14 changes: 9 additions & 5 deletions go/db/tls.go
Expand Up @@ -103,8 +103,8 @@ func SetupMySQLTopologyTLS(uri string) (string, error) {
}
tlsConfig.InsecureSkipVerify = config.Config.MySQLTopologySSLSkipVerify

if config.Config.MySQLTopologyUseMutualTLS ||
config.Config.MySQLTopologySSLCertFile != "" ||
if (config.Config.MySQLTopologyUseMutualTLS && !config.Config.MySQLTopologySSLSkipVerify) &&
config.Config.MySQLTopologySSLCertFile != "" &&
config.Config.MySQLTopologySSLPrivateKeyFile != "" {
if err = ssl.AppendKeyPair(tlsConfig, config.Config.MySQLTopologySSLCertFile, config.Config.MySQLTopologySSLPrivateKeyFile); err != nil {
return "", log.Errorf("Can't setup TLS key pairs for %s: %s", uri, err)
Expand All @@ -123,15 +123,19 @@ func SetupMySQLTopologyTLS(uri string) (string, error) {
// Modify the supplied URI to call the TLS config
func SetupMySQLOrchestratorTLS(uri string) (string, error) {
if !orchestratorTLSConfigured {
tlsConfig, err := ssl.NewTLSConfig(config.Config.MySQLOrchestratorSSLCAFile, true)
tlsConfig, err := ssl.NewTLSConfig(config.Config.MySQLOrchestratorSSLCAFile, !config.Config.MySQLOrchestratorSSLSkipVerify)
// Drop to TLS 1.0 for talking to MySQL
tlsConfig.MinVersion = tls.VersionTLS10
if err != nil {
return "", log.Fatalf("Can't create TLS configuration for Orchestrator connection %s: %s", uri, err)
}
tlsConfig.InsecureSkipVerify = config.Config.MySQLOrchestratorSSLSkipVerify
if err = ssl.AppendKeyPair(tlsConfig, config.Config.MySQLOrchestratorSSLCertFile, config.Config.MySQLOrchestratorSSLPrivateKeyFile); err != nil {
return "", log.Fatalf("Can't setup TLS key pairs for %s: %s", uri, err)
if (!config.Config.MySQLOrchestratorSSLSkipVerify) &&
config.Config.MySQLOrchestratorSSLCertFile != "" &&
config.Config.MySQLOrchestratorSSLPrivateKeyFile != "" {
if err = ssl.AppendKeyPair(tlsConfig, config.Config.MySQLOrchestratorSSLCertFile, config.Config.MySQLOrchestratorSSLPrivateKeyFile); err != nil {
return "", log.Fatalf("Can't setup TLS key pairs for %s: %s", uri, err)
}
}
if err = mysql.RegisterTLSConfig("orchestrator", tlsConfig); err != nil {
return "", log.Fatalf("Can't register mysql TLS config for orchestrator: %s", err)
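Review bot: The new guard on the orchestrator key-pair block (`if (!config.Config.MySQLOrchestratorSSLSkipVerify) &&`) ties presenting the client certificate to verification of the server certificate, which are independent settings; with MySQLOrchestratorSSLSkipVerify set, a configured cert and key are now silently never loaded, so a MySQL server that requires client authentication would likely reject the connection with nothing logged here. The same coupling appears in the first hunk, where `(config.Config.MySQLTopologyUseMutualTLS && !config.Config.MySQLTopologySSLSkipVerify)` disables mutual TLS whenever verification is skipped. I would drop the SkipVerify term from both conditions and gate only on the files being configured, `if config.Config.MySQLOrchestratorSSLCertFile != "" &&` here and `if config.Config.MySQLTopologyUseMutualTLS &&` in the topology function, leaving InsecureSkipVerify to govern only server verification. If the intent really is that skip-verify implies no client certificate, that deserves a comment above each condition, e.g. `// Client certificates are only presented when the server certificate is verified.`, since nothing on the page documents it. SetupMySQLOrchestratorTLS continues past the end of this hunk and SetupMySQLTopologyTLS begins before the first hunk.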