server/core/listener.cc
@ -378,12 +378,18 @@ bool SSL_LISTENER_init(SSL_LISTENER* ssl)
        SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_callback);
    }

-    mxb_assert(ssl->ssl_ca_cert);
-
-    /* Load the CA certificate into the SSL_CTX structure */
-    if (!SSL_CTX_load_verify_locations(ctx, ssl->ssl_ca_cert, NULL))
+    if (ssl->ssl_ca_cert)
    {
-        MXS_ERROR("Failed to set Certificate Authority file: %s", get_ssl_errors());
+        /* Load the CA certificate into the SSL_CTX structure */
+        if (!SSL_CTX_load_verify_locations(ctx, ssl->ssl_ca_cert, NULL))
+        {
+            MXS_ERROR("Failed to set Certificate Authority file: %s", get_ssl_errors());
+            rval = false;
+        }
+    }
+    else if (SSL_CTX_set_default_verify_paths(ctx) == 0)
+    {
+        MXS_ERROR("Failed to set default CA verify paths: %s", get_ssl_errors());
        rval = false;
    }