From b573fcf030375adcce10d7ca9abc1afcb1db1197 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Fri, 17 Jan 2020 08:59:19 +0200
Subject: [PATCH] MXS-2839: Make ssl_ca_cert optional
Not defining ssl_ca_cert causes the system default verification chain to be used.
---
 .../Getting-Started/Configuration-Guide.md | 13 +++++++------
 server/core/config.cc | 11 +----------
 server/core/listener.cc | 16 +++++++++++-----
 3 files changed, 19 insertions(+), 21 deletions(-)
diff --git a/Documentation/Getting-Started/Configuration-Guide.md b/Documentation/Getting-Started/Configuration-Guide.md
index 7a2de666d..1b61e7dab 100644
--- a/Documentation/Getting-Started/Configuration-Guide.md
+++ b/Documentation/Getting-Started/Configuration-Guide.md
@@ -1786,13 +1786,14 @@ This section describes configuration parameters for both servers and listeners that control the TLS/SSL encryption method and the various certificate files involved in it.
-To enable TLS/SSL for a listener, you must set the `ssl` parameter to `true`
-and provide the three files for `ssl_cert`, `ssl_key` and `ssl_ca_cert`.
+To enable TLS/SSL for a listener, you must set the `ssl` parameter to
+`true` and provide at least the `ssl_cert` and `ssl_key` parameters.
-To enable TLS/SSL for a server, you must set the `ssl` parameter to `required`
-and provide at least the `ssl_ca_cert` parameter. If the backend database server
-has certificate verification enabled, the `ssl_cert` and `ssl_key` parameters
-must also be defined.
+To enable TLS/SSL for a server, you must set the `ssl` parameter to
+`true`. If the backend database server has certificate verification
+enabled, the `ssl_cert` and `ssl_key` parameters must also be defined.
+
+Custom CA certificates can be defined with the `ssl_ca_cert` parameter.
 After this, MaxScale connections between the server and/or the client will be encrypted. Note that the database must also be configured to use TLS/SSL 
diff --git a/server/core/config.cc b/server/core/config.cc
index 789f61804..080b469e0 100644
--- a/server/core/config.cc
+++ b/server/core/config.cc
@@ -2756,15 +2756,6 @@ bool config_create_ssl(const char* name,
 char* ssl_key = config_get_value(params, CN_SSL_KEY);
 char* ssl_ca_cert = config_get_value(params, CN_SSL_CA_CERT);
- if (ssl_ca_cert == NULL)
- {
- MXS_ERROR("CA Certificate missing for '%s'." "Please provide the path to the certificate authority " "certificate by adding the ssl_ca_cert= parameter", name);
- error = true;
- }
-
 if (require_cert)
 {
 if (ssl_cert == NULL)
@@ -2803,7 +2794,7 @@ bool config_create_ssl(const char* name,
 listener_set_certificates(ssl, ssl_cert, ssl_key, ssl_ca_cert);
- mxb_assert(access(ssl_ca_cert, F_OK) == 0);
+ mxb_assert(!ssl_ca_cert || access(ssl_ca_cert, F_OK) == 0);
 mxb_assert(!ssl_cert || access(ssl_cert, F_OK) == 0);
 mxb_assert(!ssl_key || access(ssl_key, F_OK) == 0);
diff --git a/server/core/listener.cc b/server/core/listener.cc
index 3bdc24692..c33836806 100644
--- a/server/core/listener.cc
+++ b/server/core/listener.cc
@@ -378,12 +378,18 @@ bool SSL_LISTENER_init(SSL_LISTENER* ssl)
 SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_callback);
 }
- mxb_assert(ssl->ssl_ca_cert);
-
- /* Load the CA certificate into the SSL_CTX structure */
- if (!SSL_CTX_load_verify_locations(ctx, ssl->ssl_ca_cert, NULL))
+ if (ssl->ssl_ca_cert)
 {
- MXS_ERROR("Failed to set Certificate Authority file: %s", get_ssl_errors());
+ /* Load the CA certificate into the SSL_CTX structure */
+ if (!SSL_CTX_load_verify_locations(ctx, ssl->ssl_ca_cert, NULL))
+ {
+ MXS_ERROR("Failed to set Certificate Authority file: %s", get_ssl_errors());
+ rval = false;
+ }
+ }
+ else if (SSL_CTX_set_default_verify_paths(ctx) == 0)
+ {
+ MXS_ERROR("Failed to set default CA verify paths: %s", get_ssl_errors());
 rval = false;
 }
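Review bot: With the `ssl_ca_cert == NULL` error block removed from config_create_ssl, a server or listener whose CA path is simply missing now starts up with no record that certificate verification has been handed to the system default CA store, whereas before this change such a configuration failed loudly at load time. The fallback itself is in the listener.cc hunk; here nothing distinguishes a deliberate omission from an accidental one, and for backend connections the trusted set silently widens to whatever the distribution bundle contains. A one-line notice in place of the removed block would make that visible in the log, e.g. `if (ssl_ca_cert == NULL) { MXS_NOTICE("No ssl_ca_cert defined for '%s', using the system default CA verification paths", name); }`. The Configuration-Guide hunk could state the same so operators know which trust store applies when the parameter is left out. config_create_ssl begins and continues outside this hunk.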