authorSergei Golubchik <serg@mariadb.org>2015-05-02 12:32:10 +0200
committerSergei Golubchik <serg@mariadb.org>2015-05-03 11:22:12 +0200
commitef1eb9c6c072516eeacd66530bf9a292f27653c2 (patch)
tree1d39cfa5e72e1726221371c9e5bd93237413b757
parent601dcd492000830480ff446b25b17945bc660902 (diff)
downloadmariadb-git-ef1eb9c6c072516eeacd66530bf9a292f27653c2.tar.gz
SSL: Verbosely report SSL initialization errors
And don't ignore SSL_CTX_set_tmp_dh() failures
-rw-r--r--include/violite.h2
-rw-r--r--sql/mysqld.cc9
-rw-r--r--vio/viosslfactories.c46
3 files changed, 34 insertions, 23 deletions
diff --git a/include/violite.h b/include/violite.h
index 68b2b6c5e52..401826c1172 100644
--- a/include/violite.h
+++ b/include/violite.h
@@ -150,7 +150,7 @@ enum enum_ssl_init_error
{
SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY,
SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS,
- SSL_INITERR_MEMFAIL, SSL_INITERR_LASTERR
+ SSL_INITERR_MEMFAIL, SSL_INITERR_DH, SSL_INITERR_LASTERR
};
const char* sslGetErrString(enum enum_ssl_init_error err);
diff --git a/sql/mysqld.cc b/sql/mysqld.cc
index 341f5412d67..1df6622b9e7 100644
--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -4557,7 +4557,6 @@ static void init_ssl()
opt_ssl_cipher, &error,
opt_ssl_crl, opt_ssl_crlpath);
DBUG_PRINT("info",("ssl_acceptor_fd: 0x%lx", (long) ssl_acceptor_fd));
- ERR_remove_state(0);
if (!ssl_acceptor_fd)
{
sql_print_warning("Failed to setup SSL");
@@ -4565,6 +4564,14 @@ static void init_ssl()
opt_use_ssl = 0;
have_ssl= SHOW_OPTION_DISABLED;
}
+ if (global_system_variables.log_warnings > 0)
+ {
+ ulong err;
+ while ((err= ERR_get_error()))
+ sql_print_warning("SSL error: %s", ERR_error_string(err, NULL));
+ }
+ else
+ ERR_remove_state(0);
}
else
{
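Review bot: `ERR_error_string(err, NULL)` on the added warning line formats into an OpenSSL-internal static buffer, which OpenSSL documents as not thread-safe; a local buffer, `char buf[256]; ERR_error_string_n(err, buf, sizeof buf); sql_print_warning("SSL error: %s", buf);`, avoids depending on init_ssl() always running single-threaded. Note also that the new drain loop sits after the `if (!ssl_acceptor_fd)` block rather than inside it, so on a successful setup any entries OpenSSL left on the queue are logged as `SSL error:` warnings too; if that is intended, a one-line comment such as `/* report anything OpenSSL queued, even when setup succeeded */` would stop the next reader from "fixing" it. init_ssl() begins and ends outside this hunk.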
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index 139fdbe43f2..9a476eace71 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -61,7 +61,8 @@ ssl_error_string[] =
"Private key does not match the certificate public key",
"SSL_CTX_set_default_verify_paths failed",
"Failed to set ciphers to use",
- "SSL_CTX_new failed"
+ "SSL_CTX_new failed",
+ "SSL_CTX_set_tmp_dh failed"
};
const char*
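Review bot: ssl_error_string[] is extended by hand in step with enum_ssl_init_error in violite.h, and nothing checks that the two stay the same length; the new entry does land at index 7 where SSL_INITERR_DH sits, but the next addition to one side can silently shift messages or read past the table (sslGetErrString, whose body is outside this hunk, presumably indexes by the enum). A compile-time check next to the table, `compile_time_assert(array_elements(ssl_error_string) == SSL_INITERR_LASTERR);` (or whatever static-assert macro the project provides), would pin them together.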
@@ -171,16 +172,14 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
if (!(ssl_fd= ((struct st_VioSSLFd*)
my_malloc(sizeof(struct st_VioSSLFd),MYF(0)))))
- DBUG_RETURN(0);
-
+ goto err0;
if (!(ssl_fd->ssl_context= SSL_CTX_new(is_client_method ?
SSLv23_client_method() :
SSLv23_server_method())))
{
*error= SSL_INITERR_MEMFAIL;
DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
- my_free(ssl_fd);
- DBUG_RETURN(0);
+ goto err1;
}
SSL_CTX_set_options(ssl_fd->ssl_context, ssl_ctx_options);
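Review bot: The `goto err0` on the my_malloc() failure keeps the old behaviour of returning NULL without assigning `*error`, so the caller's `sslGetErrString(error)` reports whatever `error` held before the call; with this commit's verbose reporting, out-of-memory is the one path that still gives no reason. Setting `*error= SSL_INITERR_MEMFAIL;` before that goto (the same code the SSL_CTX_new() failure a few lines below uses) would close the gap. new_VioSSLFd() starts before this hunk.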
@@ -195,9 +194,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
{
*error= SSL_INITERR_CIPHERS;
DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
- SSL_CTX_free(ssl_fd->ssl_context);
- my_free(ssl_fd);
- DBUG_RETURN(0);
+ goto err2;
}
/* Load certs from the trusted ca */
@@ -211,9 +208,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
*error= SSL_INITERR_BAD_PATHS;
DBUG_PRINT("error", ("SSL_CTX_load_verify_locations failed : %s",
sslGetErrString(*error)));
- SSL_CTX_free(ssl_fd->ssl_context);
- my_free(ssl_fd);
- DBUG_RETURN(0);
+ goto err2;
}
/* otherwise go use the defaults */
@@ -221,9 +216,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
{
*error= SSL_INITERR_BAD_PATHS;
DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
- SSL_CTX_free(ssl_fd->ssl_context);
- my_free(ssl_fd);
- DBUG_RETURN(0);
+ goto err2;
}
}
@@ -243,9 +236,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
DBUG_PRINT("warning", ("X509_STORE_load_locations for CRL failed"));
*error= SSL_INITERR_BAD_PATHS;
DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
- SSL_CTX_free(ssl_fd->ssl_context);
- my_free(ssl_fd);
- DBUG_RETURN(0);
+ goto err2;
}
#endif
}
@@ -253,19 +244,32 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file, error))
{
DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
- SSL_CTX_free(ssl_fd->ssl_context);
- my_free(ssl_fd);
- DBUG_RETURN(0);
+ goto err2;
}
/* DH stuff */
dh=get_dh1024();
- SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh);
+ if (!SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh))
+ {
+ *error= SSL_INITERR_DH;
+ goto err3;
+ }
+
DH_free(dh);
DBUG_PRINT("exit", ("OK 1"));
DBUG_RETURN(ssl_fd);
+
+err3:
+ DH_free(dh);
+err2:
+ SSL_CTX_free(ssl_fd->ssl_context);
+err1:
+ my_free(ssl_fd);
+err0:
+ DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
+ DBUG_RETURN(0);
}
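Review bot: `ERR_print_errors_fp()` at the new `err0` label pops each entry off the OpenSSL error queue as it prints it, so in a debug build with the `error` DBUG keyword enabled the queue reaches the caller already empty and the `ERR_get_error()` loop this commit adds in mysqld.cc logs nothing for the failure. Either drop the DBUG_EXECUTE and rely on the caller's logging, or mark the trade-off: `/* NOTE: drains the OpenSSL error queue; the caller sees nothing after this */`. The `SSL_INITERR_DH` branch is also the only failure path without the `DBUG_PRINT("error", ("%s", sslGetErrString(*error)));` line the other branches carry. Separately, `get_dh1024()` (a context line, unchanged here) supplies 1024-bit ephemeral DH parameters, which current guidance treats as too small; that deserves a follow-up to 2048 bits rather than this commit.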