diff --git a/Documentation/Getting-Started/Configuration-Guide.md b/Documentation/Getting-Started/Configuration-Guide.md
index 2866424db..11ddc9d0d 100644
--- a/Documentation/Getting-Started/Configuration-Guide.md
+++ b/Documentation/Getting-Started/Configuration-Guide.md
@@ -1979,13 +1979,14 @@ This section describes configuration parameters for both servers and listeners
 that control the TLS/SSL encryption method and the various certificate files
 involved in it.
-To enable TLS/SSL for a listener, you must set the `ssl` parameter to `true`
-and provide the three files for `ssl_cert`, `ssl_key` and `ssl_ca_cert`.
+To enable TLS/SSL for a listener, you must set the `ssl` parameter to
+`true` and provide at least the `ssl_cert` and `ssl_key` parameters.
-To enable TLS/SSL for a server, you must set the `ssl` parameter to `required`
-and provide at least the `ssl_ca_cert` parameter. If the backend database server
-has certificate verification enabled, the `ssl_cert` and `ssl_key` parameters
-must also be defined.
+To enable TLS/SSL for a server, you must set the `ssl` parameter to
+`true`. If the backend database server has certificate verification
+enabled, the `ssl_cert` and `ssl_key` parameters must also be defined.
+
+Custom CA certificates can be defined with the `ssl_ca_cert` parameter.
 After this, MaxScale connections between the server and/or the client will be
 encrypted. Note that the database must also be configured to use TLS/SSL
diff --git a/server/core/config.cc b/server/core/config.cc
index 41a47779b..c418a4846 100644
--- a/server/core/config.cc
+++ b/server/core/config.cc
@@ -2889,15 +2889,6 @@ bool config_create_ssl(const char* name,
     if (value)
     {
-        if (!params.contains(CN_SSL_CA_CERT))
-        {
-            MXS_ERROR("CA Certificate missing for '%s'."
-                      "Please provide the path to the certificate authority "
-                      "certificate by adding the ssl_ca_cert= parameter",
-                      name);
-            ok = false;
-        }
-
         if (require_cert)
         {
             if (!params.contains(CN_SSL_CERT))
diff --git a/server/core/ssl.cc b/server/core/ssl.cc
index 34620d8e6..9fe5e975a 100644
--- a/server/core/ssl.cc
+++ b/server/core/ssl.cc
@@ -335,12 +335,18 @@ bool SSLContext::init()
         SSL_CTX_set_tmp_rsa_callback(m_ctx, tmp_rsa_callback);
     }
-    mxb_assert(!m_cfg.ca.empty());
-
-    /* Load the CA certificate into the SSL_CTX structure */
-    if (!SSL_CTX_load_verify_locations(m_ctx, m_cfg.ca.c_str(), NULL))
+    if (!m_cfg.ca.empty())
     {
-        MXS_ERROR("Failed to set Certificate Authority file: %s", get_ssl_errors());
+        /* Load the CA certificate into the SSL_CTX structure */
+        if (!SSL_CTX_load_verify_locations(m_ctx, m_cfg.ca.c_str(), NULL))
+        {
+            MXS_ERROR("Failed to set Certificate Authority file: %s", get_ssl_errors());
+            return false;
+        }
+    }
+    else if (SSL_CTX_set_default_verify_paths(m_ctx) == 0)
+    {
+        MXS_ERROR("Failed to set default CA verify paths: %s", get_ssl_errors());
         return false;
     }
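Review bot: The new `else` branch makes an empty `ssl_ca_cert` silently widen the trust anchors from one operator-chosen CA file to the platform's default store, and nothing in the hunk records that this happened; whether peer verification is even enforced for this context depends on the verify-mode setup outside the hunk, so I cannot tell here how much the widened store matters for listeners versus servers. Since config.cc no longer rejects a missing `ssl_ca_cert`, every context configured without one now takes this path, so a log line such as `MXS_NOTICE("No ssl_ca_cert defined for SSL context, using the system default CA verify paths");` in the `else` branch would let an operator see which trust store accepted or rejected a peer. The Configuration-Guide hunk should state the same fallback, i.e. that when `ssl_ca_cert` is omitted the system default CA paths are used for verification, rather than only saying custom CA certificates can be defined. `SSLContext::init()` starts and ends outside the hunk.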