Provide specific f. to fix client ssl options

Provides a specific function to fix client ssl options, i.e.: apply all fixes that are applied for TLS listeneres and clients on previous versions but also sets `cacerts` option to CA certificates obtained by `public_key:cacerts_get`, only when no `cacertfile` or `cacerts` are provided.
2024-10-10 13:08:52 +02:00 · 2024-10-10 13:08:52 +02:00 · 3ff7e82c5c
parent f4e689310f
commit 3ff7e82c5c
5 changed files with 27 additions and 4 deletions
--- a/deps/amqp10_client/src/amqp10_client_frame_reader.erl
+++ b/deps/amqp10_client/src/amqp10_client_frame_reader.erl
@ -105,7 +105,8 @@ init([Sup, ConnConfig]) when is_map(ConnConfig) ->
            {ok, expecting_connection_pid, State}
    end.

-connect(Address, Port, #{tls_opts := {secure_port, Opts}}) ->
+connect(Address, Port, #{tls_opts := {secure_port, Opts0}}) ->
+    Opts = rabbit_ssl_options:fix_client(Opts0),
    case ssl:connect(Address, Port, ?RABBIT_TCP_OPTS ++ Opts) of
      {ok, S} ->
          {ssl, S};
--- a/deps/amqp_client/src/amqp_network_connection.erl
+++ b/deps/amqp_client/src/amqp_network_connection.erl
@ -137,7 +137,7 @@ do_connect({Addr, Family},
                         [Family | ?RABBIT_TCP_OPTS] ++ ExtraOpts,
                         Timeout) of
        {ok, Sock} ->
-            SslOpts = rabbit_ssl_options:fix(
+            SslOpts = rabbit_ssl_options:fix_client(
                        orddict:to_list(
                          orddict:merge(fun (_, _A, B) -> B end,
                                        orddict:from_list(GlobalSslOpts),
--- a/deps/rabbit_common/src/rabbit_ssl_options.erl
+++ b/deps/rabbit_common/src/rabbit_ssl_options.erl
@ -8,6 +8,7 @@
 -module(rabbit_ssl_options).

 -export([fix/1]).
+-export([fix_client/1]).


 -define(BAD_SSL_PROTOCOL_VERSIONS, [
@ -22,6 +23,27 @@ fix(Config) ->
      fix_ssl_protocol_versions(
        hibernate_after(Config))).

+-spec fix_client(rabbit_types:infos()) -> rabbit_types:infos().
+fix_client(Config) ->
+    fix_cacerts(
+        fix(Config)).
+
+fix_cacerts(SslOptsConfig) ->
+    CACerts = proplists:get_value(cacerts, SslOptsConfig, undefined),
+    CACertfile = proplists:get_value(cacertfile, SslOptsConfig, undefined),
+    case {CACerts, CACertfile} of
+        {undefined, undefined} ->
+            try public_key:cacerts_get() of
+                CaCerts ->
+                    [{cacerts, CaCerts} | SslOptsConfig]
+            catch
+                _ -> 
+                    SslOptsConfig
+            end;
+        _CaCerts ->
+            SslOptsConfig
+    end.
+
 fix_verify_fun(SslOptsConfig) ->
    %% Starting with ssl 4.0.1 in Erlang R14B, the verify_fun function
    %% takes 3 arguments and returns a tuple.
--- a/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl
+++ b/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl
@ -205,7 +205,7 @@ do_http_req(Path0, Query) ->
 ssl_options() ->
    case application:get_env(rabbitmq_auth_backend_http, ssl_options) of
        {ok, Opts0} when is_list(Opts0) ->
-            Opts1 = [{ssl, rabbit_networking:fix_ssl_options(Opts0)}],            
+            Opts1 = [{ssl, rabbit_ssl_options:fix_client(Opts0)}],            
            case application:get_env(rabbitmq_auth_backend_http, ssl_hostname_verification) of
                {ok, wildcard} ->
                    rabbit_log:debug("Enabling wildcard-aware hostname verification for HTTP client connections"),
--- a/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
+++ b/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
@ -761,7 +761,7 @@ ssl_conf() ->
    end.

 ssl_options() ->
-    Opts0 = rabbit_networking:fix_ssl_options(env(ssl_options)),
+    Opts0 = rabbit_ssl_options:fix_client(env(ssl_options)),
    case env(ssl_hostname_verification, undefined) of
        wildcard ->
            rabbit_log_ldap:debug("Enabling wildcard-aware hostname verification for LDAP client connections"),