authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-07-08 10:47:50 +0200
committerGitHub <noreply@github.com>2019-07-08 10:47:50 +0200
commita173ee16ceba9c9192b2405887905d7beed3e388 (patch)
tree3f366655eef7c0e5c9e44551f5f8fc05ef7a5d68
parent5cc3d139e621ddf947ecb5bb54fb99a95634c932 (diff)
parent30fe727e8fdb2e0f1f74bd05a01c6f0cd75aafc0 (diff)
Merge pull request #9983 from vespa-engine/bjorncs/tls
Bjorncs/tls
-rw-r--r--security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/Main.java14
-rwxr-xr-xsecurity-tools/src/main/sh/vespa-curl-wrapper15
2 files changed, 12 insertions, 17 deletions
diff --git a/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/Main.java b/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/Main.java
index ae18700246c..367d7b9dd83 100644
--- a/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/Main.java
+++ b/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/Main.java
@@ -51,17 +51,15 @@ public class Main {
Map<OutputVariable, String> outputVariables = new TreeMap<>();
Optional<TransportSecurityOptions> options = TransportSecurityUtils.getOptions(envVars);
- if (options.isPresent()) {
+ MixedMode mixedMode = TransportSecurityUtils.getInsecureMixedMode(envVars);
+ if (options.isPresent() && mixedMode != MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER) {
outputVariables.put(OutputVariable.TLS_ENABLED, "1");
options.get().getCaCertificatesFile()
.ifPresent(caCertFile -> outputVariables.put(OutputVariable.CA_CERTIFICATE, caCertFile.toString()));
- MixedMode mixedMode = TransportSecurityUtils.getInsecureMixedMode(envVars);
- if (mixedMode != MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER) {
- options.get().getCertificatesFile()
- .ifPresent(certificateFile -> outputVariables.put(OutputVariable.CERTIFICATE, certificateFile.toString()));
- options.get().getPrivateKeyFile()
- .ifPresent(privateKeyFile -> outputVariables.put(OutputVariable.PRIVATE_KEY, privateKeyFile.toString()));
- }
+ options.get().getCertificatesFile()
+ .ifPresent(certificateFile -> outputVariables.put(OutputVariable.CERTIFICATE, certificateFile.toString()));
+ options.get().getPrivateKeyFile()
+ .ifPresent(privateKeyFile -> outputVariables.put(OutputVariable.PRIVATE_KEY, privateKeyFile.toString()));
}
shell.writeOutputVariables(stdOut, outputVariables);
EnumSet<OutputVariable> unusedVariables = outputVariables.isEmpty()
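Review bot: The merged condition `if (options.isPresent() && mixedMode != MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER)` now withholds TLS_ENABLED and CA_CERTIFICATE as well as the certificate and private key, and nothing in the code says this is deliberate. With TLS configured but the client in plaintext mixed mode, the tool emits no TLS variables at all, so consumers such as the curl wrapper presumably stay on plain http. I would add a comment above the condition, for example `// Plaintext-client mixed mode: emit no TLS variables so callers keep using plaintext`. Also note that `getInsecureMixedMode(envVars)` is now evaluated even when no TLS options are present; if it can throw on a malformed value (not visible here), that is a behaviour change for non-TLS setups. The enclosing method starts and ends outside this hunk.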
diff --git a/security-tools/src/main/sh/vespa-curl-wrapper b/security-tools/src/main/sh/vespa-curl-wrapper
index 7c2f31d7719..da857984c01 100755
--- a/security-tools/src/main/sh/vespa-curl-wrapper
+++ b/security-tools/src/main/sh/vespa-curl-wrapper
@@ -6,26 +6,23 @@
set -e
-. $(vespa-security-env)
+eval $(vespa-security-env)
-CURL_PARAMETERS=$1
-CONFIGSERVER_URI_WITHOUT_SCHEME=$2
+CURL_PARAMETERS=("$@")
if [ -n "${VESPA_TLS_ENABLED}" ]
then
- CONFIGSERVER_URI="https://${CONFIGSERVER_URI_WITHOUT_SCHEME}"
-else
- CONFIGSERVER_URI="http://${CONFIGSERVER_URI_WITHOUT_SCHEME}"
+ CURL_PARAMETERS=("${CURL_PARAMETERS[@]/http:/https:}")
fi
if [ -n "${VESPA_TLS_CA_CERT}" ]
then
- CURL_PARAMETERS="--cacert \"${VESPA_TLS_CA_CERT}\" ${CURL_PARAMETERS}"
+ CURL_PARAMETERS=("--cacert" "${VESPA_TLS_CA_CERT}" "${CURL_PARAMETERS[@]}")
fi
if [[ -n "${VESPA_TLS_CERT}" && -n "${VESPA_TLS_PRIVATE_KEY}" ]]
then
- CURL_PARAMETERS="--cert \"${VESPA_TLS_CERT}\" --key \"${VESPA_TLS_PRIVATE_KEY}\" ${CURL_PARAMETERS}"
+ CURL_PARAMETERS=("--cert" "${VESPA_TLS_CERT}" "--key" "${VESPA_TLS_PRIVATE_KEY}" "${CURL_PARAMETERS[@]}")
fi
-curl ${CURL_PARAMETERS} "${CONFIGSERVER_URI}"
+curl "${CURL_PARAMETERS[@]}"
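Review bot: `eval $(vespa-security-env)` fails open, because the exit status of the command substitution is replaced by eval's own. Under `set -e`, a failing vespa-security-env leaves eval with nothing (or only partial output) to evaluate, and the script carries on with the VESPA_TLS_* variables unset, which means curl runs over plain http without `--cacert`/`--cert`. Capturing the output first makes the failure fatal, and quoting stops it being word-split and globbed before evaluation: `SECURITY_ENV="$(vespa-security-env)"` followed by `eval "${SECURITY_ENV}"`. Separately, `${CURL_PARAMETERS[@]/http:/https:}` rewrites the first `http:` in every argument, including header or data values; `${CURL_PARAMETERS[@]/#http:/https:}` would limit the rewrite to arguments that begin with the scheme.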