Provide specific f. to fix client ssl options

Provides a specific function to fix client ssl options, i.e.: apply all fixes that are applied for TLS listeneres and clients on previous versions but also sets `cacerts` option to CA certificates obtained by `public_key:cacerts_get`, only when no `cacertfile` or `cacerts` are provided.
rabbitmq · Oct 21, 2024 · 3ff7e82 · 3ff7e82
1 parent f4e6893
commit 3ff7e82
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 4 deletions.
diff --git a/deps/amqp10_client/src/amqp10_client_frame_reader.erl b/deps/amqp10_client/src/amqp10_client_frame_reader.erl
@@ -105,7 +105,8 @@ init([Sup, ConnConfig]) when is_map(ConnConfig) ->
             {ok, expecting_connection_pid, State}
     end.
 
-connect(Address, Port, #{tls_opts := {secure_port, Opts}}) ->
+connect(Address, Port, #{tls_opts := {secure_port, Opts0}}) ->
+    Opts = rabbit_ssl_options:fix_client(Opts0),
     case ssl:connect(Address, Port, ?RABBIT_TCP_OPTS ++ Opts) of
       {ok, S} ->
           {ssl, S};

diff --git a/deps/amqp_client/src/amqp_network_connection.erl b/deps/amqp_client/src/amqp_network_connection.erl
@@ -137,7 +137,7 @@ do_connect({Addr, Family},
                          [Family | ?RABBIT_TCP_OPTS] ++ ExtraOpts,
                          Timeout) of
         {ok, Sock} ->
-            SslOpts = rabbit_ssl_options:fix(
+            SslOpts = rabbit_ssl_options:fix_client(
                         orddict:to_list(
                           orddict:merge(fun (_, _A, B) -> B end,
                                         orddict:from_list(GlobalSslOpts),

diff --git a/deps/rabbit_common/src/rabbit_ssl_options.erl b/deps/rabbit_common/src/rabbit_ssl_options.erl
@@ -8,6 +8,7 @@
 -module(rabbit_ssl_options).
 
 -export([fix/1]).
+-export([fix_client/1]).
 
 
 -define(BAD_SSL_PROTOCOL_VERSIONS, [
@@ -22,6 +23,27 @@ fix(Config) ->
       fix_ssl_protocol_versions(
         hibernate_after(Config))).
 
+-spec fix_client(rabbit_types:infos()) -> rabbit_types:infos().
+fix_client(Config) ->
+    fix_cacerts(
+        fix(Config)).
+
+fix_cacerts(SslOptsConfig) ->
+    CACerts = proplists:get_value(cacerts, SslOptsConfig, undefined),
+    CACertfile = proplists:get_value(cacertfile, SslOptsConfig, undefined),
+    case {CACerts, CACertfile} of
+        {undefined, undefined} ->
+            try public_key:cacerts_get() of
+                CaCerts ->
+                    [{cacerts, CaCerts} | SslOptsConfig]
+            catch
+                _ -> 
+                    SslOptsConfig
+            end;
+        _CaCerts ->
+            SslOptsConfig
+    end.
+
 fix_verify_fun(SslOptsConfig) ->
     %% Starting with ssl 4.0.1 in Erlang R14B, the verify_fun function
     %% takes 3 arguments and returns a tuple.

diff --git a/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl b/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl
@@ -205,7 +205,7 @@ do_http_req(Path0, Query) ->
 ssl_options() ->
     case application:get_env(rabbitmq_auth_backend_http, ssl_options) of
         {ok, Opts0} when is_list(Opts0) ->
-            Opts1 = [{ssl, rabbit_networking:fix_ssl_options(Opts0)}],            
+            Opts1 = [{ssl, rabbit_ssl_options:fix_client(Opts0)}],            
             case application:get_env(rabbitmq_auth_backend_http, ssl_hostname_verification) of
                 {ok, wildcard} ->
                     rabbit_log:debug("Enabling wildcard-aware hostname verification for HTTP client connections"),

diff --git a/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl b/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
@@ -761,7 +761,7 @@ ssl_conf() ->
     end.
 
 ssl_options() ->
-    Opts0 = rabbit_networking:fix_ssl_options(env(ssl_options)),
+    Opts0 = rabbit_ssl_options:fix_client(env(ssl_options)),
     case env(ssl_hostname_verification, undefined) of
         wildcard ->
             rabbit_log_ldap:debug("Enabling wildcard-aware hostname verification for LDAP client connections"),