Skip to content

Commit

Permalink
Provide specific f. to fix client ssl options
Browse files Browse the repository at this point in the history
Provides a specific function to fix client ssl options, i.e.: apply all
fixes that are applied for TLS listeneres and clients on previous
versions but also sets `cacerts` option to CA certificates obtained by
`public_key:cacerts_get`, only when no `cacertfile` or `cacerts` are
provided.
  • Loading branch information
LoisSotoLopez committed Oct 10, 2024
1 parent 2eeac4b commit d0d1d56
Show file tree
Hide file tree
Showing 5 changed files with 40 additions and 4 deletions.
3 changes: 2 additions & 1 deletion deps/amqp10_client/src/amqp10_client_frame_reader.erl
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,8 @@ init([Sup, ConnConfig]) when is_map(ConnConfig) ->
{ok, expecting_connection_pid, State}
end.

connect(Address, Port, #{tls_opts := {secure_port, Opts}}) ->
connect(Address, Port, #{tls_opts := {secure_port, Opts0}}) ->
Opts = rabbit_ssl_options:fix_client(Opts0),
case ssl:connect(Address, Port, ?RABBIT_TCP_OPTS ++ Opts) of
{ok, S} ->
{ssl, S};
Expand Down
2 changes: 1 addition & 1 deletion deps/amqp_client/src/amqp_network_connection.erl
Original file line number Diff line number Diff line change
Expand Up @@ -137,7 +137,7 @@ do_connect({Addr, Family},
[Family | ?RABBIT_TCP_OPTS] ++ ExtraOpts,
Timeout) of
{ok, Sock} ->
SslOpts = rabbit_ssl_options:fix(
SslOpts = rabbit_ssl_options:fix_client(
orddict:to_list(
orddict:merge(fun (_, _A, B) -> B end,
orddict:from_list(GlobalSslOpts),
Expand Down
35 changes: 35 additions & 0 deletions deps/rabbit_common/src/rabbit_ssl_options.erl
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
-module(rabbit_ssl_options).

-export([fix/1]).
-export([fix_client/1]).


-define(BAD_SSL_PROTOCOL_VERSIONS, [
Expand All @@ -22,6 +23,40 @@ fix(Config) ->
fix_ssl_protocol_versions(
hibernate_after(Config))).

-spec fix_client(rabbit_types:infos()) -> rabbit_types:infos().
fix_client(Config) ->
fix_cacerts(
fix(Config)).

fix_cacerts(SslOptsConfig) ->
case application:get_env(rabbit, test_enable_cacerts, false) of
true ->
CACerts = proplists:get_value(cacerts, SslOptsConfig, undefined),
CACertfile = proplists:get_value(cacertfile, SslOptsConfig, undefined),
case {CACerts, CACertfile} of
{undefined, undefined} ->
rabbit_log:debug("CACERTS NOT FOUND IN SSLOPTSCONFIG"),
logger:debug("CACERTS NOT FOUND IN SSLOPTSCONFIG", []),
try public_key:cacerts_get() of
CaCerts ->
rabbit_log:debug("GOT ~p CACERTS FROM OS", [length(CaCerts)]),
logger:debug("GOT ~p CACERTS FROM OS", [length(CaCerts)]),
[{cacerts, CaCerts} | SslOptsConfig]
catch
_ ->
rabbit_log:debug("FAILED TO GET CACERTS FROM OS"),
logger:debug("FAILED TO GET CACERTS FROM OS", []),
SslOptsConfig
end;
_CaCerts ->
rabbit_log:debug("CACERTS ALREADY IN SSLOPTSCONFIG"),
logger:debug("CACERTS ALREADY IN SSLOPTSCONFIG", []),
SslOptsConfig
end;
_ ->
SslOptsConfig
end.

fix_verify_fun(SslOptsConfig) ->
%% Starting with ssl 4.0.1 in Erlang R14B, the verify_fun function
%% takes 3 arguments and returns a tuple.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -205,7 +205,7 @@ do_http_req(Path0, Query) ->
ssl_options() ->
case application:get_env(rabbitmq_auth_backend_http, ssl_options) of
{ok, Opts0} when is_list(Opts0) ->
Opts1 = [{ssl, rabbit_networking:fix_ssl_options(Opts0)}],
Opts1 = [{ssl, rabbit_ssl_options:fix_client(Opts0)}],
case application:get_env(rabbitmq_auth_backend_http, ssl_hostname_verification) of
{ok, wildcard} ->
rabbit_log:debug("Enabling wildcard-aware hostname verification for HTTP client connections"),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -761,7 +761,7 @@ ssl_conf() ->
end.

ssl_options() ->
Opts0 = rabbit_networking:fix_ssl_options(env(ssl_options)),
Opts0 = rabbit_ssl_options:fix_client(env(ssl_options)),
case env(ssl_hostname_verification, undefined) of
wildcard ->
rabbit_log_ldap:debug("Enabling wildcard-aware hostname verification for LDAP client connections"),
Expand Down

0 comments on commit d0d1d56

Please sign in to comment.