MXS-1907: Allow ssl_verify_peer_certificate when creating listener
When a listener is created at runtime or SSL is being enabled for an already created listener, the ssl_verify_peer_certificate parameter can now be defined.
@ -206,7 +206,8 @@ bool runtime_destroy_server(SERVER *server)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static SSL_LISTENER* create_ssl(const char *name, const char *key, const char *cert,
|
static SSL_LISTENER* create_ssl(const char *name, const char *key, const char *cert,
|
||||||
const char *ca, const char *version, const char *depth)
|
const char *ca, const char *version, const char *depth,
|
||||||
|
const char *verify)
|
||||||
{
|
{
|
||||||
SSL_LISTENER *rval = NULL;
|
SSL_LISTENER *rval = NULL;
|
||||||
CONFIG_CONTEXT *obj = config_context_create(name);
|
CONFIG_CONTEXT *obj = config_context_create(name);
|
||||||
@ -218,7 +219,8 @@ static SSL_LISTENER* create_ssl(const char *name, const char *key, const char *c
|
|||||||
config_add_param(obj, "ssl_cert", cert) &&
|
config_add_param(obj, "ssl_cert", cert) &&
|
||||||
config_add_param(obj, "ssl_ca_cert", ca) &&
|
config_add_param(obj, "ssl_ca_cert", ca) &&
|
||||||
(!version || config_add_param(obj, "ssl_version", version)) &&
|
(!version || config_add_param(obj, "ssl_version", version)) &&
|
||||||
(!depth || config_add_param(obj, "ssl_cert_verify_depth", depth)))
|
(!depth || config_add_param(obj, "ssl_cert_verify_depth", depth)) &&
|
||||||
|
(!verify || config_add_param(obj, "ssl_verify_peer_certificate", verify)))
|
||||||
{
|
{
|
||||||
int err = 0;
|
int err = 0;
|
||||||
SSL_LISTENER *ssl = make_ssl_structure(obj, true, &err);
|
SSL_LISTENER *ssl = make_ssl_structure(obj, true, &err);
|
||||||
@ -236,14 +238,15 @@ static SSL_LISTENER* create_ssl(const char *name, const char *key, const char *c
|
|||||||
}
|
}
|
||||||
|
|
||||||
bool runtime_enable_server_ssl(SERVER *server, const char *key, const char *cert,
|
bool runtime_enable_server_ssl(SERVER *server, const char *key, const char *cert,
|
||||||
const char *ca, const char *version, const char *depth)
|
const char *ca, const char *version, const char *depth,
|
||||||
|
const char *verify)
|
||||||
{
|
{
|
||||||
bool rval = false;
|
bool rval = false;
|
||||||
|
|
||||||
if (key && cert && ca)
|
if (key && cert && ca)
|
||||||
{
|
{
|
||||||
spinlock_acquire(&crt_lock);
|
spinlock_acquire(&crt_lock);
|
||||||
SSL_LISTENER *ssl = create_ssl(server->unique_name, key, cert, ca, version, depth);
|
SSL_LISTENER *ssl = create_ssl(server->unique_name, key, cert, ca, version, depth, verify);
|
||||||
|
|
||||||
if (ssl)
|
if (ssl)
|
||||||
{
|
{
|
||||||
@ -494,7 +497,8 @@ bool runtime_create_listener(SERVICE *service, const char *name, const char *add
|
|||||||
const char *port, const char *proto, const char *auth,
|
const char *port, const char *proto, const char *auth,
|
||||||
const char *auth_opt, const char *ssl_key,
|
const char *auth_opt, const char *ssl_key,
|
||||||
const char *ssl_cert, const char *ssl_ca,
|
const char *ssl_cert, const char *ssl_ca,
|
||||||
const char *ssl_version, const char *ssl_depth)
|
const char *ssl_version, const char *ssl_depth,
|
||||||
|
const char *verify_ssl)
|
||||||
{
|
{
|
||||||
|
|
||||||
if (addr == NULL || strcasecmp(addr, "default") == 0)
|
if (addr == NULL || strcasecmp(addr, "default") == 0)
|
||||||
@ -535,7 +539,7 @@ bool runtime_create_listener(SERVICE *service, const char *name, const char *add
|
|||||||
|
|
||||||
if (ssl_key && ssl_cert && ssl_ca)
|
if (ssl_key && ssl_cert && ssl_ca)
|
||||||
{
|
{
|
||||||
ssl = create_ssl(name, ssl_key, ssl_cert, ssl_ca, ssl_version, ssl_depth);
|
ssl = create_ssl(name, ssl_key, ssl_cert, ssl_ca, ssl_version, ssl_depth, verify_ssl);
|
||||||
|
|
||||||
if (ssl == NULL)
|
if (ssl == NULL)
|
||||||
{
|
{
|
||||||
|
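Review bot: `create_ssl` hands `verify` to the config context as an unchecked string at `(!verify || config_add_param(obj, "ssl_verify_peer_certificate", verify)))`, and nothing in this hunk shows whether `make_ssl_structure` rejects a value that is not a recognised boolean or silently falls back to the default. Because this one value decides whether peer certificates are checked at all, it is worth confirming that an unrecognised value makes `create_ssl` return NULL and is logged rather than ignored, and recording that in a comment on the call, e.g. `/* make_ssl_structure validates the value; an unrecognised one fails the whole SSL setup */`. The naming also drifts across the three entry points: `verify` in `create_ssl` and `runtime_enable_server_ssl`, `verify_ssl` in `runtime_create_listener`, where every other SSL argument is `ssl_*`; `const char *ssl_verify)` would match `ssl_key`, `ssl_cert`, `ssl_ca`, `ssl_version` and `ssl_depth`. The bodies of `create_ssl`, `runtime_enable_server_ssl` and `runtime_create_listener` all continue outside these hunks.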
@ -103,10 +103,13 @@ bool runtime_alter_server(SERVER *server, char *key, char *value);
|
|||||||
* @param ca Path to certificate authority
|
* @param ca Path to certificate authority
|
||||||
* @param version Required SSL Version
|
* @param version Required SSL Version
|
||||||
* @param depth Certificate verification depth
|
* @param depth Certificate verification depth
|
||||||
|
* @param verify Verify peer certificate
|
||||||
|
*
|
||||||
* @return True if SSL was successfully enabled
|
* @return True if SSL was successfully enabled
|
||||||
*/
|
*/
|
||||||
bool runtime_enable_server_ssl(SERVER *server, const char *key, const char *cert,
|
bool runtime_enable_server_ssl(SERVER *server, const char *key, const char *cert,
|
||||||
const char *ca, const char *version, const char *depth);
|
const char *ca, const char *version, const char *depth,
|
||||||
|
const char *verify);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Alter monitor parameters
|
* @brief Alter monitor parameters
|
||||||
@ -135,6 +138,7 @@ bool runtime_alter_monitor(MXS_MONITOR *monitor, char *key, char *value);
|
|||||||
* @param ssl_ca SSL CA cert, NULL for no CA cert
|
* @param ssl_ca SSL CA cert, NULL for no CA cert
|
||||||
* @param ssl_version SSL version, NULL for default of "MAX"
|
* @param ssl_version SSL version, NULL for default of "MAX"
|
||||||
* @param ssl_depth SSL cert verification depth, NULL for default
|
* @param ssl_depth SSL cert verification depth, NULL for default
|
||||||
|
* @param verify_ssl SSL peer certificate verification, NULL for default
|
||||||
*
|
*
|
||||||
* @return True if the listener was successfully created and started
|
* @return True if the listener was successfully created and started
|
||||||
*/
|
*/
|
||||||
@ -142,7 +146,8 @@ bool runtime_create_listener(SERVICE *service, const char *name, const char *add
|
|||||||
const char *port, const char *proto, const char *auth,
|
const char *port, const char *proto, const char *auth,
|
||||||
const char *auth_opt, const char *ssl_key,
|
const char *auth_opt, const char *ssl_key,
|
||||||
const char *ssl_cert, const char *ssl_ca,
|
const char *ssl_cert, const char *ssl_ca,
|
||||||
const char *ssl_version, const char *ssl_depth);
|
const char *ssl_version, const char *ssl_depth,
|
||||||
|
const char *verify_ssl);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Destroy a listener
|
* @brief Destroy a listener
|
||||||
|
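Review bot: The new `* @param verify Verify peer certificate` line in the `runtime_enable_server_ssl` comment does not say that NULL is accepted, while the line added for `runtime_create_listener` does (`NULL for default`); since `create_ssl` only adds the parameter when it is non-NULL, both descriptions should say the same thing: `* @param verify Verify peer certificate, NULL for default`. Neither comment names the values the string accepts, which the `ssl_version` line does for its own default ("MAX"); adding them would spare callers a trip into the parser. The Doxygen block for `runtime_enable_server_ssl` begins outside the hunk.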
@ -62,7 +62,7 @@
|
|||||||
#include "../../../core/maxscale/poll.h"
|
#include "../../../core/maxscale/poll.h"
|
||||||
#include "../../../core/maxscale/session.h"
|
#include "../../../core/maxscale/session.h"
|
||||||
|
|
||||||
#define MAXARGS 12
|
#define MAXARGS 14
|
||||||
|
|
||||||
#define ARG_TYPE_NONE 0
|
#define ARG_TYPE_NONE 0
|
||||||
#define ARG_TYPE_ADDRESS 1
|
#define ARG_TYPE_ADDRESS 1
|
||||||
@ -1143,11 +1143,11 @@ static void createServer(DCB *dcb, char *name, char *address, char *port,
|
|||||||
static void createListener(DCB *dcb, SERVICE *service, char *name, char *address,
|
static void createListener(DCB *dcb, SERVICE *service, char *name, char *address,
|
||||||
char *port, char *protocol, char *authenticator,
|
char *port, char *protocol, char *authenticator,
|
||||||
char *authenticator_options, char *key, char *cert,
|
char *authenticator_options, char *key, char *cert,
|
||||||
char *ca, char *version, char *depth)
|
char *ca, char *version, char *depth, char *verify)
|
||||||
{
|
{
|
||||||
if (runtime_create_listener(service, name, address, port, protocol,
|
if (runtime_create_listener(service, name, address, port, protocol,
|
||||||
authenticator, authenticator_options,
|
authenticator, authenticator_options,
|
||||||
key, cert, ca, version, depth))
|
key, cert, ca, version, depth, verify))
|
||||||
{
|
{
|
||||||
dcb_printf(dcb, "Listener '%s' created\n", name);
|
dcb_printf(dcb, "Listener '%s' created\n", name);
|
||||||
}
|
}
|
||||||
@ -1355,6 +1355,7 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3,
|
|||||||
char *ssl_ca = NULL;
|
char *ssl_ca = NULL;
|
||||||
char *ssl_version = NULL;
|
char *ssl_version = NULL;
|
||||||
char *ssl_depth = NULL;
|
char *ssl_depth = NULL;
|
||||||
|
char *ssl_verify = NULL;
|
||||||
bool enable = false;
|
bool enable = false;
|
||||||
|
|
||||||
for (int i = 0; i < items && values[i]; i++)
|
for (int i = 0; i < items && values[i]; i++)
|
||||||
@ -1388,6 +1389,10 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3,
|
|||||||
{
|
{
|
||||||
ssl_depth = value;
|
ssl_depth = value;
|
||||||
}
|
}
|
||||||
|
else if (strcmp("ssl_verify_peer_certificate", key) == 0)
|
||||||
|
{
|
||||||
|
ssl_verify = value;
|
||||||
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
enable = strcmp("ssl", key) == 0 && strcmp(value, "required") == 0;
|
enable = strcmp("ssl", key) == 0 && strcmp(value, "required") == 0;
|
||||||
@ -1411,7 +1416,7 @@ static void alterServer(DCB *dcb, SERVER *server, char *v1, char *v2, char *v3,
|
|||||||
{
|
{
|
||||||
/** We have SSL parameters, try to process them */
|
/** We have SSL parameters, try to process them */
|
||||||
if (!runtime_enable_server_ssl(server, ssl_key, ssl_cert, ssl_ca,
|
if (!runtime_enable_server_ssl(server, ssl_key, ssl_cert, ssl_ca,
|
||||||
ssl_version, ssl_depth))
|
ssl_version, ssl_depth, ssl_verify))
|
||||||
{
|
{
|
||||||
dcb_printf(dcb, "Enabling SSL for server '%s' failed, see log "
|
dcb_printf(dcb, "Enabling SSL for server '%s' failed, see log "
|
||||||
"for more details.\n", server->unique_name);
|
"for more details.\n", server->unique_name);
|
||||||
@ -1464,7 +1469,7 @@ static void alterMonitor(DCB *dcb, MXS_MONITOR *monitor, char *v1, char *v2, cha
|
|||||||
struct subcommand alteroptions[] =
|
struct subcommand alteroptions[] =
|
||||||
{
|
{
|
||||||
{
|
{
|
||||||
"server", 2, 12, alterServer,
|
"server", 2, 14, alterServer,
|
||||||
"Alter server parameters",
|
"Alter server parameters",
|
||||||
"Usage: alter server NAME KEY=VALUE ...\n"
|
"Usage: alter server NAME KEY=VALUE ...\n"
|
||||||
"\n"
|
"\n"
|
||||||
@ -1474,18 +1479,19 @@ struct subcommand alteroptions[] =
|
|||||||
"\n"
|
"\n"
|
||||||
"This will alter an existing parameter of a server. The accepted values for KEY are:\n"
|
"This will alter an existing parameter of a server. The accepted values for KEY are:\n"
|
||||||
"\n"
|
"\n"
|
||||||
"address Server address\n"
|
"address Server address\n"
|
||||||
"port Server port\n"
|
"port Server port\n"
|
||||||
"monitoruser Monitor user for this server\n"
|
"monitoruser Monitor user for this server\n"
|
||||||
"monitorpw Monitor password for this server\n"
|
"monitorpw Monitor password for this server\n"
|
||||||
"ssl Enable SSL, value must be 'required'\n"
|
"ssl Enable SSL, value must be 'required'\n"
|
||||||
"ssl_key Path to SSL private key\n"
|
"ssl_key Path to SSL private key\n"
|
||||||
"ssl_cert Path to SSL certificate\n"
|
"ssl_cert Path to SSL certificate\n"
|
||||||
"ssl_ca_cert Path to SSL CA certificate\n"
|
"ssl_ca_cert Path to SSL CA certificate\n"
|
||||||
"ssl_version SSL version\n"
|
"ssl_version SSL version\n"
|
||||||
"ssl_cert_verify_depth Certificate verification depth\n"
|
"ssl_cert_verify_depth Certificate verification depth\n"
|
||||||
"persistpoolmax Persisted connection pool size\n"
|
"ssl_verify_peer_certificate Peer certificate verification\n"
|
||||||
"persistmaxtime Persisted connection maximum idle time\n"
|
"persistpoolmax Persisted connection pool size\n"
|
||||||
|
"persistmaxtime Persisted connection maximum idle time\n"
|
||||||
"\n"
|
"\n"
|
||||||
"To configure SSL for a newly created server, the 'ssl', 'ssl_cert',\n"
|
"To configure SSL for a newly created server, the 'ssl', 'ssl_cert',\n"
|
||||||
"'ssl_key' and 'ssl_ca_cert' parameters must be given at the same time.\n"
|
"'ssl_key' and 'ssl_ca_cert' parameters must be given at the same time.\n"
|
||||||
|
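Review bot: `createListener` now takes `verify` and forwards it at `key, cert, ca, version, depth, verify))`, but nothing in these hunks updates the `create listener` subcommand entry or its usage text the way the `alter server` entry is updated (`"server", 2, 14, alterServer` plus the new help line); unless that happens outside this diff, the admin interface cannot pass the extra argument and the option stays undocumented there even though `MAXARGS` was raised to 14. The `alter server` change relies on `alterServer` having at least 14 positional `char *` slots (`char *v1, char *v2, char *v3, …` in the hunk header), which this diff does not show being widened; worth confirming against the signature, which lies outside the hunk. The added help line `"ssl_verify_peer_certificate Peer certificate verification\n"` gives no hint of the values it accepts, and a short "(accepted values: …)" suffix there would save operators a failed `alter` to find out.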