Fix binlogrouter SSL creation

The SSLContext could get invalid parameters as the router unconditionally
added all the parameters.
Markus Mäkelä
2019-05-23 15:15:38 +03:00
parent 3af66f3309
commit d5ec357731


@ -6336,7 +6336,7 @@ static int blr_set_master_ssl(ROUTER_INSTANCE* router,
router->ssl_enabled = config.ssl_enabled; router->ssl_enabled = config.ssl_enabled;
} }
if (router->ssl_enabled) if (router->ssl_enabled && !config.ssl_ca.empty() && !config.ssl_key.empty() && !config.ssl_cert.empty())
{ {
MXS_CONFIG_PARAMETER params; MXS_CONFIG_PARAMETER params;
params.set_from_list({ params.set_from_list({
@ -6344,43 +6344,37 @@ static int blr_set_master_ssl(ROUTER_INSTANCE* router,
{CN_SSL_KEY, config.ssl_key}, {CN_SSL_KEY, config.ssl_key},
{CN_SSL_CERT, config.ssl_cert}, {CN_SSL_CERT, config.ssl_cert},
{CN_SSL_CA_CERT, config.ssl_ca}, {CN_SSL_CA_CERT, config.ssl_ca},
{CN_SSL_VERSION, config.ssl_version},
{CN_SSL_CERT_VERIFY_DEPTH, "9"}, {CN_SSL_CERT_VERIFY_DEPTH, "9"},
{CN_SSL_VERIFY_PEER_CERTIFICATE, "true"} {CN_SSL_VERIFY_PEER_CERTIFICATE, "true"}
}); });
if (!config.ssl_version.empty())
{
mxb_assert((config.ssl_version.front() != '\'') && (config.ssl_version.front() != '"'));
params.set(CN_SSL_VERSION, config.ssl_version);
MXS_FREE(router->ssl_version);
router->ssl_version = MXS_STRDUP_A(config.ssl_version.c_str());
}
/* Update options in router fields */
mxb_assert((config.ssl_key.front() != '\'') && (config.ssl_key.front() != '"'));
MXS_FREE(router->ssl_key);
router->ssl_key = MXS_STRDUP_A(config.ssl_key.c_str());
mxb_assert((config.ssl_ca.front() != '\'') && (config.ssl_ca.front() != '"'));
MXS_FREE(router->ssl_ca);
router->ssl_ca = MXS_STRDUP_A(config.ssl_ca.c_str());
mxb_assert((config.ssl_cert.front() != '\'') && (config.ssl_cert.front() != '"'));
MXS_FREE(router->ssl_cert);
router->ssl_cert = MXS_STRDUP_A(config.ssl_cert.c_str());
std::unique_ptr<mxs::SSLContext> ssl(mxs::SSLContext::create(params)); std::unique_ptr<mxs::SSLContext> ssl(mxs::SSLContext::create(params));
if (ssl) if (ssl)
{ {
updated = 1; updated = 1;
router->service->dbref->server->ssl().set_context(std::move(ssl)); router->service->dbref->server->ssl().set_context(std::move(ssl));
/* Update options in router fields */
if (!config.ssl_key.empty())
{
mxb_assert((config.ssl_key.front() != '\'') && (config.ssl_key.front() != '"'));
MXS_FREE(router->ssl_key);
router->ssl_key = MXS_STRDUP_A(config.ssl_key.c_str());
}
if (!config.ssl_ca.empty())
{
mxb_assert((config.ssl_ca.front() != '\'') && (config.ssl_ca.front() != '"'));
MXS_FREE(router->ssl_ca);
router->ssl_ca = MXS_STRDUP_A(config.ssl_ca.c_str());
}
if (!config.ssl_cert.empty())
{
mxb_assert((config.ssl_cert.front() != '\'') && (config.ssl_cert.front() != '"'));
MXS_FREE(router->ssl_cert);
router->ssl_cert = MXS_STRDUP_A(config.ssl_cert.c_str());
}
if (!config.ssl_version.empty())
{
mxb_assert((config.ssl_version.front() != '\'') && (config.ssl_version.front() != '"'));
MXS_FREE(router->ssl_version);
router->ssl_version = MXS_STRDUP_A(config.ssl_version.c_str());
}
} }
else else
{ {
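Review bot: A configuration that enables SSL but leaves the key, certificate or CA empty now skips context creation at the new `if (router->ssl_enabled && !config.ssl_ca.empty() && ...)` check, and nothing visible here reports it; the `else` that follows pairs with `if (ssl)`, not with this check. Because `router->ssl_enabled` is already assigned above, the router may record SSL as enabled while the server keeps its previous context or none, so it is worth confirming that the caller cannot then connect to the master without TLS. Consider an explicit branch for the incomplete case that logs which parameter is missing and returns the function's error value. Separately, the `router->ssl_key`/`ssl_ca`/`ssl_cert`/`ssl_version` copies appear to have moved ahead of `mxs::SSLContext::create(params)`, so a failed create would leave the router fields describing a configuration that was never applied; keeping those assignments inside `if (ssl)` avoids that. The body of `blr_set_master_ssl` starts before and continues after the visible lines.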