diff --git a/esp/bindings/http/platform/httpprot.cpp b/esp/bindings/http/platform/httpprot.cpp
index d4b2b69285e..e4e6af64ec1 100644
--- a/esp/bindings/http/platform/httpprot.cpp
+++ b/esp/bindings/http/platform/httpprot.cpp
@@ -216,32 +216,38 @@ CSecureHttpProtocol::CSecureHttpProtocol(IPropertyTree* cfg)
 {
 m_config.setown(cfg);
- //ensure keys are specified. Passphrase is optional
- StringBuffer sb;
- cfg->getProp("certificate", sb);
- if(sb.length() == 0)
- {
- throw MakeStringException(-1, "certificate file not specified in config file");
- }
+ IEspPlugin *pplg = loadPlugin(SSLIB);
+ if (!pplg)
+ throw MakeStringException(-1, "dll/shared-object %s can't be loaded", SSLIB);
- cfg->getProp("privatekey", sb.clear());
- if(sb.length() == 0)
+ const char *issuer = cfg->queryProp("issuer");
+ if (!isEmptyString(issuer))
 {
- throw MakeStringException(-1, "private key file not specified in config file");
+ const char *trustedPeers = nullptr;
+ if (cfg->hasProp("verify"))
+ trustedPeers = cfg->queryProp("verify/trusted_peers");
+ createSecureSocketContextSecretSrv_t xproc = (createSecureSocketContextSecretSrv_t) pplg->getProcAddress("createSecureSocketContextSecretSrv");
+ if (!xproc)
+ throw MakeStringException(-1, "procedure createSecureSocketContextSecretSrv can't be loaded");
+ m_ssctx.setown(xproc(issuer, trustedPeers, false));
 }
-
- createSecureSocketContextEx2_t xproc = NULL;
- IEspPlugin *pplg = loadPlugin(SSLIB);
- if (pplg)
- xproc = (createSecureSocketContextEx2_t) pplg->getProcAddress("createSecureSocketContextEx2");
 else
- throw MakeStringException(-1, "dll/shared-object %s can't be loaded", SSLIB);
-
-
- if (xproc)
+ {
+ //ensure keys are specified. Passphrase is optional
+ StringBuffer sb;
+ cfg->getProp("certificate", sb);
+ if(sb.isEmpty())
+ throw MakeStringException(-1, "certificate file not specified in config file");
+
+ cfg->getProp("privatekey", sb.clear());
+ if(sb.isEmpty())
+ throw MakeStringException(-1, "private key file not specified in config file");
+
+ createSecureSocketContextEx2_t xproc = (createSecureSocketContextEx2_t) pplg->getProcAddress("createSecureSocketContextEx2");
+ if (!xproc)
+ throw MakeStringException(-1, "procedure createSecureSocketContextEx2 can't be loaded");
 m_ssctx.setown(xproc(cfg, ServerSocket));
- else
- throw MakeStringException(-1, "procedure createSecureSocketContextEx2 can't be loaded");
+ }
 }
 }
diff --git a/helm/hpcc/templates/esp.yaml b/helm/hpcc/templates/esp.yaml
index c4457d89f20..85f64e1c5ae 100644
--- a/helm/hpcc/templates/esp.yaml
+++ b/helm/hpcc/templates/esp.yaml
@@ -45,6 +45,7 @@ data:
 tls: {{ include "hpcc.isIssuerEnabled" (dict "root" .root "issuerKeyName" $issuerKeyName) }}
 {{- end }}
 tls_config:
+ issuer: {{ $issuerKeyName }}
 {{- if $externalCert }}
 certificate: /opt/HPCCSystems/secrets/certificates/{{ $issuerKeyName }}/tls.crt
 privatekey: /opt/HPCCSystems/secrets/certificates/{{ $issuerKeyName }}/tls.key
diff --git a/system/mp/mpcomm.cpp b/system/mp/mpcomm.cpp
index 483f79765e5..299f674e1fb 100644
--- a/system/mp/mpcomm.cpp
+++ b/system/mp/mpcomm.cpp
@@ -2132,7 +2132,7 @@ CMPConnectThread::CMPConnectThread(CMPServer *_parent, unsigned port, bool _list
 #if defined(_USE_OPENSSL)
 if (parent->useTLS)
- secureContextServer.setown(createSecureSocketContextSecretSrv("local", true));
+ secureContextServer.setown(createSecureSocketContextSecretSrv("local", nullptr, true));
 #endif
 }
diff --git a/system/security/securesocket/securesocket.cpp b/system/security/securesocket/securesocket.cpp
index 7c61a6c9a5f..cf35bd3ef40 100644
--- a/system/security/securesocket/securesocket.cpp
+++ b/system/security/securesocket/securesocket.cpp
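Review bot: Once `issuer` is set in `tls_config`, the new branch forwards only `verify/trusted_peers` to `createSecureSocketContextSecretSrv` and never consults `cfg` again, so any other key that the `createSecureSocketContextEx2(cfg, ...)` path reads — the rest of the `verify` subtree, `certificate`, `privatekey`, the passphrase — is silently ignored rather than rejected when it appears alongside an issuer. Either forward those settings or fail on the conflict, and state the precedence in a comment at the top of the branch, e.g. `// "issuer" takes precedence over certificate/privatekey; only verify/trusted_peers is honoured on this path`. The `cfg->hasProp("verify")` guard looks redundant if `queryProp` returns nullptr for a missing path, which is what the `queryProp("issuer")` call two lines above already relies on. The mTLS flag is hard-coded to `false` in `xproc(issuer, trustedPeers, false)`, so a null `trustedPeers` presumably means no client-certificate verification on this listener; that is worth saying in the same comment, since it is the security-relevant outcome of leaving `verify` out of the config. The constructor's signature is in the hunk header; its body ends inside the hunk.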
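Review bot: `issuer: {{ $issuerKeyName }}` is emitted unconditionally, whereas the `tls:` line just above is gated on `hpcc.isIssuerEnabled`; if that helper can be false while `$externalCert` is set, the ESP side will see a non-empty issuer, take the issuer branch, and throw "TLS issuer %s secure context requested but not configured" instead of using the `certificate`/`privatekey` pair listed right below it. Guarding the new line with the same test — along the lines of `{{- if eq (include "hpcc.isIssuerEnabled" (dict "root" .root "issuerKeyName" $issuerKeyName)) "true" }}`, adjusted to whatever the helper actually returns — would keep the two configurations mutually exclusive.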
@@ -2011,14 +2011,15 @@ SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSecret(const cha
 }
-SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSecretSrv(const char *issuer, bool requireMtlsFlag)
+SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSecretSrv(const char *issuer, const char *optTrustedPeers, bool requireMtlsFlag)
 {
 if (requireMtlsFlag && !queryMtls())
- throw makeStringException(-100, "TLS secure communication requested but not configured");
+ throw makeStringException(-100, "MTLS secure context required but not configured");
+
+ Owned info = getIssuerTlsSyncedConfig(issuer, optTrustedPeers, false);
- Owned info = getIssuerTlsSyncedConfig(issuer);
 if (!info->isValid())
- throw makeStringException(-101, "TLS secure communication requested but not configured (2)");
+ throw makeStringExceptionV(-101, "TLS issuer %s secure context requested but not configured (2)", issuer);
 return createSecureSocketContextSynced(info, ServerSocket);
 }
@@ -2216,7 +2217,7 @@ class CSingletonSecureSocketConnection: public CSingletonSocketConnection
 state = Snone;
 cancelling = false;
 secureContextClient.setown(createSecureSocketContextSecret("local", ClientSocket));
- secureContextServer.setown(createSecureSocketContextSecretSrv("local", true));
+ secureContextServer.setown(createSecureSocketContextSecretSrv("local", nullptr, true));
 #ifdef _CONTAINERIZED
 tlsLogLevel = getComponentConfigSP()->getPropInt("logging/@detail", SSLogMin);
 if (tlsLogLevel >= ExtraneousMsgThreshold) // or InfoMsgThreshold ?
diff --git a/system/security/securesocket/securesocket.hpp b/system/security/securesocket/securesocket.hpp
index cc790676f7d..4d75bb56e75 100644
--- a/system/security/securesocket/securesocket.hpp
+++ b/system/security/securesocket/securesocket.hpp
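Review bot: `makeStringExceptionV(-101, "TLS issuer %s ...", issuer)` formats `issuer` with `%s`, but nothing in `createSecureSocketContextSecretSrv` rejects a null or empty `issuer` first; every caller on this page passes `"local"` or a value already checked with `isEmptyString`, yet this is an exported C entry point that is also resolved through `getProcAddress`, so a null pointer would reach the formatter as undefined behaviour instead of a clean error. Add `if (isEmptyString(issuer)) throw makeStringException(-101, "TLS issuer not specified");` ahead of the `getIssuerTlsSyncedConfig` call. The new call also passes a literal `false` whose meaning is not visible here; a short comment naming what that flag switches off would help, because the server context is the side that decides which client certificates are accepted and `optTrustedPeers` may be nullptr. The function is complete within the hunk.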
@@ -84,13 +84,14 @@ typedef ISecureSocketContext* (*createSecureSocketContext_t)(SecureSocketType);
 typedef ISecureSocketContext* (*createSecureSocketContextEx_t)(const char* certFileOrBuf, const char* privKeyFileOrBuf, const char* passphrase, SecureSocketType);
 typedef ISecureSocketContext* (*createSecureSocketContextEx2_t)(IPropertyTree* config, SecureSocketType);
 typedef ISecureSocketContext* (*createSecureSocketContextSecret_t)(const char *mtlsSecretName, SecureSocketType);
+typedef ISecureSocketContext* (*createSecureSocketContextSecretSrv_t)(const char *mtlsSecretName, const char *optTrustedPeers, bool requireMtlsConfig);
 extern "C" {
 //The following allow the creation of a secure socket context where the certificates will automatically be updated when they expire.
 SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSynced(const ISyncedPropertyTree * config, SecureSocketType sockettype); // Will become the primary (only) factory method
 SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSecret(const char *mtlsSecretName, SecureSocketType);
-SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSecretSrv(const char *mtlsSecretName, bool requireMtlsConfig);
+SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSecretSrv(const char *mtlsSecretName, const char *optTrustedPeers, bool requireMtlsConfig);
 SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSSF(ISmartSocketFactory* ssf);
 //Helper function to aid migration to the functions above. This should eventually be removed.
diff --git a/thorlcr/msort/tsorts1.cpp b/thorlcr/msort/tsorts1.cpp
index e1f0c10cfb0..abe76aeeef9 100644
--- a/thorlcr/msort/tsorts1.cpp
+++ b/thorlcr/msort/tsorts1.cpp
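Review bot: The new `createSecureSocketContextSecretSrv_t` typedef and the updated declaration introduce `optTrustedPeers` without a word on what it holds, whether nullptr is allowed (every caller on this page passes nullptr) or how it relates to the issuer's own trust configuration; since this is the signature a plugin consumer binds through `getProcAddress`, the header is the only place they will look. I would add above the declaration: `// optTrustedPeers: optional (nullptr allowed) trusted-peer list passed through to getIssuerTlsSyncedConfig; see that function for the accepted format and how it combines with the issuer's configured peers`. The typedef and declaration name the first parameter `mtlsSecretName` and the last `requireMtlsConfig`, while the definition in securesocket.cpp in this same commit calls them `issuer` and `requireMtlsFlag`; aligning the header on the .cpp names would stop the first argument being read as a secret name.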
@@ -315,7 +315,7 @@ protected:
 friend class CSortMerge;
 #if defined(_USE_OPENSSL)
 if (slave.queryTLS()) {
- secureContextServer.setown(createSecureSocketContextSecretSrv("local", true));
+ secureContextServer.setown(createSecureSocketContextSecretSrv("local", nullptr, true));
 secureContextClients.setown(createSecureSocketContextSecret("local", ClientSocket));
 }
 #endif