hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MXS-1907: Allow ssl_verify_peer_certificate when creating listener

Browse Source 
When a listener is created at runtime or SSL is being enabled for an
already created listener, the ssl_verify_peer_certificate parameter can
now be defined.
This commit is contained in:
Markus Mäkelä
2018-06-08 10:11:43 +03:00
parent 46d1187172
commit c850336199
3 changed files with 40 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
server/core/config_runtime.c
View File

@ -206,7 +206,8 @@ bool runtime_destroy_server(SERVER *server)
} }
static SSL_LISTENER* create_ssl(const char *name, const char *key, const char *cert, static SSL_LISTENER* create_ssl(const char *name, const char *key, const char *cert,
const char *ca, const char *version, const char *depth) const char *ca, const char *version, const char *depth,
const char *verify)
{ {
SSL_LISTENER *rval = NULL; SSL_LISTENER *rval = NULL;
CONFIG_CONTEXT *obj = config_context_create(name); CONFIG_CONTEXT *obj = config_context_create(name);
@ -218,7 +219,8 @@ static SSL_LISTENER* create_ssl(const char *name, const char *key, const char *c
config_add_param(obj, "ssl_cert", cert) && config_add_param(obj, "ssl_cert", cert) &&
config_add_param(obj, "ssl_ca_cert", ca) && config_add_param(obj, "ssl_ca_cert", ca) &&
(!version || config_add_param(obj, "ssl_version", version)) && (!version || config_add_param(obj, "ssl_version", version)) &&
(!depth || config_add_param(obj, "ssl_cert_verify_depth", depth))) (!depth || config_add_param(obj, "ssl_cert_verify_depth", depth)) &&
(!verify || config_add_param(obj, "ssl_verify_peer_certificate", verify)))
{ {
int err = 0; int err = 0;
SSL_LISTENER *ssl = make_ssl_structure(obj, true, &err); SSL_LISTENER *ssl = make_ssl_structure(obj, true, &err);
@ -236,14 +238,15 @@ static SSL_LISTENER* create_ssl(const char *name, const char *key, const char *c
} }
bool runtime_enable_server_ssl(SERVER *server, const char *key, const char *cert, bool runtime_enable_server_ssl(SERVER *server, const char *key, const char *cert,
const char *ca, const char *version, const char *depth) const char *ca, const char *version, const char *depth,
const char *verify)
{ {
bool rval = false; bool rval = false;
if (key && cert && ca) if (key && cert && ca)
{ {
spinlock_acquire(&crt_lock); spinlock_acquire(&crt_lock);
SSL_LISTENER *ssl = create_ssl(server->unique_name, key, cert, ca, version, depth); SSL_LISTENER *ssl = create_ssl(server->unique_name, key, cert, ca, version, depth, verify);
if (ssl) if (ssl)
{ {
@ -494,7 +497,8 @@ bool runtime_create_listener(SERVICE *service, const char *name, const char *add
const char *port, const char *proto, const char *auth, const char *port, const char *proto, const char *auth,
const char *auth_opt, const char *ssl_key, const char *auth_opt, const char *ssl_key,
const char *ssl_cert, const char *ssl_ca, const char *ssl_cert, const char *ssl_ca,
const char *ssl_version, const char *ssl_depth) const char *ssl_version, const char *ssl_depth,
const char *verify_ssl)
{ {
if (addr == NULL || strcasecmp(addr, "default") == 0) if (addr == NULL || strcasecmp(addr, "default") == 0)
@ -535,7 +539,7 @@ bool runtime_create_listener(SERVICE *service, const char *name, const char *add
if (ssl_key && ssl_cert && ssl_ca) if (ssl_key && ssl_cert && ssl_ca)
{ {
ssl = create_ssl(name, ssl_key, ssl_cert, ssl_ca, ssl_version, ssl_depth); ssl = create_ssl(name, ssl_key, ssl_cert, ssl_ca, ssl_version, ssl_depth, verify_ssl);
if (ssl == NULL) if (ssl == NULL)
{ {

9
server/core/maxscale/config_runtime.h
View File

@ -103,10 +103,13 @@ bool runtime_alter_server(SERVER *server, char *key, char *value);
* @param ca Path to certificate authority * @param ca Path to certificate authority
* @param version Required SSL Version * @param version Required SSL Version
* @param depth Certificate verification depth * @param depth Certificate verification depth
* @param verify Verify peer certificate
*
* @return True if SSL was successfully enabled * @return True if SSL was successfully enabled
*/ */
bool runtime_enable_server_ssl(SERVER *server, const char *key, const char *cert, bool runtime_enable_server_ssl(SERVER *server, const char *key, const char *cert,
const char *ca, const char *version, const char *depth); const char *ca, const char *version, const char *depth,
const char *verify);
/** /**
* @brief Alter monitor parameters * @brief Alter monitor parameters
@ -135,6 +138,7 @@ bool runtime_alter_monitor(MXS_MONITOR *monitor, char *key, char *value);
* @param ssl_ca SSL CA cert, NULL for no CA cert * @param ssl_ca SSL CA cert, NULL for no CA cert
* @param ssl_version SSL version, NULL for default of "MAX" * @param ssl_version SSL version, NULL for default of "MAX"
* @param ssl_depth SSL cert verification depth, NULL for default * @param ssl_depth SSL cert verification depth, NULL for default
* @param verify_ssl SSL peer certificate verification, NULL for default
* *
* @return True if the listener was successfully created and started * @return True if the listener was successfully created and started
*/ */
@ -142,7 +146,8 @@ bool runtime_create_listener(SERVICE *service, const char *name, const char *add
const char *port, const char *proto, const char *auth, const char *port, const char *proto, const char *auth,
const char *auth_opt, const char *ssl_key, const char *auth_opt, const char *ssl_key,
const char *ssl_cert, const char *ssl_ca, const char *ssl_cert, const char *ssl_ca,
const char *ssl_version, const char *ssl_depth); const char *ssl_version, const char *ssl_depth,
const char *verify_ssl);
/** /**
* @brief Destroy a listener * @brief Destroy a listener

