From d5ec357731342dfe6bc5a2b7858ba9ab3a9234f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Thu, 23 May 2019 15:15:38 +0300
Subject: [PATCH] Fix binlogrouter SSL creation
The SSLContext could get invalid parameters as the router unconditionally added all the parameters.
---
 .../modules/routing/binlogrouter/blr_slave.cc | 50 ++++++++-----------
 1 file changed, 22 insertions(+), 28 deletions(-)
diff --git a/server/modules/routing/binlogrouter/blr_slave.cc b/server/modules/routing/binlogrouter/blr_slave.cc
index 8c991da29..25d93a04f 100644
--- a/server/modules/routing/binlogrouter/blr_slave.cc
+++ b/server/modules/routing/binlogrouter/blr_slave.cc
@@ -6336,7 +6336,7 @@ static int blr_set_master_ssl(ROUTER_INSTANCE* router,
 router->ssl_enabled = config.ssl_enabled;
 }
- if (router->ssl_enabled)
+ if (router->ssl_enabled && !config.ssl_ca.empty() && !config.ssl_key.empty() && !config.ssl_cert.empty())
 {
 MXS_CONFIG_PARAMETER params;
 params.set_from_list({
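Review bot: The widened condition on the `+` line turns the whole block into a silent no-op when `router->ssl_enabled` is true but one of `config.ssl_ca`, `config.ssl_key` or `config.ssl_cert` is empty: `router->ssl_enabled` has already been copied from `config.ssl_enabled` two lines above, so the router records SSL as enabled while no `SSLContext` is created and, within this hunk, nothing is logged or rejected. A missing certificate path is an operator-facing configuration error and should fail loudly rather than be skipped; I would add an `else if (router->ssl_enabled)` branch that logs which of the three parameters is missing and does not set `updated`, so the caller sees the failure. Whether the caller already detects this case cannot be seen here, since `blr_set_master_ssl` continues past the hunk.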
@@ -6344,43 +6344,37 @@ static int blr_set_master_ssl(ROUTER_INSTANCE* router,
 {CN_SSL_KEY, config.ssl_key},
 {CN_SSL_CERT, config.ssl_cert},
 {CN_SSL_CA_CERT, config.ssl_ca},
- {CN_SSL_VERSION, config.ssl_version},
 {CN_SSL_CERT_VERIFY_DEPTH, "9"},
 {CN_SSL_VERIFY_PEER_CERTIFICATE, "true"}
 });
+ if (!config.ssl_version.empty())
+ {
+ mxb_assert((config.ssl_version.front() != '\'') && (config.ssl_version.front() != '"'));
+ params.set(CN_SSL_VERSION, config.ssl_version);
+ MXS_FREE(router->ssl_version);
+ router->ssl_version = MXS_STRDUP_A(config.ssl_version.c_str());
+ }
+
+ /* Update options in router fields */
+ mxb_assert((config.ssl_key.front() != '\'') && (config.ssl_key.front() != '"'));
+ MXS_FREE(router->ssl_key);
+ router->ssl_key = MXS_STRDUP_A(config.ssl_key.c_str());
+
+ mxb_assert((config.ssl_ca.front() != '\'') && (config.ssl_ca.front() != '"'));
+ MXS_FREE(router->ssl_ca);
+ router->ssl_ca = MXS_STRDUP_A(config.ssl_ca.c_str());
+
+ mxb_assert((config.ssl_cert.front() != '\'') && (config.ssl_cert.front() != '"'));
+ MXS_FREE(router->ssl_cert);
+ router->ssl_cert = MXS_STRDUP_A(config.ssl_cert.c_str());
+
 std::unique_ptr ssl(mxs::SSLContext::create(params));
 if (ssl)
 {
 updated = 1;
 router->service->dbref->server->ssl().set_context(std::move(ssl));
-
- /* Update options in router fields */
- if (!config.ssl_key.empty())
- {
- mxb_assert((config.ssl_key.front() != '\'') && (config.ssl_key.front() != '"'));
- MXS_FREE(router->ssl_key);
- router->ssl_key = MXS_STRDUP_A(config.ssl_key.c_str());
- }
- if (!config.ssl_ca.empty())
- {
- mxb_assert((config.ssl_ca.front() != '\'') && (config.ssl_ca.front() != '"'));
- MXS_FREE(router->ssl_ca);
- router->ssl_ca = MXS_STRDUP_A(config.ssl_ca.c_str());
- }
- if (!config.ssl_cert.empty())
- {
- mxb_assert((config.ssl_cert.front() != '\'') && (config.ssl_cert.front() != '"'));
- MXS_FREE(router->ssl_cert);
- router->ssl_cert = MXS_STRDUP_A(config.ssl_cert.c_str());
- }
- if (!config.ssl_version.empty())
- {
- mxb_assert((config.ssl_version.front() != '\'') && (config.ssl_version.front() != '"'));
- MXS_FREE(router->ssl_version);
- router->ssl_version = MXS_STRDUP_A(config.ssl_version.c_str());
- }
 }
 else
 {
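Review bot: The `MXS_FREE`/`MXS_STRDUP_A` updates of `router->ssl_version`, `router->ssl_key`, `router->ssl_ca` and `router->ssl_cert` now run before `mxs::SSLContext::create(params)`, whereas the removed lines only performed them inside `if (ssl)`. If `create()` returns null, the router's recorded SSL settings now describe a configuration that was rejected and never installed via `set_context`, so anything that reports or reuses the router's SSL state from these fields will disagree with the context actually in use, and the previous values are lost instead of being preserved on failure. I would keep the `params.set(CN_SSL_VERSION, config.ssl_version)` call where it is but move the four field updates (with their `mxb_assert` quote checks) back into the `if (ssl)` branch after `set_context`, which restores the old failure semantics without reintroducing the empty-parameter problem the commit fixes. The `else` branch that handles the failure starts at the end of this hunk and continues outside it.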