Refresh certificates used for handshaking when they change on disk

bindings/flow/fdb_flow.actor.cpp

@@ -25,6 +25,7 @@
 
 #include "flow/DeterministicRandom.h"
 #include "flow/SystemMonitor.h"
+#include "flow/TLSConfig.actor.h"
 #include "flow/actorcompiler.h" // This must be the last #include.
 
 using namespace FDB;
@@ -82,7 +83,7 @@ void fdb_flow_test() {
 	fdb->setupNetwork();
 	startThread(networkThread, fdb);
 
-	g_network = newNet2(false);
+	g_network = newNet2(TLSConfig());
 
 	openTraceFile(NetworkAddress(), 1000000, 1000000, ".");
 	systemMonitor();

bindings/flow/tester/Tester.actor.cpp

@@ -28,6 +28,7 @@
 #include "bindings/flow/FDBLoanerTypes.h"
 #include "fdbrpc/fdbrpc.h"
 #include "flow/DeterministicRandom.h"
+#include "flow/TLSConfig.actor.h"
 #include "flow/actorcompiler.h" // This must be the last #include.
 
 // Otherwise we have to type setupNetwork(), FDB::open(), etc.
@@ -1748,7 +1749,7 @@ ACTOR void startTest(std::string clusterFilename, StringRef prefix, int apiVersi
 		populateOpsThatCreateDirectories(); // FIXME
 
 		// This is "our" network
-		g_network = newNet2(false);
+		g_network = newNet2(TLSConfig());
 
 		ASSERT(!API::isAPIVersionSelected());
 		try {
@@ -1791,7 +1792,7 @@ ACTOR void startTest(std::string clusterFilename, StringRef prefix, int apiVersi
 
 ACTOR void _test_versionstamp() {
 	try {
-		g_network = newNet2(false);
+		g_network = newNet2(TLSConfig());
 
 		API *fdb = FDB::API::selectAPIVersion(620);
 

fdbbackup/backup.actor.cpp

@@ -27,6 +27,7 @@
 #include "flow/IRandom.h"
 #include "flow/genericactors.actor.h"
 #include "flow/SignalSafeUnwind.h"
+#include "flow/TLSConfig.actor.h"
 
 #include "fdbclient/FDBTypes.h"
 #include "fdbclient/BackupAgent.actor.h"
@@ -3071,22 +3072,22 @@ int main(int argc, char* argv[]) {
 					blobCredentials.push_back(args->OptionArg());
 					break;
 #ifndef TLS_DISABLED
-				case TLSParams::OPT_TLS_PLUGIN:
+				case TLSConfig::OPT_TLS_PLUGIN:
 					args->OptionArg();
 					break;
-				case TLSParams::OPT_TLS_CERTIFICATES:
+				case TLSConfig::OPT_TLS_CERTIFICATES:
 					tlsCertPath = args->OptionArg();
 					break;
-				case TLSParams::OPT_TLS_PASSWORD:
+				case TLSConfig::OPT_TLS_PASSWORD:
 					tlsPassword = args->OptionArg();
 					break;
-				case TLSParams::OPT_TLS_CA_FILE:
+				case TLSConfig::OPT_TLS_CA_FILE:
 					tlsCAPath = args->OptionArg();
 					break;
-				case TLSParams::OPT_TLS_KEY:
+				case TLSConfig::OPT_TLS_KEY:
 					tlsKeyPath = args->OptionArg();
 					break;
-				case TLSParams::OPT_TLS_VERIFY_PEERS:
+				case TLSConfig::OPT_TLS_VERIFY_PEERS:
 					tlsVerifyPeers = args->OptionArg();
 					break;
 #endif

fdbcli/fdbcli.actor.cpp

@@ -35,6 +35,7 @@
 #include "flow/SignalSafeUnwind.h"
 #include "fdbrpc/Platform.h"
 
+#include "flow/TLSConfig.actor.h"
 #include "flow/SimpleOpt.h"
 
