author | Vladislav Vaintroub <wlad@mariadb.com> | 2022-10-21 19:50:07 +0200 |
---|---|---|
committer | Vladislav Vaintroub <wlad@mariadb.com> | 2022-10-25 13:18:34 +0200 |
commit | 32158be720b85a3ae0e0eeebe1277c36f86dca38 (patch) | |
tree | 296dd3c2214e90221a4d731a984332d04f550dad /vio | |
parent | 34ff5ca8952ff58d99be5028a5920bfe5268f17a (diff) | |
download | mariadb-git-32158be720b85a3ae0e0eeebe1277c36f86dca38.tar.gz |
MDEV-29811 server advertises ssl even if it's unusable.
Abort startup, if SSL setup fails.
Also, for the server, always check that the certificate matches the private key
(even if ssl_cert is not set, OpenSSL will try to use a default one).
Diffstat (limited to 'vio')
-rw-r--r-- | vio/viosslfactories.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index fe980322736..9b15e70294f 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -97,7 +97,7 @@ sslGetErrString(enum enum_ssl_init_error e)
 static int
 vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
-                   enum enum_ssl_init_error* error)
+                   my_bool is_client, enum enum_ssl_init_error* error)
 {
   DBUG_ENTER("vio_set_cert_stuff");
   DBUG_PRINT("enter", ("ctx: %p cert_file: %s key_file: %s",
@@ -134,10 +134,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
   }
   /*
-    If we are using DSA, we can copy the parameters from the private key
-    Now we know that a key and cert have been set against the SSL context
+    If certificate is used check if private key matches.
+    Note, that server side has to use certificate.
   */
-  if (cert_file && !SSL_CTX_check_private_key(ctx))
+  if ((cert_file != NULL || !is_client) && !SSL_CTX_check_private_key(ctx))
   {
     *error= SSL_INITERR_NOMATCH;
     DBUG_PRINT("error", ("%s",sslGetErrString(*error)));
@@ -288,7 +288,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
 #endif
   }
-  if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file, error))
+  if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file,
+                         is_client_method, error))
   {
     DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
     goto err2; |
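Review bot: In the second hunk, a server that ends up with no certificate loaded at all (cert_file NULL and no usable default) now fails SSL_CTX_check_private_key and is reported as SSL_INITERR_NOMATCH, so the startup error presumably describes a key/certificate mismatch when the actual cause is a missing certificate, which makes the new abort harder to diagnose. Consider distinguishing the two cases before the check, e.g. `if (!is_client && SSL_CTX_get0_certificate(ctx) == NULL)` setting a dedicated error (where the SSL backend in use provides that accessor), or at least stating in the comment that NOMATCH also covers the no-certificate case. The rewritten comment would also read better as `If a certificate is used, check that the private key matches it. Note that the server side always has to use a certificate.` vio_set_cert_stuff starts before this hunk and continues past it.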