Posted to commits@qpid.apache.org by ch...@apache.org on 2020/09/08 20:59:24 UTC
[qpid-dispatch] branch master updated: DISPATCH-1766: Remove stale
code processing 'listener trustedCertsFile'
This is an automated email from the ASF dual-hosted git repository.
chug pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git
The following commit(s) were added to refs/heads/master by this push:
new b44abcb DISPATCH-1766: Remove stale code processing 'listener trustedCertsFile'
b44abcb is described below
commit b44abcbc0143c9eed8f7d0529ad2f8f59100dc7d
Author: Chuck Rolke <ch...@apache.org>
AuthorDate: Tue Sep 8 16:52:08 2020 -0400
DISPATCH-1766: Remove stale code processing 'listener trustedCertsFile'
This attribute is in the schema but it has been replaced with
'sslProfile caCertFile'.
* Deprecate 'listener trustedCertsFile' in schema.
* If the attribute is set then print a warning that the setting
has no effect.
This closes #840
---
console/react/test_data/schema.js | 5 -----
include/qpid/dispatch/server.h | 9 ---------
python/qpid_dispatch/management/qdrouter.json | 2 +-
src/connection_manager.c | 14 +++++++-------
src/http-libwebsockets.c | 2 +-
src/server.c | 9 ++-------
6 files changed, 11 insertions(+), 30 deletions(-)
diff --git a/console/react/test_data/schema.js b/console/react/test_data/schema.js
index df33351..bdae10a 100644
--- a/console/react/test_data/schema.js
+++ b/console/react/test_data/schema.js
@@ -897,11 +897,6 @@ export default {
description:
"yes: Require the connection to the peer to be encrypted; no: Permit non-encrypted communication with the peer"
},
- trustedCertsFile: {
- type: "path",
- description:
- "This optional setting can be used to reduce the set of available CAs for client authentication. If used, this setting must provide the absolute path to a PEM file that contains the trusted certificates."
- },
role: {
default: "normal",
type: ["normal", "inter-router", "route-container", "edge"],
diff --git a/include/qpid/dispatch/server.h b/include/qpid/dispatch/server.h
index aa8fcc4..092c4de 100644
--- a/include/qpid/dispatch/server.h
+++ b/include/qpid/dispatch/server.h
@@ -193,7 +193,6 @@ typedef struct qd_server_config_t {
char *ssl_uid_name_mapping_file;
char *ssl_password;
char *ssl_trusted_certificate_db;
- char *ssl_trusted_certificates;
char *ssl_ciphers;
char *ssl_protocols;
} sasl_plugin_config;
@@ -315,14 +314,6 @@ typedef struct qd_server_config_t {
char *ssl_trusted_certificate_db;
/**
- * Path to an optional file containing the PEM-formatted set of certificates of
- * trusted CAs for a particular connection/listener. This must be a subset of the
- * set of certificates in the ssl_trusted_certificate_db. If this is left NULL,
- * the entire set within the db will be used.
- */
- char *ssl_trusted_certificates;
-
- /**
* Iff true, require that the peer's certificate be supplied and that it be authentic
* according to the set of trusted CAs.
*/
diff --git a/python/qpid_dispatch/management/qdrouter.json b/python/qpid_dispatch/management/qdrouter.json
index 616cf64..1d138c2 100644
--- a/python/qpid_dispatch/management/qdrouter.json
+++ b/python/qpid_dispatch/management/qdrouter.json
@@ -807,7 +807,7 @@
},
"trustedCertsFile": {
"type": "path",
- "description": "This optional setting can be used to reduce the set of available CAs for client authentication. If used, this setting must provide the absolute path to a PEM file that contains the trusted certificates.",
+ "description": "(DEPRECATED) Use sslProfile caCertFile instead.",
"deprecationName": "trustedCerts",
"create": true
},
diff --git a/src/connection_manager.c b/src/connection_manager.c
index ef27bca..a73287f 100644
--- a/src/connection_manager.c
+++ b/src/connection_manager.c
@@ -39,7 +39,6 @@ struct qd_config_ssl_profile_t {
char *name;
char *ssl_password;
char *ssl_trusted_certificate_db;
- char *ssl_trusted_certificates;
char *ssl_uid_format;
char *uid_name_mapping_file;
char *ssl_certificate_file;
@@ -180,7 +179,6 @@ void qd_server_config_free(qd_server_config_t *cf)
if (cf->ssl_protocols) free(cf->ssl_protocols);
if (cf->ssl_password) free(cf->ssl_password);
if (cf->ssl_trusted_certificate_db) free(cf->ssl_trusted_certificate_db);
- if (cf->ssl_trusted_certificates) free(cf->ssl_trusted_certificates);
if (cf->ssl_uid_format) free(cf->ssl_uid_format);
if (cf->ssl_uid_name_mapping_file) free(cf->ssl_uid_name_mapping_file);
@@ -192,7 +190,6 @@ void qd_server_config_free(qd_server_config_t *cf)
if (cf->sasl_plugin_config.ssl_protocols) free(cf->sasl_plugin_config.ssl_protocols);
if (cf->sasl_plugin_config.ssl_password) free(cf->sasl_plugin_config.ssl_password);
if (cf->sasl_plugin_config.ssl_trusted_certificate_db) free(cf->sasl_plugin_config.ssl_trusted_certificate_db);
- if (cf->sasl_plugin_config.ssl_trusted_certificates) free(cf->sasl_plugin_config.ssl_trusted_certificates);
if (cf->sasl_plugin_config.ssl_uid_format) free(cf->sasl_plugin_config.ssl_uid_format);
if (cf->sasl_plugin_config.ssl_uid_name_mapping_file) free(cf->sasl_plugin_config.ssl_uid_name_mapping_file);
@@ -395,6 +392,13 @@ static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *conf
config->multi_tenant = qd_entity_opt_bool(entity, "multiTenant", false); CHECK();
config->policy_vhost = qd_entity_opt_string(entity, "policyVhost", 0); CHECK();
config->conn_props = qd_entity_opt_map(entity, "openProperties"); CHECK();
+
+ const char *unused = qd_entity_opt_string(entity, "trustedCertsFile", 0);
+ if (unused) {
+ qd_log(qd->connection_manager->log_source, QD_LOG_WARNING,
+ "Configuration listener attribute 'trustedCertsFile' is not used. Specify sslProfile caCertFile instead.");
+ }
+
set_config_host(config, entity);
if (config->sasl_password) {
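Review bot: The string returned by `qd_entity_opt_string(entity, "trustedCertsFile", 0)` is never released in the added block, and this is the only such call in the hunk without a trailing `CHECK();`. Elsewhere in this diff the result of the same call is stored in a `char *` field and later passed to `free()`, so the caller appears to own the buffer; if so, every listener configured with the deprecated attribute leaks the path string. Declaring it as `char *unused = qd_entity_opt_string(entity, "trustedCertsFile", 0); CHECK();` and adding `free(unused);` after the `if` block would fix both, and dropping the `const` makes the ownership visible. load_server_config starts and continues outside this hunk.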
@@ -485,7 +489,6 @@ static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *conf
config->ssl_protocols = SSTRDUP(ssl_profile->ssl_protocols);
config->ssl_password = SSTRDUP(ssl_profile->ssl_password);
config->ssl_trusted_certificate_db = SSTRDUP(ssl_profile->ssl_trusted_certificate_db);
- config->ssl_trusted_certificates = SSTRDUP(ssl_profile->ssl_trusted_certificates);
config->ssl_uid_format = SSTRDUP(ssl_profile->ssl_uid_format);
config->ssl_uid_name_mapping_file = SSTRDUP(ssl_profile->uid_name_mapping_file);
}
@@ -510,7 +513,6 @@ static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *conf
config->sasl_plugin_config.ssl_protocols = SSTRDUP(auth_ssl_profile->ssl_protocols);
config->sasl_plugin_config.ssl_password = SSTRDUP(auth_ssl_profile->ssl_password);
config->sasl_plugin_config.ssl_trusted_certificate_db = SSTRDUP(auth_ssl_profile->ssl_trusted_certificate_db);
- config->sasl_plugin_config.ssl_trusted_certificates = SSTRDUP(auth_ssl_profile->ssl_trusted_certificates);
config->sasl_plugin_config.ssl_uid_format = SSTRDUP(auth_ssl_profile->ssl_uid_format);
config->sasl_plugin_config.ssl_uid_name_mapping_file = SSTRDUP(auth_ssl_profile->uid_name_mapping_file);
} else {
@@ -550,7 +552,6 @@ static bool config_ssl_profile_free(qd_connection_manager_t *cm, qd_config_ssl_p
free(ssl_profile->name);
free(ssl_profile->ssl_password);
free(ssl_profile->ssl_trusted_certificate_db);
- free(ssl_profile->ssl_trusted_certificates);
free(ssl_profile->ssl_uid_format);
free(ssl_profile->uid_name_mapping_file);
free(ssl_profile->ssl_certificate_file);
@@ -622,7 +623,6 @@ qd_config_ssl_profile_t *qd_dispatch_configure_ssl_profile(qd_dispatch_t *qd, qd
ssl_profile->ssl_ciphers = qd_entity_opt_string(entity, "ciphers", 0); CHECK();
ssl_profile->ssl_protocols = qd_entity_opt_string(entity, "protocols", 0); CHECK();
ssl_profile->ssl_trusted_certificate_db = qd_entity_opt_string(entity, "caCertFile", 0); CHECK();
- ssl_profile->ssl_trusted_certificates = qd_entity_opt_string(entity, "trustedCertsFile", 0); CHECK();
ssl_profile->ssl_uid_format = qd_entity_opt_string(entity, "uidFormat", 0); CHECK();
ssl_profile->uid_name_mapping_file = qd_entity_opt_string(entity, "uidNameMappingFile", 0); CHECK();
diff --git a/src/http-libwebsockets.c b/src/http-libwebsockets.c
index 4958dfd..29878a8 100644
--- a/src/http-libwebsockets.c
+++ b/src/http-libwebsockets.c
@@ -353,7 +353,7 @@ static void listener_start(qd_http_listener_t *hl, qd_http_server_t *hs) {
info.ssl_cert_filepath = config->ssl_certificate_file;
info.ssl_private_key_filepath = config->ssl_private_key_file;
info.ssl_private_key_password = config->ssl_password;
- info.ssl_ca_filepath = config->ssl_trusted_certificates ? config->ssl_trusted_certificates : config->ssl_trusted_certificate_db;
+ info.ssl_ca_filepath = config->ssl_trusted_certificate_db;
info.ssl_cipher_list = config->ssl_ciphers;
info.options |=
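Review bot: `info.ssl_ca_filepath` now always takes the full `ssl_trusted_certificate_db`, so any deployment that did populate the removed `ssl_trusted_certificates` override to restrict client-certificate CAs would, after upgrade, verify peers against the wider caCertFile set. Whether that field was ever populated in practice is not visible here, and the only signal to the operator is the WARNING-level log added in src/connection_manager.c. A comment on this line would record the intent, e.g. `/* CA set for peer verification comes only from sslProfile caCertFile; listener trustedCertsFile is ignored */`, and the change deserves a release-note entry telling operators to trim caCertFile if they relied on the narrower list. The same applies to the two hunks in src/server.c; listener_start extends beyond this hunk.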
diff --git a/src/server.c b/src/server.c
index 0771be7..83ed00b 100644
--- a/src/server.c
+++ b/src/server.c
@@ -404,8 +404,6 @@ static qd_error_t listener_setup_ssl(qd_connection_t *ctx, const qd_server_confi
}
const char *trusted = config->ssl_trusted_certificate_db;
- if (config->ssl_trusted_certificates)
- trusted = config->ssl_trusted_certificates;
// do we force the peer to send a cert?
if (config->ssl_require_peer_authentication) {
@@ -1207,12 +1205,9 @@ static bool setup_ssl_sasl_and_open(qd_connection_t *ctx)
}
// peer must provide a cert
- const char *trusted = (config->ssl_trusted_certificates)
- ? config->ssl_trusted_certificates
- : config->ssl_trusted_certificate_db;
if (pn_ssl_domain_set_peer_authentication(domain,
- PN_SSL_VERIFY_PEER,
- trusted)) {
+ PN_SSL_VERIFY_PEER,
+ config->ssl_trusted_certificate_db)) {
qd_log(ct->server->log_source, QD_LOG_ERROR,
"SSL peer auth configuration failed for connection [C%"PRIu64"] to %s:%s",
ctx->connection_id, config->host, config->port);