 #include "fdbcli/FlowLineNoise.h"
@@ -2541,22 +2542,22 @@ struct CLIOptions {
 
 #ifndef TLS_DISABLED
 			// TLS Options
-		    case TLSParams::OPT_TLS_PLUGIN:
+		    case TLSConfig::OPT_TLS_PLUGIN:
 			    args.OptionArg();
 			    break;
-		    case TLSParams::OPT_TLS_CERTIFICATES:
+		    case TLSConfig::OPT_TLS_CERTIFICATES:
 			    tlsCertPath = args.OptionArg();
 			    break;
-		    case TLSParams::OPT_TLS_CA_FILE:
+		    case TLSConfig::OPT_TLS_CA_FILE:
 			    tlsCAPath = args.OptionArg();
 			    break;
-		    case TLSParams::OPT_TLS_KEY:
+		    case TLSConfig::OPT_TLS_KEY:
 			    tlsKeyPath = args.OptionArg();
 			    break;
-		    case TLSParams::OPT_TLS_PASSWORD:
+		    case TLSConfig::OPT_TLS_PASSWORD:
 			    tlsPassword = args.OptionArg();
 			    break;
-		    case TLSParams::OPT_TLS_VERIFY_PEERS:
+		    case TLSConfig::OPT_TLS_VERIFY_PEERS:
 			    tlsVerifyPeers = args.OptionArg();
 			    break;
 #endif

fdbclient/NativeAPI.actor.cpp

@@ -43,7 +43,7 @@
 #include "flow/Knobs.h"
 #include "flow/Platform.h"
 #include "flow/SystemMonitor.h"
-#include "flow/TLSPolicy.h"
+#include "flow/TLSConfig.actor.h"
 #include "flow/UnitTest.h"
 
 #if defined(CMAKE_BUILD) || !defined(WIN32)
@@ -67,16 +67,7 @@ using std::min;
 using std::pair;
 
 NetworkOptions networkOptions;
-TLSParams tlsParams;
-static Reference<TLSPolicy> tlsPolicy;
-
-static void initTLSPolicy() {
-#ifndef TLS_DISABLED
-	if (!tlsPolicy) {
-		tlsPolicy = Reference<TLSPolicy>(new TLSPolicy(TLSPolicy::Is::CLIENT));
-	}
-#endif
-}
+TLSConfig tlsConfig(TLSEndpointType::CLIENT);
 
 // The default values, TRACE_DEFAULT_ROLL_SIZE and TRACE_DEFAULT_MAX_LOGS_SIZE are located in Trace.h.
 NetworkOptions::NetworkOptions()
@@ -907,48 +898,40 @@ void setNetworkOption(FDBNetworkOptions::Option option, Optional<StringRef> valu
 			break;
 		case FDBNetworkOptions::TLS_CERT_PATH:
 			validateOptionValue(value, true);
-			tlsParams.tlsCertBytes = "";
-			tlsParams.tlsCertPath = value.get().toString();
+			tlsConfig.setCertificatePath(value.get().toString());
 			break;
 		case FDBNetworkOptions::TLS_CERT_BYTES: {
 			validateOptionValue(value, true);
-			tlsParams.tlsCertPath = "";
-			tlsParams.tlsCertBytes = value.get().toString();
+			tlsConfig.setCertificateBytes(value.get().toString());
 			break;
 		}
 		case FDBNetworkOptions::TLS_CA_PATH: {
 			validateOptionValue(value, true);
-			tlsParams.tlsCABytes = "";
-			tlsParams.tlsCAPath = value.get().toString();
+			tlsConfig.setCAPath(value.get().toString());
 			break;
 		}
 		case FDBNetworkOptions::TLS_CA_BYTES: {
 			validateOptionValue(value, true);
-			tlsParams.tlsCAPath = "";
-			tlsParams.tlsCABytes = value.get().toString();
+			tlsConfig.setCABytes(value.get().toString());
 			break;
 		}
 		case FDBNetworkOptions::TLS_PASSWORD:
 			validateOptionValue(value, true);
-			tlsParams.tlsPassword = value.get().toString();
+			tlsConfig.setPassword(value.get().toString());
 			break;
 		case FDBNetworkOptions::TLS_KEY_PATH:
 			validateOptionValue(value, true);
-			tlsParams.tlsKeyBytes = "";
-			tlsParams.tlsKeyPath = value.get().toString();
+			tlsConfig.setKeyPath(value.get().toString());
 			break;
 		case FDBNetworkOptions::TLS_KEY_BYTES: {
 			validateOptionValue(value, true);
-			tlsParams.tlsKeyPath = "";
-			tlsParams.tlsKeyBytes = value.get().toString();
+			tlsConfig.setKeyBytes(value.get().toString());
 			break;
 		}
 		case FDBNetworkOptions::TLS_VERIFY_PEERS:
 			validateOptionValue(value, true);
-			initTLSPolicy();
-#ifndef TLS_DISABLED
-			tlsPolicy->set_verify_peers({ value.get().toString() });
-#endif
+			tlsConfig.clearVerifyPeers();
+			tlsConfig.addVerifyPeers( value.get().toString() );
 			break;
 		case FDBNetworkOptions::CLIENT_BUGGIFY_ENABLE:
 			enableBuggify(true, BuggifyType::Client);
@@ -1007,9 +990,7 @@ void setupNetwork(uint64_t transportId, bool useMetrics) {
 	if (!networkOptions.logClientInfo.present())
 		networkOptions.logClientInfo = true;
 
