| author | Essien Ita Essien <essiene@gmail.com> | 2008-12-15 22:36:35 +0100 |
|---|---|---|
| committer | Essien Ita Essien <essiene@gmail.com> | 2008-12-15 22:36:35 +0100 |
| commit | 24ab8ef8cd5423d3e45d4bef111b0a8cc2ba5891 (patch) | |
| tree | e79d29c4762b1f19b6dffdfbc3991eae9987c01a /src | |
| parent | 78de8391b44471016be58b53de13fbb85332c8fd (diff) | |
| download | rabbitmq-server-git-24ab8ef8cd5423d3e45d4bef111b0a8cc2ba5891.tar.gz | |
Implement start_ssl_listener, to complete ssl acceptor implementation
- Implement ssl_connection_upgrade/2 callback, to use in upgrading
a new tcp_connection to an ssl_connection.
- ssl_connection_upgrade then calls out to start_ssl_client to
  set up and start the AMQP session. Right now, this is just a dummy
session, but when the async_recv patches are done, it will become
a full valid session.
- Abstract TCP options into a macro to help reuse.
- Currently, I'm hardcoding location for cacerts, certfile and private
key file. Before this is finalized, config parameters will be agreed,
and used to supply this information.
Diffstat (limited to 'src')
| -rw-r--r-- | src/rabbit_networking.erl | 70 |
1 files changed, 58 insertions, 12 deletions
diff --git a/src/rabbit_networking.erl b/src/rabbit_networking.erl
index 99ea37d884..136b5b9c79 100644
--- a/src/rabbit_networking.erl
+++ b/src/rabbit_networking.erl
@@ -31,18 +31,34 @@
 -module(rabbit_networking).
 
--export([start/0, start_tcp_listener/2, stop_tcp_listener/2,
-         on_node_down/1, active_listeners/0, node_listeners/1,
-         connections/0, connection_info/1, connection_info/2,
-         connection_info_all/0, connection_info_all/1]).
+-export([start/0, start_tcp_listener/2, start_ssl_listener/2,
+         stop_tcp_listener/2, on_node_down/1, active_listeners/0,
+         node_listeners/1, connections/0, connection_info/1,
+         connection_info/2, connection_info_all/0, connection_info_all/1]).
 
 %%used by TCP-based transports, e.g. STOMP adapter
 -export([check_tcp_listener_address/3]).
 
--export([tcp_listener_started/2, tcp_listener_stopped/2, start_client/1]).
+-export([tcp_listener_started/2, ssl_connection_upgrade/2,
+         tcp_listener_stopped/2, start_client/1, start_ssl_client/1]).
 
 -include("rabbit.hrl").
 -include_lib("kernel/include/inet.hrl").
+-define(RABBIT_TCP_OPTS, [
+        binary,
+        {packet, raw}, % no packaging
+        {reuseaddr, true}, % allow rebind without waiting
+        %% {nodelay, true}, % TCP_NODELAY - disable Nagle's alg.
+        %% {delay_send, true},
+        {exit_on_close, false}
+    ]).
+
+-define(RABBIT_SSL_OPTS, [
+        {verify, 0},
+        {cacertfile, "/etc/rabbitmq/cacerts.pem"},
+        {certfile, "/etc/rabbitmq/cert.pem"},
+        {keyfile, "/etc/rabbitmq/key.pem"}
+    ]).
 
 %%----------------------------------------------------------------------------
 
 -ifdef(use_specs).
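Review bot: `{verify, 0}` in RABBIT_SSL_OPTS switches off peer-certificate verification, so any client completes the TLS handshake and the `cacertfile` loaded beside it is never consulted; the commit message flags the hard-coded paths as temporary but says nothing about this setting. That may be fine for a placeholder, but it should be visible to whoever turns this into configuration: `{verify, 0}, %% no client-cert verification; cacertfile is unused until this is raised`. When the promised config parameters land, the verify level, CA file and whether a client certificate is required should come from that config rather than a compile-time macro, and the `keyfile` path should be documented as needing to be readable by the broker user only.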
@@ -95,25 +111,33 @@ check_tcp_listener_address(NamePrefix, Host, Port) ->
     Name = rabbit_misc:tcp_name(NamePrefix, IPAddress, Port),
     {IPAddress, Name}.
 
+
 start_tcp_listener(Host, Port) ->
     {IPAddress, Name} = check_tcp_listener_address(rabbit_tcp_listener_sup, Host, Port),
     {ok,_} = supervisor:start_child(
                rabbit_sup,
                {Name,
                 {tcp_listener_sup, start_link,
-                 [IPAddress, Port,
-                  [binary,
-                   {packet, raw}, % no packaging
-                   {reuseaddr, true}, % allow rebind without waiting
-                   %% {nodelay, true}, % TCP_NODELAY - disable Nagle's alg.
-                   %% {delay_send, true},
-                   {exit_on_close, false}],
+                 [IPAddress, Port, ?RABBIT_TCP_OPTS ,
                   {?MODULE, tcp_listener_started, []},
                   {?MODULE, tcp_listener_stopped, []},
                   {?MODULE, start_client, []}]},
                transient, infinity, supervisor, [tcp_listener_sup]}),
     ok.
 
+start_ssl_listener(Host, Port) ->
+    {IPAddress, Name} = check_tcp_listener_address(rabbit_tcp_listener_sup, Host, Port),
+    {ok,_} = supervisor:start_child(
+               rabbit_sup,
+               {Name,
+                {tcp_listener_sup, start_link,
+                 [IPAddress, Port, ?RABBIT_TCP_OPTS,
+                  {?MODULE, tcp_listener_started, []},
+                  {?MODULE, tcp_listener_stopped, []},
+                  {?MODULE, ssl_connection_upgrade, [?RABBIT_SSL_OPTS]}]},
+               transient, infinity, supervisor, [tcp_listener_sup]}),
+    ok.
+
 stop_tcp_listener(Host, Port) ->
     {ok, IPAddress} = inet:getaddr(Host, inet),
     Name = rabbit_misc:tcp_name(rabbit_tcp_listener_sup, IPAddress, Port),
@@ -128,6 +152,7 @@ tcp_listener_started(IPAddress, Port) ->
                   host = tcp_host(IPAddress),
                   port = Port}).
 
+
 tcp_listener_stopped(IPAddress, Port) ->
     ok = mnesia:dirty_delete_object(
              #listener{node = node(),
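Review bot: start_ssl_listener is a line-for-line copy of start_tcp_listener that differs only in the per-connection callback tuple, so the supervisor child spec, restart type and listener name prefix now have to be kept in sync by hand in two places. Both also register under `rabbit_tcp_listener_sup`, which is what lets stop_tcp_listener stop an SSL listener too; that is worth a comment on stop_tcp_listener rather than being implicit. The stray space in `?RABBIT_TCP_OPTS ,` on the plain-TCP side disappears with the refactor below.
```erlang
start_tcp_listener(Host, Port) ->
    start_listener(Host, Port, {?MODULE, start_client, []}).

start_ssl_listener(Host, Port) ->
    start_listener(Host, Port, {?MODULE, ssl_connection_upgrade, [?RABBIT_SSL_OPTS]}).

%% Shared by the plain and SSL listeners; only the per-connection callback
%% differs. Both register under rabbit_tcp_listener_sup, so stop_tcp_listener
%% stops either kind.
start_listener(Host, Port, OnConnect) ->
    {IPAddress, Name} = check_tcp_listener_address(rabbit_tcp_listener_sup, Host, Port),
    {ok,_} = supervisor:start_child(
               rabbit_sup,
               {Name,
                {tcp_listener_sup, start_link,
                 [IPAddress, Port, ?RABBIT_TCP_OPTS,
                  {?MODULE, tcp_listener_started, []},
                  {?MODULE, tcp_listener_stopped, []},
                  OnConnect]},
                transient, infinity, supervisor, [tcp_listener_sup]}),
    ok.
```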
@@ -150,6 +175,27 @@ start_client(Sock) ->
     Child ! {go, Sock},
     Child.
 
+ssl_connection_upgrade(SslOpts, Sock) ->
+    {ok, {PeerAddress, PeerPort}} = inet:peername(Sock),
+    PeerIp = inet_parse:ntoa(PeerAddress),
+
+    case ssl:ssl_accept(Sock, SslOpts) of
+        {ok, SslSock} ->
+            error_logger:info_msg("Upgraded TCP connection from ~s:~p to SSL/TLS~n",
+                                  [PeerIp, PeerPort]),
+            start_ssl_client(SslSock);
+        {error, Reason} ->
+            error_logger:error_msg("Failed to upgrade TCP connection from ~s:~p to SSL~n",
+                                   [PeerIp, PeerPort]),
+            {error, Reason}
+    end.
+
+start_ssl_client(Sock) ->
+    {ok, {PeerAddress, PeerPort}} = ssl:peername(Sock),
+    PeerIp = inet_parse:ntoa(PeerAddress),
+    error_logger:info_msg("Dummy session started for ssl client from ~s:~p~n",
+                          [PeerIp, PeerPort]).
+
 connections() ->
     [Pid || {_, Pid, _, _} <- supervisor:which_children(
                                 rabbit_tcp_client_sup)]. |
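Review bot: ssl_connection_upgrade runs `ssl:ssl_accept(Sock, SslOpts)` synchronously in the callback the listener invokes per accepted socket, with no handshake timeout, whereas start_client just above hands the socket to a child and returns at once (`Child ! {go, Sock}, Child.`). If that callback executes in the acceptor process (tcp_listener_sup is outside this diff, so this is inferred), a client that connects and never finishes the handshake stalls every subsequent accept on the SSL listener. Use the bounded form, `ssl:ssl_accept(Sock, SslOpts, ?SSL_HANDSHAKE_TIMEOUT)`, and in the `{error, Reason}` branch include Reason in the error_msg (it is currently dropped from the log line) and close the raw socket with `gen_tcp:close(Sock)` unless the caller is known to do so. start_ssl_client is a stub per the commit message, so only the missing handshake bound and error detail are raised here.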
