From d0d1d56898d363e39dac91d455d8eddee145244e Mon Sep 17 00:00:00 2001 From: Lois Soto Lopez Date: Thu, 10 Oct 2024 13:08:52 +0200 Subject: [PATCH] Provide specific f. to fix client ssl options Provides a specific function to fix client ssl options, i.e.: apply all fixes that are applied for TLS listeneres and clients on previous versions but also sets `cacerts` option to CA certificates obtained by `public_key:cacerts_get`, only when no `cacertfile` or `cacerts` are provided. --- .../src/amqp10_client_frame_reader.erl | 3 +- .../src/amqp_network_connection.erl | 2 +- deps/rabbit_common/src/rabbit_ssl_options.erl | 35 +++++++++++++++++++ .../src/rabbit_auth_backend_http.erl | 2 +- .../src/rabbit_auth_backend_ldap.erl | 2 +- 5 files changed, 40 insertions(+), 4 deletions(-) diff --git a/deps/amqp10_client/src/amqp10_client_frame_reader.erl b/deps/amqp10_client/src/amqp10_client_frame_reader.erl index 05d8823999b1..364748b16c85 100644 --- a/deps/amqp10_client/src/amqp10_client_frame_reader.erl +++ b/deps/amqp10_client/src/amqp10_client_frame_reader.erl @@ -105,7 +105,8 @@ init([Sup, ConnConfig]) when is_map(ConnConfig) -> {ok, expecting_connection_pid, State} end. -connect(Address, Port, #{tls_opts := {secure_port, Opts}}) -> +connect(Address, Port, #{tls_opts := {secure_port, Opts0}}) -> + Opts = rabbit_ssl_options:fix_client(Opts0), case ssl:connect(Address, Port, ?RABBIT_TCP_OPTS ++ Opts) of {ok, S} -> {ssl, S}; diff --git a/deps/amqp_client/src/amqp_network_connection.erl b/deps/amqp_client/src/amqp_network_connection.erl index a5ef739ea0f3..33a906819e09 100644 --- a/deps/amqp_client/src/amqp_network_connection.erl +++ b/deps/amqp_client/src/amqp_network_connection.erl @@ -137,7 +137,7 @@ do_connect({Addr, Family}, [Family | ?RABBIT_TCP_OPTS] ++ ExtraOpts, Timeout) of {ok, Sock} -> - SslOpts = rabbit_ssl_options:fix( + SslOpts = rabbit_ssl_options:fix_client( orddict:to_list( orddict:merge(fun (_, _A, B) -> B end, orddict:from_list(GlobalSslOpts), 
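Review bot: The new `Opts = rabbit_ssl_options:fix_client(Opts0)` line runs before `ssl:connect/3`, so any exception raised by `fix_client/1` escapes `connect/3` instead of surfacing as the `{error, _}` path of the `case` below; the frame reader would crash rather than report a connection failure. If `fix_client/1` is meant to be best-effort (it reads the OS trust store), it should not throw, or this call should be wrapped so the failure maps to the existing error clause. This also appears to make `amqp10_client` depend on `rabbit_common` at runtime — worth checking that the application's dependency list already includes it, since the hunk does not show it. `connect/3` continues past the end of this hunk.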
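Review bot: Switching this merged option list to `rabbit_ssl_options:fix_client(` changes behaviour for the Erlang AMQP 0-9-1 client, which is commonly run outside the broker, and `fix_client/1` gates its new behaviour on `application:get_env(rabbit, test_enable_cacerts, false)`; in a standalone client the `rabbit` application is typically not loaded, so the default `false` applies and the OS CA bundle is never added. If the intent is for the client to pick up system CAs, the gate should not live in the `rabbit` application environment, and the comment above this call should say which app env controls it, e.g. `%% fix_client/1 may add {cacerts, _} from the OS trust store (see rabbit_ssl_options)`. `do_connect/3` starts and ends outside this hunk.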
diff --git a/deps/rabbit_common/src/rabbit_ssl_options.erl b/deps/rabbit_common/src/rabbit_ssl_options.erl index ee0d1b4a3260..cc5883af0bef 100644 --- a/deps/rabbit_common/src/rabbit_ssl_options.erl +++ b/deps/rabbit_common/src/rabbit_ssl_options.erl @@ -8,6 +8,7 @@ -module(rabbit_ssl_options). -export([fix/1]). +-export([fix_client/1]). -define(BAD_SSL_PROTOCOL_VERSIONS, [ @@ -22,6 +23,40 @@ fix(Config) -> fix_ssl_protocol_versions( hibernate_after(Config))). +-spec fix_client(rabbit_types:infos()) -> rabbit_types:infos(). +fix_client(Config) -> + fix_cacerts( + fix(Config)). + +fix_cacerts(SslOptsConfig) -> + case application:get_env(rabbit, test_enable_cacerts, false) of + true -> + CACerts = proplists:get_value(cacerts, SslOptsConfig, undefined), + CACertfile = proplists:get_value(cacertfile, SslOptsConfig, undefined), + case {CACerts, CACertfile} of + {undefined, undefined} -> + rabbit_log:debug("CACERTS NOT FOUND IN SSLOPTSCONFIG"), + logger:debug("CACERTS NOT FOUND IN SSLOPTSCONFIG", []), + try public_key:cacerts_get() of + CaCerts -> + rabbit_log:debug("GOT ~p CACERTS FROM OS", [length(CaCerts)]), + logger:debug("GOT ~p CACERTS FROM OS", [length(CaCerts)]), + [{cacerts, CaCerts} | SslOptsConfig] + catch + _ -> + rabbit_log:debug("FAILED TO GET CACERTS FROM OS"), + logger:debug("FAILED TO GET CACERTS FROM OS", []), + SslOptsConfig + end; + _CaCerts -> + rabbit_log:debug("CACERTS ALREADY IN SSLOPTSCONFIG"), + logger:debug("CACERTS ALREADY IN SSLOPTSCONFIG", []), + SslOptsConfig + end; + _ -> + SslOptsConfig + end. + fix_verify_fun(SslOptsConfig) -> %% Starting with ssl 4.0.1 in Erlang R14B, the verify_fun function %% takes 3 arguments and returns a tuple. diff --git a/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl b/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl index c61aceeb8983..43f288f53129 100644 --- a/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl 
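Review bot: The `catch _ ->` clause in `fix_cacerts/1` only matches `throw` exceptions, but `public_key:cacerts_get/0` raises an `error`-class exception when no CA certificates can be loaded, so the "FAILED TO GET CACERTS FROM OS" branch is unreachable and the error propagates out of `fix_client/1` into every caller this patch adds (AMQP connection setup, HTTP and LDAP auth backends). Use `catch Class:Reason ->` and log the reason at warning level, since a missing system trust store is an operator-visible TLS failure rather than a debug event. The gate on `application:get_env(rabbit, test_enable_cacerts, false)` contradicts the commit message, which says OS CAs are used whenever neither `cacertfile` nor `cacerts` is set; with the default `false` the new code never runs, and the `test_` prefix suggests it was not meant to ship. Every message is also logged twice (`rabbit_log:debug` and `logger:debug`) in all-caps; one call with a normal-case message is enough, and `length(CaCerts)` is fine to keep for the count.
```erlang
fix_cacerts(SslOptsConfig) ->
    case application:get_env(rabbit, test_enable_cacerts, false) of
        true ->
            %% … unchanged: cacerts / cacertfile lookup …
            case {CACerts, CACertfile} of
                {undefined, undefined} ->
                    try public_key:cacerts_get() of
                        CaCerts ->
                            logger:debug("Using ~b CA certificate(s) from the OS trust store",
                                         [length(CaCerts)]),
                            [{cacerts, CaCerts} | SslOptsConfig]
                    catch
                        Class:Reason ->
                            logger:warning("Could not load CA certificates from the OS trust store (~p:~p); "
                                           "peer verification will fail unless cacertfile or cacerts is configured",
                                           [Class, Reason]),
                            SslOptsConfig
                    end;
                %% … unchanged: cacerts already configured …
```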
+++ b/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl @@ -205,7 +205,7 @@ do_http_req(Path0, Query) -> ssl_options() -> case application:get_env(rabbitmq_auth_backend_http, ssl_options) of {ok, Opts0} when is_list(Opts0) -> - Opts1 = [{ssl, rabbit_networking:fix_ssl_options(Opts0)}], + Opts1 = [{ssl, rabbit_ssl_options:fix_client(Opts0)}], case application:get_env(rabbitmq_auth_backend_http, ssl_hostname_verification) of {ok, wildcard} -> rabbit_log:debug("Enabling wildcard-aware hostname verification for HTTP client connections"), diff --git a/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl b/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl index bba6767a3ce4..ec6ca0098473 100644 --- a/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl +++ b/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl @@ -761,7 +761,7 @@ ssl_conf() -> end. ssl_options() -> - Opts0 = rabbit_networking:fix_ssl_options(env(ssl_options)), + Opts0 = rabbit_ssl_options:fix_client(env(ssl_options)), case env(ssl_hostname_verification, undefined) of wildcard -> rabbit_log_ldap:debug("Enabling wildcard-aware hostname verification for LDAP client connections"),
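Review bot: The injected CA bundle from `rabbit_ssl_options:fix_client(Opts0)` is only consulted by `ssl` when `{verify, verify_peer}` is set, and nothing in this hunk sets or defaults `verify` for the httpc `{ssl, ...}` options; an operator who configured `ssl_options` without `verify` still gets no certificate validation against the authentication backend, which carries user credentials. If the plugin does not already default `verify_peer` elsewhere, consider adding `proplists:get_value(verify, Opts0)` handling here, or at least a comment on this line such as `%% OS cacerts added by fix_client/1 are ignored unless verify is verify_peer`. `ssl_options/0` continues past the end of this hunk.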