-	initTLSPolicy();
-
-	g_network = newNet2(false, useMetrics || networkOptions.traceDirectory.present(), tlsPolicy, tlsParams);
+	g_network = newNet2(tlsConfig, false, useMetrics || networkOptions.traceDirectory.present());
 	FlowTransport::createInstance(true, transportId);
 	Net2FileSystem::newFileSystem();
 }

fdbrpc/sim2.actor.cpp

@@ -30,6 +30,7 @@
 #include "fdbrpc/TraceFileIO.h"
 #include "flow/FaultInjection.h"
 #include "flow/network.h"
+#include "flow/TLSConfig.actor.h"
 #include "fdbrpc/Net2FileSystem.h"
 #include "fdbrpc/Replication.h"
 #include "fdbrpc/ReplicationUtils.h"
@@ -1599,7 +1600,7 @@ class Sim2 : public ISimulator, public INetworkConnections {
 	Sim2() : time(0.0), timerTime(0.0), taskCount(0), yielded(false), yield_limit(0), currentTaskID(TaskPriority::Zero) {
 		// Not letting currentProcess be NULL eliminates some annoying special cases
 		currentProcess = new ProcessInfo("NoMachine", LocalityData(Optional<Standalone<StringRef>>(), StringRef(), StringRef(), StringRef()), ProcessClass(), {NetworkAddress()}, this, "", "");
-		g_network = net2 = newNet2(false, true);
+		g_network = net2 = newNet2(TLSConfig(), false, true);
 		Net2FileSystem::newFileSystem();
 		check_yield(TaskPriority::Zero);
 	}

fdbserver/fdbserver.actor.cpp

@@ -57,7 +57,7 @@
 #include "fdbrpc/AsyncFileCached.actor.h"
 #include "fdbserver/CoroFlow.h"
 #include "flow/SignalSafeUnwind.h"
-#include "flow/TLSPolicy.h"
+#include "flow/TLSConfig.actor.h"
 #if defined(CMAKE_BUILD) || !defined(WIN32)
 #include "versions.h"
 #endif
@@ -961,8 +961,7 @@ int main(int argc, char* argv[]) {
 		int minTesterCount = 1;
 		bool testOnServers = false;
 
