diff --git a/docs/src/source-types.md b/docs/src/source-types.md index 66c2e4f04..61cfb89c1 100644 --- a/docs/src/source-types.md +++ b/docs/src/source-types.md @@ -23,12 +23,13 @@ Cassandra: # When this field is provided TLS is used when the client connects to Shotover. # Removing this field will disable TLS. #tls: - # # Path to the certificate authority file, typically named with a .crt extension. - # certificate_authority_path: "tls/localhost_CA.crt" # # Path to the certificate file, typically named with a .crt extension. # certificate_path: "tls/localhost.crt" # # Path to the private key file, typically named with a .key extension. # private_key_path: "tls/localhost.key" + # # Path to the certificate authority file, typically named with a .crt extension. + # # When this field is provided client authentication will be enabled. + # #certificate_authority_path: "tls/localhost_CA.crt" # Timeout in seconds after which to terminate an idle connection. This field is optional, if not provided, idle connections will never be terminated. # timeout: 60 @@ -57,7 +58,8 @@ Redis: # # Path to the private key file, typically named with a .key extension. # private_key_path: "tls/redis.key" # # Path to the certificate authority file typically named ca.crt. - # certificate_authority_path: "tls/ca.crt" + # # When this field is provided client authentication will be enabled. + # #certificate_authority_path: "tls/ca.crt" # Timeout in seconds after which to terminate an idle connection. This field is optional, if not provided, idle connections will never be terminated. # timeout: 60 diff --git a/shotover-proxy/example-configs/cassandra-cluster-tls/topology.yaml b/shotover-proxy/example-configs/cassandra-cluster-tls/topology.yaml index d67de694c..4d7975747 100644 --- a/shotover-proxy/example-configs/cassandra-cluster-tls/topology.yaml +++ b/shotover-proxy/example-configs/cassandra-cluster-tls/topology.yaml 
@@ -4,7 +4,6 @@ sources:
 Cassandra:
 listen_addr: "127.0.0.1:9042"
 tls:
- certificate_authority_path: "example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost_CA.crt"
 certificate_path: "example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost.crt"
 private_key_path: "example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost.key"
 chain_config:
diff --git a/shotover-proxy/example-configs/cassandra-tls/topology-with-key.yaml b/shotover-proxy/example-configs/cassandra-tls/topology-with-key.yaml
index ba92e93b8..95a683465 100644
--- a/shotover-proxy/example-configs/cassandra-tls/topology-with-key.yaml
+++ b/shotover-proxy/example-configs/cassandra-tls/topology-with-key.yaml
@@ -4,7 +4,6 @@ sources:
 Cassandra:
 listen_addr: "127.0.0.1:9043"
 tls:
- certificate_authority_path: "example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost_CA.crt"
 certificate_path: "example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost.crt"
 private_key_path: "example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost.key"
 chain_config:
diff --git a/shotover-proxy/example-configs/cassandra-tls/topology.yaml b/shotover-proxy/example-configs/cassandra-tls/topology.yaml
index a629d63dd..a3dadc813 100644
--- a/shotover-proxy/example-configs/cassandra-tls/topology.yaml
+++ b/shotover-proxy/example-configs/cassandra-tls/topology.yaml
@@ -4,7 +4,6 @@ sources:
 Cassandra:
 listen_addr: "127.0.0.1:9043"
 tls:
- certificate_authority_path: "example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost_CA.crt"
 certificate_path: "example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost.crt"
 private_key_path: "example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost.key"
 chain_config:
diff --git a/shotover-proxy/example-configs/redis-tls/topology.yaml b/shotover-proxy/example-configs/redis-tls/topology.yaml
index 7efdc823a..0363f7ec2 100644
--- a/shotover-proxy/example-configs/redis-tls/topology.yaml
+++ b/shotover-proxy/example-configs/redis-tls/topology.yaml @@ -7,7 +7,6 @@ sources: Redis: listen_addr: "127.0.0.1:6380" tls: - certificate_authority_path: "example-configs/redis-tls/certs/localhost_CA.crt" certificate_path: "example-configs/redis-tls/certs/localhost.crt" private_key_path: "example-configs/redis-tls/certs/localhost.key" chain_config: diff --git a/shotover/src/tls.rs b/shotover/src/tls.rs index e8dc363fc..d9aa849f5 100644 --- a/shotover/src/tls.rs +++ b/shotover/src/tls.rs @@ -16,7 +16,7 @@ use tokio_openssl::SslStream; #[derive(Serialize, Deserialize, Debug, Clone)] pub struct TlsAcceptorConfig { /// Path to the certificate authority in PEM format - pub certificate_authority_path: String, + pub certificate_authority_path: Option, /// Path to the certificate in PEM format pub certificate_path: String, /// Path to the private key in PEM format @@ -48,18 +48,20 @@ pub fn check_file_field(field_name: &str, file_path: &str) -> Result<()> { impl TlsAcceptor { pub fn new(tls_config: TlsAcceptorConfig) -> Result { // openssl's errors are really bad so we do our own checks so we can provide reasonable errors - check_file_field( - "certificate_authority_path", - &tls_config.certificate_authority_path, - )?; check_file_field("private_key_path", &tls_config.private_key_path)?; check_file_field("certificate_path", &tls_config.certificate_path)?; let mut builder = SslAcceptor::mozilla_intermediate(SslMethod::tls()) .map_err(openssl_stack_error_to_anyhow)?; - builder - .set_ca_file(tls_config.certificate_authority_path) - .map_err(openssl_stack_error_to_anyhow)?; + + if let Some(path) = tls_config.certificate_authority_path.as_ref() { + check_file_field("certificate_authority_path", path)?; + builder + .set_ca_file(path) + .map_err(openssl_stack_error_to_anyhow)?; + return Err(anyhow!("Client auth is not yet supported in shotover")); + } + builder .set_private_key_file(tls_config.private_key_path, SslFiletype::PEM) .map_err(openssl_stack_error_to_anyhow)?;
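Review bot: The doc comment on `certificate_authority_path` in the `TlsAcceptorConfig` hunk of shotover/src/tls.rs still describes the field as a plain path, while the field is now `Option` and, per the second hunk in this file, `TlsAcceptor::new` returns an error for any config that sets it. Stating both facts on the field would spare readers a surprise at runtime: `/// Optional path to the certificate authority in PEM format.` followed by `/// Setting this requests client authentication, which TlsAcceptor::new currently rejects.` The enclosing struct continues outside the hunk.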
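Review bot: In the `if let Some(path)` branch added to `TlsAcceptor::new`, `builder.set_ca_file(path)` runs and then the function unconditionally returns the "Client auth is not yet supported" error, so the CA load is dead work and reads like a working code path. Either reduce it to the guard, `if tls_config.certificate_authority_path.is_some() { return Err(anyhow!("Client auth is not yet supported in shotover")); }`, or mark it as groundwork with a comment noting that loading a CA file does not by itself make the acceptor request or require a client certificate; when the feature lands a peer verify mode such as `SslVerifyMode::PEER | SslVerifyMode::FAIL_IF_NO_PEER_CERT` via `builder.set_verify(...)` is also needed, otherwise the field would silently not enforce client authentication. The docs hunk in docs/src/source-types.md (Cassandra and Redis sections) states that providing the field enables client authentication, which this code does not yet do; the two should agree. The body of `new` continues past the end of the hunk.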