Bug#11745920/Bug#21287: "SSL connection error" is not helpful! (ssl-verify-server-cert=true vs localhos)

SSL errors on client and now more specific to aid end-user
with debugging. Also restructures error handling for
compliance with SSL docs.

6 files changed, 32 insertions, 21 deletions

diff --git a/vio/test-ssl.c b/vio/test-ssl.c
index 1e846727d00..4d158ae83f7 100644
--- a/vio/test-ssl.c
+++ b/vio/test-ssl.c
@@ -59,6 +59,9 @@ main(int argc, char**	argv)
   struct st_VioSSLFd* ssl_acceptor= 0;
   struct st_VioSSLFd* ssl_connector= 0;
   Vio* client_vio=0, *server_vio=0;
+  enum enum_ssl_init_error ssl_init_error;
+  unsigned long ssl_error;
+
   MY_INIT(argv[0]);
   DBUG_PROCESS(argv[0]);
   DBUG_PUSH(default_dbug_option);
@@ -91,16 +94,16 @@ main(int argc, char**	argv)
   ssl_acceptor = new_VioSSLAcceptorFd(server_key, server_cert, ca_file,
 				      ca_path, cipher);
   ssl_connector = new_VioSSLConnectorFd(client_key, client_cert, ca_file,
-					ca_path, cipher);
+					ca_path, cipher, &ssl_init_error);
 
   client_vio = (struct st_vio*)my_malloc(sizeof(struct st_vio),MYF(0));
   client_vio->sd = sv[0];
   client_vio->vioblocking(client_vio, 0, &unused);
-  sslconnect(ssl_connector,client_vio,60L);
+  sslconnect(ssl_connector,client_vio,60L,&ssl_error);
   server_vio = (struct st_vio*)my_malloc(sizeof(struct st_vio),MYF(0));
   server_vio->sd = sv[1];
   server_vio->vioblocking(client_vio, 0, &unused);
-  sslaccept(ssl_acceptor,server_vio,60L);
+  sslaccept(ssl_acceptor,server_vio,60L, &ssl_error);
 
   printf("Socketpair: %d , %d\n", client_vio->sd, server_vio->sd);
 
diff --git a/vio/test-sslclient.c b/vio/test-sslclient.c
index 643dcbf2c8e..9d8a741e313 100644
--- a/vio/test-sslclient.c
+++ b/vio/test-sslclient.c
@@ -50,6 +50,9 @@ main(	int	argc __attribute__((unused)),
 	Vio* client_vio=0;
 	int err;
 	char	xbuf[100]="Ohohhhhoh1234";
+        enum enum_ssl_init_error ssl_init_error;
+        unsigned long ssl_error;
+
 	MY_INIT(argv[0]);
         DBUG_PROCESS(argv[0]);
         DBUG_PUSH(default_dbug_option);
@@ -60,7 +63,8 @@ main(	int	argc __attribute__((unused)),
 	if (ca_path!=0)
 		printf("CApath          : %s\n", ca_path);
 
-	ssl_connector = new_VioSSLConnectorFd(client_key, client_cert, ca_file, ca_path, cipher);
+	ssl_connector = new_VioSSLConnectorFd(client_key, client_cert, ca_file, ca_path, cipher,
+                                              &ssl_init_error);
 	if(!ssl_connector) {
                  fatal_error("client:new_VioSSLConnectorFd failed");
 	}
@@ -81,7 +85,7 @@ main(	int	argc __attribute__((unused)),
 	/* ----------------------------------------------- */
 	/* Now we have TCP conncetion. Start SSL negotiation. */
 	read(client_vio->sd,xbuf, sizeof(xbuf));
-        sslconnect(ssl_connector,client_vio,60L);
+        sslconnect(ssl_connector,client_vio,60L,&ssl_error);
 	err = vio_read(client_vio,xbuf, sizeof(xbuf));
 	if (err<=0) {
 		my_free(ssl_connector);
diff --git a/vio/test-sslserver.c b/vio/test-sslserver.c
index 3123a4def2c..35cfa26bd00 100644
--- a/vio/test-sslserver.c
+++ b/vio/test-sslserver.c
@@ -52,6 +52,7 @@ do_ssl_stuff(	TH_ARGS*	args)
 	const char*	s = "Huhuhuhuuu";
 	Vio*		server_vio;
 	int		err;
+        unsigned long   ssl_error;
 	DBUG_ENTER("do_ssl_stuff");
 