-		Reference<TLSPolicy> tlsPolicy = Reference<TLSPolicy>(new TLSPolicy(TLSPolicy::Is::SERVER));
-		TLSParams tlsParams;
+		TLSConfig tlsConfig(TLSEndpointType::SERVER);
 		std::vector<std::string> tlsVerifyPeers;
 		double fileIoTimeout = 0.0;
 		bool fileIoWarnOnly = false;
@@ -1331,23 +1330,23 @@ int main(int argc, char* argv[]) {
 					whitelistBinPaths = args.OptionArg();
 					break;
 #ifndef TLS_DISABLED
-				case TLSParams::OPT_TLS_PLUGIN:
+				case TLSConfig::OPT_TLS_PLUGIN:
 					args.OptionArg();
 					break;
-				case TLSParams::OPT_TLS_CERTIFICATES:
-					tlsParams.tlsCertPath = args.OptionArg();
+				case TLSConfig::OPT_TLS_CERTIFICATES:
+					tlsConfig.setCertificatePath(args.OptionArg());
 					break;
-				case TLSParams::OPT_TLS_PASSWORD:
-					tlsParams.tlsPassword = args.OptionArg();
+				case TLSConfig::OPT_TLS_PASSWORD:
+					tlsConfig.setPassword(args.OptionArg());
 					break;
-				case TLSParams::OPT_TLS_CA_FILE:
-					tlsParams.tlsCAPath = args.OptionArg();
+				case TLSConfig::OPT_TLS_CA_FILE:
+					tlsConfig.setCAPath(args.OptionArg());
 					break;
-				case TLSParams::OPT_TLS_KEY:
-					tlsParams.tlsKeyPath = args.OptionArg();
+				case TLSConfig::OPT_TLS_KEY:
+					tlsConfig.setKeyPath(args.OptionArg());
 					break;
-				case TLSParams::OPT_TLS_VERIFY_PEERS:
-					tlsVerifyPeers.push_back(args.OptionArg());
+				case TLSConfig::OPT_TLS_VERIFY_PEERS:
+					tlsConfig.addVerifyPeers(args.OptionArg());
 					break;
 #endif
 			}
@@ -1553,18 +1552,7 @@ int main(int argc, char* argv[]) {
 			startNewSimulator();
 			openTraceFile(NetworkAddress(), rollsize, maxLogsSize, logFolder, "trace", logGroup);
 		} else {
-#ifndef TLS_DISABLED
-			if ( tlsVerifyPeers.size() ) {
-				try {
-					tlsPolicy->set_verify_peers( tlsVerifyPeers );
-				} catch( Error &e ) {
-					fprintf(stderr, "ERROR: The format of the --tls_verify_peers option is incorrect.\n");
-					printHelpTeaser(argv[0]);
-					flushAndExit(FDB_EXIT_ERROR);
-				}
-			}
-#endif
-			g_network = newNet2(useThreadPool, true, tlsPolicy, tlsParams);
+			g_network = newNet2(tlsConfig, useThreadPool, true);
 			FlowTransport::createInstance(false, 1);
 
 			const bool expectsPublicAddress = (role == FDBD || role == NetworkTestServer || role == Restore);

flow/CMakeLists.txt

@@ -52,31 +52,31 @@ set(FLOW_SRCS
   SystemMonitor.h
   TDMetric.actor.h
   TDMetric.cpp
+  TLSConfig.actor.cpp
+  TLSConfig.actor.h
   ThreadHelper.actor.h
   ThreadHelper.cpp
   ThreadPrimitives.cpp
   ThreadPrimitives.h
   ThreadSafeQueue.h
   Trace.cpp
   Trace.h
-  TLSPolicy.h
-  TLSPolicy.cpp
   UnitTest.cpp
   UnitTest.h
-  XmlTraceLogFormatter.h
   XmlTraceLogFormatter.cpp
+  XmlTraceLogFormatter.h
   actorcompiler.h
   error_definitions.h
-  flat_buffers.h
   flat_buffers.cpp
+  flat_buffers.h
   flow.cpp
   flow.h
   genericactors.actor.cpp
   genericactors.actor.h
   network.cpp
   network.h
-  serialize.h
   serialize.cpp
+  serialize.h
   stacktrace.amalgamation.cpp
   stacktrace.h
   version.cpp)