From aacae9b508c77989936beea47199e16e2f52a9fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?= Date: Tue, 7 Apr 2020 15:27:35 +0300 Subject: [PATCH] MXS-2956: Fix use of admin_ssl_ca_cert The parameter is now optional and uses the correct file. If defined, it defines the CA certificate that would be used to verify client certificate. Client certificate verification doesn't seem to currently work as that requires a custom verification callback that interfaces with GnuTLS. --- .../Getting-Started/Configuration-Guide.md | 9 +++++---- server/core/admin.cc | 13 ++++++++----- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/Documentation/Getting-Started/Configuration-Guide.md b/Documentation/Getting-Started/Configuration-Guide.md index 9235c4982..8a98ccc89 100644 --- a/Documentation/Getting-Started/Configuration-Guide.md +++ b/Documentation/Getting-Started/Configuration-Guide.md @@ -1004,8 +1004,8 @@ REST API. The default credentials for the interface are `admin:mariadb`. The path to the TLS private key in PEM format for the admin interface. -If the `admin_ssl_key`, `admin_ssl_cert` and `admin_ssl_ca_cert` options are all -defined, the admin interface will use encrypted HTTPS instead of plain HTTP. +If the `admin_ssl_key` and `admin_ssl_cert` options are all defined, the admin +interface will use encrypted HTTPS instead of plain HTTP. ### `admin_ssl_cert` @@ -1014,8 +1014,9 @@ documentation for more details. ### `admin_ssl_ca_cert` -The path to the TLS CA certificate in PEM format. See `admin_ssl_key` -documentation for more details. +The path to the TLS CA certificate in PEM format. If defined, the client +certificate, if provided, will be validated against it. This parameter is +optional starting with MaxScale 2.3.19. ### `admin_enabled` diff --git a/server/core/admin.cc b/server/core/admin.cc index 8c8a33fb4..1e24057df 100644 --- a/server/core/admin.cc +++ b/server/core/admin.cc 
@@ -352,11 +352,13 @@ static bool load_ssl_certificates() const char* cert = config_get_global_options()->admin_ssl_cert; const char* ca = config_get_global_options()->admin_ssl_ca_cert; - if (*key && *cert && *ca) + if (*key && *cert) { - if ((admin_ssl_key = load_cert(key)) - && (admin_ssl_cert = load_cert(cert)) - && (admin_ssl_ca_cert = load_cert(ca))) + admin_ssl_key = load_cert(key); + admin_ssl_cert = load_cert(cert); + admin_ssl_ca_cert = load_cert(ca); + + if (admin_ssl_key && admin_ssl_cert) { rval = true; } @@ -416,7 +418,8 @@ bool mxs_admin_init() !using_ssl ? MHD_OPTION_END : MHD_OPTION_HTTPS_MEM_KEY, admin_ssl_key, MHD_OPTION_HTTPS_MEM_CERT, admin_ssl_cert, - MHD_OPTION_HTTPS_MEM_TRUST, admin_ssl_cert, + !admin_ssl_ca_cert ? MHD_OPTION_END : + MHD_OPTION_HTTPS_MEM_TRUST, admin_ssl_ca_cert, MHD_OPTION_END); }
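Review bot: A configured but unreadable `admin_ssl_ca_cert` is now silently ignored: the new condition `if (admin_ssl_key && admin_ssl_cert)` sets `rval = true` even when `load_cert(ca)` returned NULL, so the admin interface starts without the trust store the operator explicitly asked for and nothing reports it. The old `*ca` guard is also gone, so `load_cert(ca)` is called with an empty path whenever the parameter is unset; whether that only yields NULL or also logs a spurious error depends on load_cert, which is outside this hunk. I would load the CA only when it is set and treat a failed load as fatal, matching how key and cert are handled: `admin_ssl_ca_cert = *ca ? load_cert(ca) : nullptr;` and `if (admin_ssl_key && admin_ssl_cert && (!*ca || admin_ssl_ca_cert))`. The declaration of `key` and the rest of load_ssl_certificates, including its return, lie outside the hunk.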
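Review bot: The new `MHD_OPTION_HTTPS_MEM_TRUST, admin_ssl_ca_cert` line installs a trust store, but as the commit message itself states nothing verifies the peer certificate against it, so `admin_ssl_ca_cert` has no enforcement effect while the documentation updated in this same patch promises that a client certificate "will be validated against it". To my knowledge libmicrohttpd does not verify client certificates by itself; the application has to request one and check it through the GnuTLS session (e.g. `MHD_get_connection_info` plus `gnutls_certificate_verify_peers2`), and this hunk adds none of that. Until that exists I would mark the line so the option is not mistaken for access control: `// Installs the CA only; client certificates are NOT verified (no GnuTLS verification callback yet)`. The `MHD_start_daemon` call and `mxs_admin_init` begin before the hunk, so the `using_ssl` setup is not visible here.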