hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch '2.3' into 2.4

Browse Source
This commit is contained in:
Markus Mäkelä
2020-01-17 09:24:42 +02:00
parent b6dc67f1b9 b573fcf030
commit df3ae56952
3 changed files with 18 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
Documentation/Getting-Started/Configuration-Guide.md
View File

@ -1979,13 +1979,14 @@ This section describes configuration parameters for both servers and listeners
that control the TLS/SSL encryption method and the various certificate files that control the TLS/SSL encryption method and the various certificate files
involved in it. involved in it.
To enable TLS/SSL for a listener, you must set the `ssl` parameter to `true` To enable TLS/SSL for a listener, you must set the `ssl` parameter to
and provide the three files for `ssl_cert`, `ssl_key` and `ssl_ca_cert`. `true` and provide at least the `ssl_cert` and `ssl_key` parameters.
To enable TLS/SSL for a server, you must set the `ssl` parameter to `required` To enable TLS/SSL for a server, you must set the `ssl` parameter to
and provide at least the `ssl_ca_cert` parameter. If the backend database server `true`. If the backend database server has certificate verification
has certificate verification enabled, the `ssl_cert` and `ssl_key` parameters enabled, the `ssl_cert` and `ssl_key` parameters must also be defined.
must also be defined.
Custom CA certificates can be defined with the `ssl_ca_cert` parameter.
After this, MaxScale connections between the server and/or the client will be After this, MaxScale connections between the server and/or the client will be
encrypted. Note that the database must also be configured to use TLS/SSL encrypted. Note that the database must also be configured to use TLS/SSL

9
server/core/config.cc
View File

@ -2889,15 +2889,6 @@ bool config_create_ssl(const char* name,
if (value) if (value)
{ {
if (!params.contains(CN_SSL_CA_CERT))
{
MXS_ERROR("CA Certificate missing for '%s'."
"Please provide the path to the certificate authority "
"certificate by adding the ssl_ca_cert=<path> parameter",
name);
ok = false;
}
if (require_cert) if (require_cert)
{ {
if (!params.contains(CN_SSL_CERT)) if (!params.contains(CN_SSL_CERT))

10
server/core/ssl.cc
View File

@ -335,14 +335,20 @@ bool SSLContext::init()
SSL_CTX_set_tmp_rsa_callback(m_ctx, tmp_rsa_callback); SSL_CTX_set_tmp_rsa_callback(m_ctx, tmp_rsa_callback);
} }
mxb_assert(!m_cfg.ca.empty()); if (!m_cfg.ca.empty())
{
/* Load the CA certificate into the SSL_CTX structure */ /* Load the CA certificate into the SSL_CTX structure */
if (!SSL_CTX_load_verify_locations(m_ctx, m_cfg.ca.c_str(), NULL)) if (!SSL_CTX_load_verify_locations(m_ctx, m_cfg.ca.c_str(), NULL))
{ {
MXS_ERROR("Failed to set Certificate Authority file: %s", get_ssl_errors()); MXS_ERROR("Failed to set Certificate Authority file: %s", get_ssl_errors());
return false; return false;
} }
}
else if (SSL_CTX_set_default_verify_paths(m_ctx) == 0)
{
MXS_ERROR("Failed to set default CA verify paths: %s", get_ssl_errors());
return false;
}
if (!m_cfg.cert.empty() && !m_cfg.key.empty()) if (!m_cfg.cert.empty() && !m_cfg.key.empty())
{ {