16
server/modules/routing/debugcli/debugcmd.c
View File

@ -62,7 +62,7 @@
#include "../../../core/maxscale/poll.h" #include "../../../core/maxscale/poll.h"
#include "../../../core/maxscale/session.h" #include "../../../core/maxscale/session.h"
#define MAXARGS 12 #define MAXARGS 14
#define ARG_TYPE_NONE 0 #define ARG_TYPE_NONE 0
#define ARG_TYPE_ADDRESS 1 #define ARG_TYPE_ADDRESS 1
@ -1143,11 +1143,11 @@ static void createServer(DCB *dcb, char *name, char *address, char *port,
static void createListener(DCB *dcb, SERVICE *service, char *name, char *address, static void createListener(DCB *dcb, SERVICE *service, char *name, char *address,
char *port, char *protocol, char *authenticator, char *port, char *protocol, char *authenticator,
char *authenticator_options, char *key, char *cert, char *authenticator_options, char *key, char *cert,
char *ca, char *version, char *depth) char *ca, char *version, char *depth, char *verify)
{ {
if (runtime_create_listener(service, name, address, port, protocol, if (runtime_create_listener(service, name, address, port, protocol,
authenticator, authenticator_options, authenticator, authenticator_options,
key, cert, ca, version, depth)) key, cert, ca, version, depth, verify))
{ {
dcb_printf(dcb, "Listener '%s' created\n", name); dcb_printf(dcb, "Listener '%s' created\n", name);
} }
@ -1355,6 +1355,7 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3,
char *ssl_ca = NULL; char *ssl_ca = NULL;
char *ssl_version = NULL; char *ssl_version = NULL;
char *ssl_depth = NULL; char *ssl_depth = NULL;
char *ssl_verify = NULL;
bool enable = false; bool enable = false;
for (int i = 0; i < items && values[i]; i++) for (int i = 0; i < items && values[i]; i++)
@ -1388,6 +1389,10 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3,
{ {
ssl_depth = value; ssl_depth = value;
} }
else if (strcmp("ssl_verify_peer_certificate", key) == 0)
{
ssl_verify = value;
}
else else
{ {
enable = strcmp("ssl", key) == 0 && strcmp(value, "required") == 0; enable = strcmp("ssl", key) == 0 && strcmp(value, "required") == 0;
@ -1411,7 +1416,7 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3,
{ {
/** We have SSL parameters, try to process them */ /** We have SSL parameters, try to process them */
if (!runtime_enable_server_ssl(server, ssl_key, ssl_cert, ssl_ca, if (!runtime_enable_server_ssl(server, ssl_key, ssl_cert, ssl_ca,
ssl_version, ssl_depth)) ssl_version, ssl_depth, ssl_verify))
{ {
dcb_printf(dcb, "Enabling SSL for server '%s' failed, see log " dcb_printf(dcb, "Enabling SSL for server '%s' failed, see log "
"for more details.\n", server->unique_name); "for more details.\n", server->unique_name);
@ -1464,7 +1469,7 @@ static void alterMonitor(DCB *dcb, MXS_MONITOR *monitor, char *v1, char *v2, cha
struct subcommand alteroptions[] = struct subcommand alteroptions[] =
{ {
{ {
"server", 2, 12, alterServer, "server", 2, 14, alterServer,
"Alter server parameters", "Alter server parameters",
"Usage: alter server NAME KEY=VALUE ...\n" "Usage: alter server NAME KEY=VALUE ...\n"
"\n" "\n"
@ -1484,6 +1489,7 @@ struct subcommand alteroptions[] =
"ssl_ca_cert Path to SSL CA certificate\n" "ssl_ca_cert Path to SSL CA certificate\n"
"ssl_version SSL version\n" "ssl_version SSL version\n"
"ssl_cert_verify_depth Certificate verification depth\n" "ssl_cert_verify_depth Certificate verification depth\n"
"ssl_verify_peer_certificate Peer certificate verification\n"
"persistpoolmax Persisted connection pool size\n" "persistpoolmax Persisted connection pool size\n"
"persistmaxtime Persisted connection maximum idle time\n" "persistmaxtime Persisted connection maximum idle time\n"
"\n" "\n"