MXS-1907: Allow ssl_verify_peer_certificate when creating listener

When a listener is created at runtime, or SSL is being enabled at runtime for
an existing server, the ssl_verify_peer_certificate parameter can now be
defined.
This commit is contained in:
Markus Mäkelä 2018-06-08 10:11:43 +03:00
parent 46d1187172
commit c850336199
No known key found for this signature in database
GPG Key ID: 72D48FCE664F7B19
3 changed files with 40 additions and 25 deletions


@ -206,7 +206,8 @@ bool runtime_destroy_server(SERVER *server)
}
static SSL_LISTENER* create_ssl(const char *name, const char *key, const char *cert,
const char *ca, const char *version, const char *depth)
const char *ca, const char *version, const char *depth,
const char *verify)
{
SSL_LISTENER *rval = NULL;
CONFIG_CONTEXT *obj = config_context_create(name);
@ -218,7 +219,8 @@ static SSL_LISTENER* create_ssl(const char *name, const char *key, const char *c
config_add_param(obj, "ssl_cert", cert) &&
config_add_param(obj, "ssl_ca_cert", ca) &&
(!version || config_add_param(obj, "ssl_version", version)) &&
(!depth || config_add_param(obj, "ssl_cert_verify_depth", depth)))
(!depth || config_add_param(obj, "ssl_cert_verify_depth", depth)) &&
(!verify || config_add_param(obj, "ssl_verify_peer_certificate", verify)))
{
int err = 0;
SSL_LISTENER *ssl = make_ssl_structure(obj, true, &err);
@ -236,14 +238,15 @@ static SSL_LISTENER* create_ssl(const char *name, const char *key, const char *c
}
bool runtime_enable_server_ssl(SERVER *server, const char *key, const char *cert,
const char *ca, const char *version, const char *depth)
const char *ca, const char *version, const char *depth,
const char *verify)
{
bool rval = false;
if (key && cert && ca)
{
spinlock_acquire(&crt_lock);
SSL_LISTENER *ssl = create_ssl(server->unique_name, key, cert, ca, version, depth);
SSL_LISTENER *ssl = create_ssl(server->unique_name, key, cert, ca, version, depth, verify);
if (ssl)
{
@ -494,7 +497,8 @@ bool runtime_create_listener(SERVICE *service, const char *name, const char *add
const char *port, const char *proto, const char *auth,
const char *auth_opt, const char *ssl_key,
const char *ssl_cert, const char *ssl_ca,
const char *ssl_version, const char *ssl_depth)
const char *ssl_version, const char *ssl_depth,
const char *verify_ssl)
{
if (addr == NULL || strcasecmp(addr, "default") == 0)
@ -535,7 +539,7 @@ bool runtime_create_listener(SERVICE *service, const char *name, const char *add
if (ssl_key && ssl_cert && ssl_ca)
{
ssl = create_ssl(name, ssl_key, ssl_cert, ssl_ca, ssl_version, ssl_depth);
ssl = create_ssl(name, ssl_key, ssl_cert, ssl_ca, ssl_version, ssl_depth, verify_ssl);
if (ssl == NULL)
{
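Review bot: The new `verify` argument lets an operator switch peer-certificate verification off through the runtime interface, and `create_ssl` (hunk at -218) passes the string straight into `config_add_param` without leaving any trace that a verification downgrade was requested. Turning verification off removes the only check that the remote end is who its certificate says it is, so I would emit a warning next to the `make_ssl_structure` call whenever `verify` is non-NULL and the resulting structure has verification disabled, preceded by `/* NOTE: a false value disables peer verification; log it so the downgrade is auditable */`. Validation of the value itself appears to be delegated to `make_ssl_structure` through `err`, the same way `ssl_version` and `ssl_cert_verify_depth` are handled, so no extra parsing is needed here; how the string is interpreted (presumably as a boolean) is not visible in this diff. `create_ssl`'s body continues outside the hunk.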


@ -103,10 +103,13 @@ bool runtime_alter_server(SERVER *server, char *key, char *value);
* @param ca Path to certificate authority
* @param version Required SSL Version
* @param depth Certificate verification depth
* @param verify Verify peer certificate
*
* @return True if SSL was successfully enabled
*/
bool runtime_enable_server_ssl(SERVER *server, const char *key, const char *cert,
const char *ca, const char *version, const char *depth);
const char *ca, const char *version, const char *depth,
const char *verify);
/**
* @brief Alter monitor parameters
@ -135,6 +138,7 @@ bool runtime_alter_monitor(MXS_MONITOR *monitor, char *key, char *value);
* @param ssl_ca SSL CA cert, NULL for no CA cert
* @param ssl_version SSL version, NULL for default of "MAX"
* @param ssl_depth SSL cert verification depth, NULL for default
* @param verify_ssl SSL peer certificate verification, NULL for default
*
* @return True if the listener was successfully created and started
*/
@ -142,7 +146,8 @@ bool runtime_create_listener(SERVICE *service, const char *name, const char *add
const char *port, const char *proto, const char *auth,
const char *auth_opt, const char *ssl_key,
const char *ssl_cert, const char *ssl_ca,
const char *ssl_version, const char *ssl_depth);
const char *ssl_version, const char *ssl_depth,
const char *verify_ssl);
/**
* @brief Destroy a listener
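Review bot: The new `@param verify Verify peer certificate` on `runtime_enable_server_ssl` (hunk at -103) does not say that NULL is accepted, even though the implementation skips the parameter when it is NULL and the sibling entry for `runtime_create_listener` reads `@param verify_ssl SSL peer certificate verification, NULL for default`; I would write `@param verify Whether to verify the peer certificate, NULL for default`. The two declarations also name the same argument differently (`verify` vs `verify_ssl`), and every other SSL argument of `runtime_create_listener` carries the `ssl_` prefix (`ssl_version`, `ssl_depth`), so `ssl_verify` would read more consistently if the definition is renamed in step. What the default is when NULL is passed (verification on or off) is not visible in this diff, so the comment should not claim one either way.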


@ -62,7 +62,7 @@
#include "../../../core/maxscale/poll.h"
#include "../../../core/maxscale/session.h"
#define MAXARGS 12
#define MAXARGS 14
#define ARG_TYPE_NONE 0
#define ARG_TYPE_ADDRESS 1
@ -1143,11 +1143,11 @@ static void createServer(DCB *dcb, char *name, char *address, char *port,
static void createListener(DCB *dcb, SERVICE *service, char *name, char *address,
char *port, char *protocol, char *authenticator,
char *authenticator_options, char *key, char *cert,
char *ca, char *version, char *depth)
char *ca, char *version, char *depth, char *verify)
{
if (runtime_create_listener(service, name, address, port, protocol,
authenticator, authenticator_options,
key, cert, ca, version, depth))
key, cert, ca, version, depth, verify))
{
dcb_printf(dcb, "Listener '%s' created\n", name);
}
@ -1355,6 +1355,7 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3,
char *ssl_ca = NULL;
char *ssl_version = NULL;
char *ssl_depth = NULL;
char *ssl_verify = NULL;
bool enable = false;
for (int i = 0; i < items && values[i]; i++)
@ -1388,6 +1389,10 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3,
{
ssl_depth = value;
}
else if (strcmp("ssl_verify_peer_certificate", key) == 0)
{
ssl_verify = value;
}
else
{
enable = strcmp("ssl", key) == 0 && strcmp(value, "required") == 0;
@ -1411,7 +1416,7 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3,
{
/** We have SSL parameters, try to process them */
if (!runtime_enable_server_ssl(server, ssl_key, ssl_cert, ssl_ca,
ssl_version, ssl_depth))
ssl_version, ssl_depth, ssl_verify))
{
dcb_printf(dcb, "Enabling SSL for server '%s' failed, see log "
"for more details.\n", server->unique_name);
@ -1464,7 +1469,7 @@ static void alterMonitor(DCB *dcb, MXS_MONITOR *monitor, char *v1, char *v2, cha
struct subcommand alteroptions[] =
{
{
"server", 2, 12, alterServer,
"server", 2, 14, alterServer,
"Alter server parameters",
"Usage: alter server NAME KEY=VALUE ...\n"
"\n"
@ -1474,18 +1479,19 @@ struct subcommand alteroptions[] =
"\n"
"This will alter an existing parameter of a server. The accepted values for KEY are:\n"
"\n"
"address Server address\n"
"port Server port\n"
"monitoruser Monitor user for this server\n"
"monitorpw Monitor password for this server\n"
"ssl Enable SSL, value must be 'required'\n"
"ssl_key Path to SSL private key\n"
"ssl_cert Path to SSL certificate\n"
"ssl_ca_cert Path to SSL CA certificate\n"
"ssl_version SSL version\n"
"ssl_cert_verify_depth Certificate verification depth\n"
"persistpoolmax Persisted connection pool size\n"
"persistmaxtime Persisted connection maximum idle time\n"
"address Server address\n"
"port Server port\n"
"monitoruser Monitor user for this server\n"
"monitorpw Monitor password for this server\n"
"ssl Enable SSL, value must be 'required'\n"
"ssl_key Path to SSL private key\n"
"ssl_cert Path to SSL certificate\n"
"ssl_ca_cert Path to SSL CA certificate\n"
"ssl_version SSL version\n"
"ssl_cert_verify_depth Certificate verification depth\n"
"ssl_verify_peer_certificate Peer certificate verification\n"
"persistpoolmax Persisted connection pool size\n"
"persistmaxtime Persisted connection maximum idle time\n"
"\n"
"To configure SSL for a newly created server, the 'ssl', 'ssl_cert',\n"
"'ssl_key' and 'ssl_ca_cert' parameters must be given at the same time.\n"
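Review bot: The new usage line `ssl_verify_peer_certificate Peer certificate verification` (hunk at -1474) tells the operator nothing about what value to pass, while the neighbouring `ssl` entry spells out that the value must be 'required'; since the key is an on/off switch I would write `"ssl_verify_peer_certificate Whether to verify the peer certificate (e.g. true/false)\n"`, after confirming the exact spellings the config parser accepts, which are not visible here. Because disabling it weakens the TLS connection to the server, the usage text could also state that peer verification is skipped when the value is false. `MAXARGS` and the `alter server` upper bound both go from 12 to 14 for what looks like a single new key, so a short comment on why two extra slots are needed would help the next reader. The `ssl_verify` value collected in `alterServer` is only forwarded through `runtime_enable_server_ssl`, i.e. together with key, cert and CA; what happens when the key is given on its own is outside the hunks shown.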