MXS-2763: Log correct error for unsupported TLS versions

Previously when ssl_version was used with a value that is not supported on the system, an unknown parameter error was returned. This could be confusing and logging a proper error message should make it clear.
2019-11-11 12:34:31 +02:00 · 2019-11-11 12:34:31 +02:00 · f7f865d4c3
commit f7f865d4c3
parent 53ee7072ee
4 changed files with 16 additions and 27 deletions
--- a/include/maxscale/ssl.h
+++ b/include/maxscale/ssl.h
@ -31,13 +31,9 @@ struct dcb;

 typedef enum ssl_method_type
 {
-#ifndef OPENSSL_1_1
    SERVICE_TLS10,
-#endif
-#ifdef OPENSSL_1_0
    SERVICE_TLS11,
    SERVICE_TLS12,
-#endif
    SERVICE_SSL_MAX,
    SERVICE_TLS_MAX,
    SERVICE_SSL_TLS_MAX,
--- a/server/core/config.cc
+++ b/server/core/config.cc
@ -279,13 +279,9 @@ static const MXS_ENUM_VALUE ssl_values[] =
 static const MXS_ENUM_VALUE ssl_version_values[] =
 {
    {"MAX",    SERVICE_SSL_TLS_MAX},
-#ifndef OPENSSL_1_1
    {"TLSv10", SERVICE_TLS10      },
-#endif
-#ifdef OPENSSL_1_0
    {"TLSv11", SERVICE_TLS11      },
    {"TLSv12", SERVICE_TLS12      },
-#endif
    {NULL}
 };

--- a/server/core/listener.cc
+++ b/server/core/listener.cc
@ -188,14 +188,10 @@ int listener_set_ssl_version(SSL_LISTENER* ssl_listener, const char* version)
    {
        ssl_listener->ssl_method_type = SERVICE_SSL_TLS_MAX;
    }
-#ifndef OPENSSL_1_1
    else if (strcasecmp(version, "TLSV10") == 0)
    {
        ssl_listener->ssl_method_type = SERVICE_TLS10;
    }
-#else
-#endif
-#ifdef OPENSSL_1_0
    else if (strcasecmp(version, "TLSV11") == 0)
    {
        ssl_listener->ssl_method_type = SERVICE_TLS11;
@ -204,7 +200,6 @@ int listener_set_ssl_version(SSL_LISTENER* ssl_listener, const char* version)
    {
        ssl_listener->ssl_method_type = SERVICE_TLS12;
    }
-#endif
    else
    {
        return -1;
@ -278,22 +273,34 @@ bool SSL_LISTENER_init(SSL_LISTENER* ssl)

    switch (ssl->ssl_method_type)
    {
-#ifndef OPENSSL_1_1
    case SERVICE_TLS10:
+#ifndef OPENSSL_1_1
        ssl->method = (SSL_METHOD*)TLSv1_method();
+#else
+        MXS_ERROR("TLSv1.0 is not supported on this system.");
+        return false;
+#endif
        break;

-#endif
-#ifdef OPENSSL_1_0
+
    case SERVICE_TLS11:
+#ifdef OPENSSL_1_0
        ssl->method = (SSL_METHOD*)TLSv1_1_method();
+#else
+        MXS_ERROR("TLSv1.1 is not supported on this system.");
+        return false;
+#endif
        break;

    case SERVICE_TLS12:
+#ifdef OPENSSL_1_0
        ssl->method = (SSL_METHOD*)TLSv1_2_method();
+#else
+        MXS_ERROR("TLSv1.2 is not supported on this system.");
+        return false;
+#endif
        break;

-#endif
    /** Rest of these use the maximum available SSL/TLS methods */
    case SERVICE_SSL_MAX:
        ssl->method = (SSL_METHOD*)SSLv23_method();
--- a/server/core/ssl.cc
+++ b/server/core/ssl.cc
@ -201,19 +201,15 @@ const char* ssl_method_type_to_string(ssl_method_type_t method_type)
 {
    switch (method_type)
    {
-#ifndef OPENSSL_1_1
    case SERVICE_TLS10:
        return "TLSV10";

-#endif
-#ifdef OPENSSL_1_0
    case SERVICE_TLS11:
        return "TLSV11";

    case SERVICE_TLS12:
        return "TLSV12";

-#endif
    case SERVICE_SSL_MAX:
    case SERVICE_TLS_MAX:
    case SERVICE_SSL_TLS_MAX:
@ -230,14 +226,10 @@ ssl_method_type_t string_to_ssl_method_type(const char* str)
    {
        return SERVICE_SSL_TLS_MAX;
    }
-
-#ifndef OPENSSL_1_1
    else if (strcasecmp("TLSV10", str) == 0)
    {
        return SERVICE_TLS10;
    }
-#endif
-#ifdef OPENSSL_1_0
    else if (strcasecmp("TLSV11", str) == 0)
    {
        return SERVICE_TLS11;
@ -246,8 +238,6 @@ ssl_method_type_t string_to_ssl_method_type(const char* str)
    {
        return SERVICE_TLS12;
    }
-#endif
-
    return SERVICE_SSL_UNKNOWN;
 }