Wireup allowing insecure ssl

2019-02-04 16:21:25 -06:00 · 2019-02-04 16:21:25 -06:00 · 5b0dfb009c
commit 5b0dfb009c
parent 79df0d1c5d
3 changed files with 17 additions and 17 deletions
--- a/go/base/context.go
+++ b/go/base/context.go
@ -94,16 +94,16 @@ type MigrationContext struct {
 	AliyunRDS                bool
 	GoogleCloudPlatform      bool

-	config                ContextConfig
-	configMutex           *sync.Mutex
-	ConfigFile            string
-	CliUser               string
-	CliPassword           string
-	UseTLS                bool
-	TLSInsecureSkipVerify bool
-	TLSCACertificate      string
-	CliMasterUser         string
-	CliMasterPassword     string
+	config            ContextConfig
+	configMutex       *sync.Mutex
+	ConfigFile        string
+	CliUser           string
+	CliPassword       string
+	UseTLS            bool
+	TLSAllowInsecure  bool
+	TLSCACertificate  string
+	CliMasterUser     string
+	CliMasterPassword string

 	HeartbeatIntervalMilliseconds       int64
 	defaultNumRetries                   int64
@ -700,7 +700,7 @@ func (this *MigrationContext) ApplyCredentials() {

 func (this *MigrationContext) SetupTLS() error {
 	if this.UseTLS {
-		return this.InspectorConnectionConfig.UseTLS(this.TLSCACertificate)
+		return this.InspectorConnectionConfig.UseTLS(this.TLSCACertificate, this.TLSAllowInsecure)
 	}
 	return nil
 }
--- a/go/cmd/gh-ost/main.go
+++ b/go/cmd/gh-ost/main.go
@ -57,7 +57,7 @@ func main() {

 	flag.BoolVar(&migrationContext.UseTLS, "ssl", false, "Enable SSL encrypted connections to MySQL hosts")
 	flag.StringVar(&migrationContext.TLSCACertificate, "ssl-ca", "", "CA certificate in PEM format for TLS connections to MySQL hosts. Requires --ssl")
-	flag.StringVar(&migrationContext.TLSInsecureSkipVerify, "ssl-insecure", false, "Do not verify that the TLS connection is secure. Requires --ssl")
+	flag.BoolVar(&migrationContext.TLSAllowInsecure, "ssl-allow-insecure", false, "Skips verification of MySQL hosts' certificate chain and host name. Requires --ssl")

 	flag.StringVar(&migrationContext.DatabaseName, "database", "", "database name (mandatory)")
 	flag.StringVar(&migrationContext.OriginalTableName, "table", "", "table name (mandatory)")
@ -202,8 +202,8 @@ func main() {
 	if migrationContext.TLSCACertificate != "" && !migrationContext.UseTLS {
 		log.Fatalf("--ssl-ca requires --ssl")
 	}
-	if migrationContext.TLSInsecureSkipVerify && !migrationContext.UseTLS {
-		log.Fatalf("--ssl-insecure requires --ssl")
+	if migrationContext.TLSAllowInsecure && !migrationContext.UseTLS {
+		log.Fatalf("--ssl-allow-insecure requires --ssl")
 	}
 	if *replicationLagQuery != "" {
 		log.Warningf("--replication-lag-query is deprecated")
--- a/go/mysql/connection.go
+++ b/go/mysql/connection.go
@ -57,11 +57,11 @@ func (this *ConnectionConfig) Equals(other *ConnectionConfig) bool {
 	return this.Key.Equals(&other.Key) || this.ImpliedKey.Equals(other.ImpliedKey)
 }

-func (this *ConnectionConfig) UseTLS(caCertificatePath string) error {
+func (this *ConnectionConfig) UseTLS(caCertificatePath string, allowInsecure bool) error {
 	var rootCertPool *x509.CertPool
 	var err error

-	if !this.TLSInsecureSkipVerify {
+	if !allowInsecure {
 		if caCertificatePath == "" {
 			rootCertPool, err = x509.SystemCertPool()
 			if err != nil {
@ -81,7 +81,7 @@ func (this *ConnectionConfig) UseTLS(caCertificatePath string) error {

 	this.tlsConfig = &tls.Config{
 		RootCAs:            rootCertPool,
-		InsecureSkipVerify: this.TLSInsecureSkipVerify,
+		InsecureSkipVerify: allowInsecure,
 	}

 	return mysql.RegisterTLSConfig(this.Key.StringCode(), this.tlsConfig)