diff --git a/router/src/routing/src/classic_greeting_forwarder.cc b/router/src/routing/src/classic_greeting_forwarder.cc
index 79924256bd5c..2744345aa56c 100644
--- a/router/src/routing/src/classic_greeting_forwarder.cc
+++ b/router/src/routing/src/classic_greeting_forwarder.cc
@@ -840,8 +840,9 @@ ServerGreetor::client_greeting_full() {
 static stdx::expected get_dest_ssl_ctx( MySQLRoutingContext &ctx, const std::string &id) {
 return mysql_harness::make_tcp_address(id).and_then(
- [&ctx](const auto &addr) -> stdx::expected {
- return ctx.dest_ssl_ctx(addr.address())->get();
+ [&ctx,
+ &id](const auto &addr) -> stdx::expected {
+ return ctx.dest_ssl_ctx(id, addr.address())->get();
 });
 }
diff --git a/router/src/routing/src/context.h b/router/src/routing/src/context.h
index 00fdadeec874..7ce278823648 100644
--- a/router/src/routing/src/context.h
+++ b/router/src/routing/src/context.h
@@ -134,15 +134,17 @@ class MySQLRoutingContext {
 /**
 * get the SSL context for the server side of the route.
 *
- * @param dest_id id of the destination
+ * @param dest_id unique id of the destination
+ * @param hostname name of the destination host
 *
 * @returns a TlsClientContext for the destination.
 * @retval nullptr if creating tls-context failed.
 */
- TlsClientContext *dest_ssl_ctx(const std::string &dest_id) {
+ TlsClientContext *dest_ssl_ctx(const std::string &dest_id,
+ const std::string &hostname) {
 if (destination_tls_context_ == nullptr) return nullptr;
- return destination_tls_context_->get(dest_id);
+ return destination_tls_context_->get(dest_id, hostname);
 }
 SharedQuarantineHandler &shared_quarantine() {
diff --git a/router/src/routing/src/destination_ssl_context.cc b/router/src/routing/src/destination_ssl_context.cc
index 4c51da562861..53a7df389c21 100644
--- a/router/src/routing/src/destination_ssl_context.cc
+++ b/router/src/routing/src/destination_ssl_context.cc
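Review bot: The rewritten lambda still calls `->get()` on the pointer returned by `ctx.dest_ssl_ctx(id, addr.address())` without testing it, and `MySQLRoutingContext::dest_ssl_ctx` is documented in the context.h hunk of this same commit to return nullptr when the tls-context could not be created, so a configuration problem at that point (for example an unreadable CA file, given the `ssl_ca(ca_file_, ca_path_)` call in destination_ssl_context.cc) would become a null dereference on the first server connect rather than a routing error. Bind the result first, `auto *tls_ctx = ctx.dest_ssl_ctx(id, addr.address());`, and return an error through the `stdx::expected` when `tls_ctx == nullptr` before calling `->get()`; the error-code type is not visible in the hunk, so the exact value is left to the author. The identical lambda in the x_connection.cc hunk under `MysqlRoutingXConnection::forward_tls_init()` has the same issue. Both `get_dest_ssl_ctx` functions lie fully inside their hunks.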
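Review bot: The new `@param hostname` line says only "name of the destination host" and leaves the caller without the one fact that matters for security: which name the server certificate is checked against. The destination_ssl_context.cc hunk in this commit passes it straight to `tls_ctx->verify_hostname(hostname)` under `SslVerify::kVerifyIdentity`, so the comment should say so, e.g. `* @param hostname name the server certificate must match when ssl_verify is kVerifyIdentity`. The same wording fits the `DestinationTlsContext::get` doc comment in the destination_ssl_context.h hunk, which has the identical one-liner.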
@@ -68,7 +68,8 @@ void DestinationTlsContext::ciphers(const std::string &ciphers) {
 ciphers_ = ciphers;
 }
-TlsClientContext *DestinationTlsContext::get(const std::string &dest_id) {
+TlsClientContext *DestinationTlsContext::get(const std::string &dest_id,
+ const std::string &hostname) {
 std::lock_guard lk(mtx_);
 const auto it = tls_contexts_.find(dest_id);
@@ -86,7 +87,7 @@ TlsClientContext *DestinationTlsContext::get(const std::string &dest_id) {
 tls_ctx->verify(TlsVerify::NONE);
 break;
 case SslVerify::kVerifyIdentity:
- tls_ctx->verify_hostname(dest_id);
+ tls_ctx->verify_hostname(hostname);
 [[fallthrough]];
 case SslVerify::kVerifyCa:
 tls_ctx->ssl_ca(ca_file_, ca_path_);
diff --git a/router/src/routing/src/destination_ssl_context.h b/router/src/routing/src/destination_ssl_context.h
index d41657aab435..ff7881092441 100644
--- a/router/src/routing/src/destination_ssl_context.h
+++ b/router/src/routing/src/destination_ssl_context.h
@@ -94,9 +94,11 @@ class ROUTING_EXPORT DestinationTlsContext {
 * If a TlsClientContext for the destination exists, a pointer to it is
 * returned.
 *
- * @param dest_id identified of a destination
+ * @param dest_id unique identifier of a destination
+ * @param hostname name of the destination host
 */
- TlsClientContext *get(const std::string &dest_id);
+ TlsClientContext *get(const std::string &dest_id,
+ const std::string &hostname);
 private:
 SslVerify ssl_verify_{SslVerify::kDisabled};
diff --git a/router/src/routing/src/x_connection.cc b/router/src/routing/src/x_connection.cc
index 25a55cd7c0f6..a97f751c5cfb 100644
--- a/router/src/routing/src/x_connection.cc
+++ b/router/src/routing/src/x_connection.cc
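Review bot: `DestinationTlsContext::get` now takes `hostname` separately from the cache key, but the lookup on the last line of the hunk, `tls_contexts_.find(dest_id)`, is keyed by `dest_id` alone; when a context for that id already exists the cached one is presumably handed back (that path is outside the hunk) and the `hostname` argument has no effect, so a later caller passing a different hostname for the same id would silently get a context that verifies the first caller's name. Today both callers derive `dest_id` and `hostname` from the same `id` string via `make_tcp_address`, so they stay consistent, but the interface now allows them to diverge. Either document it in the header, `* @param hostname ... only used when the context for dest_id is first created`, or make the hostname part of the cache key. The rest of `get`, including the cache-hit return, continues outside the hunk.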
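Review bot: `tls_ctx->verify_hostname(hostname)` now receives `addr.address()` from `make_tcp_address(id)` in both callers, which may be an IP literal as well as a DNS name depending on how the destination was configured; whether `TlsClientContext::verify_hostname` matches an IP literal against the certificate's IP SANs rather than its DNS names is not visible here. Worth confirming with a test that `kVerifyIdentity` still succeeds for an IP destination whose certificate carries a matching IP SAN and fails for one that does not, since either kind of silent mismatch would turn identity verification into a connection failure or a non-check. The enclosing switch and the function continue outside the hunk.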
@@ -1195,8 +1195,9 @@ void MysqlRoutingXConnection::forward_tls_init() {
 static stdx::expected get_dest_ssl_ctx( MySQLRoutingContext &ctx, const std::string &id) {
 return mysql_harness::make_tcp_address(id).and_then(
- [&ctx](const auto &addr) -> stdx::expected {
- return ctx.dest_ssl_ctx(addr.address())->get();
+ [&ctx,
+ &id](const auto &addr) -> stdx::expected {
+ return ctx.dest_ssl_ctx(id, addr.address())->get();
 });
 }