 	server_vio = vio_new(args->sd, VIO_TYPE_TCPIP, TRUE);
@@ -60,7 +61,7 @@ do_ssl_stuff(	TH_ARGS*	args)
 	/* TCP connection is ready. Do server side SSL. */
 
 	err = write(server_vio->sd,(uchar*)s, strlen(s));
-	sslaccept(args->ssl_acceptor,server_vio,60L);
+	sslaccept(args->ssl_acceptor,server_vio,60L,&ssl_error);
 	err = server_vio->write(server_vio,(uchar*)s, strlen(s));
 	DBUG_VOID_RETURN;
 }
diff --git a/vio/viossl.c b/vio/viossl.c
index 5cb5f36f20d..290abf788c2 100644
--- a/vio/viossl.c
+++ b/vio/viossl.c
@@ -144,8 +144,9 @@ void vio_ssl_delete(Vio *vio)
 
 
 static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout,
-                  int (*connect_accept_func)(SSL*))
+                  int (*connect_accept_func)(SSL*), unsigned long *errptr)
 {
+  int r;
   SSL *ssl;
   my_bool unused;
   my_bool was_blocking;
@@ -160,7 +161,7 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout,
   if (!(ssl= SSL_new(ptr->ssl_context)))
   {
     DBUG_PRINT("error", ("SSL_new failure"));
-    report_errors(ssl);
+    *errptr= ERR_get_error();
     vio_blocking(vio, was_blocking, &unused);
     DBUG_RETURN(1);
   }
@@ -169,10 +170,10 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout,
   SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout);
   SSL_set_fd(ssl, vio->sd);
 
-  if (connect_accept_func(ssl) < 1)
+  if ((r= connect_accept_func(ssl)) < 1)
   {
     DBUG_PRINT("error", ("SSL_connect/accept failure"));
-    report_errors(ssl);
+    *errptr= SSL_get_error(ssl, r);
     SSL_free(ssl);
     vio_blocking(vio, was_blocking, &unused);
     DBUG_RETURN(1);
@@ -220,17 +221,17 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout,
 }
 
 
-int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
+int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout, unsigned long *errptr)
 {
   DBUG_ENTER("sslaccept");
-  DBUG_RETURN(ssl_do(ptr, vio, timeout, SSL_accept));
+  DBUG_RETURN(ssl_do(ptr, vio, timeout, SSL_accept, errptr));
 }
 
 
-int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
+int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout, unsigned long *errptr)
 {
   DBUG_ENTER("sslconnect");
-  DBUG_RETURN(ssl_do(ptr, vio, timeout, SSL_connect));
+  DBUG_RETURN(ssl_do(ptr, vio, timeout, SSL_connect, errptr));
 }
 
 
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index 4971dec37fb..4f4dd5758ba 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -165,7 +165,7 @@ static struct st_VioSSLFd *
 new_VioSSLFd(const char *key_file, const char *cert_file,
              const char *ca_file, const char *ca_path,
              const char *cipher, SSL_METHOD *method, 
-             enum enum_ssl_init_error* error)
+             enum enum_ssl_init_error *error)
 {
   DH *dh;
   struct st_VioSSLFd *ssl_fd;
@@ -249,11 +249,10 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
 struct st_VioSSLFd *
 new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
                       const char *ca_file, const char *ca_path,
-                      const char *cipher)
+                      const char *cipher, enum enum_ssl_init_error* error)
 {
   struct st_VioSSLFd *ssl_fd;
   int verify= SSL_VERIFY_PEER;
-  enum enum_ssl_init_error dummy;
 
   /*
     Turn off verification of servers certificate if both
@@ -263,7 +262,7 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
     verify= SSL_VERIFY_NONE;
 
   if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
-                             ca_path, cipher, TLSv1_client_method(), &dummy)))
+                             ca_path, cipher, TLSv1_client_method(), error)))
   {
     return 0;
   }
diff --git a/vio/viotest-ssl.c b/vio/viotest-ssl.c
index 5c68e861d2a..90489b46605 100644
--- a/vio/viotest-ssl.c
+++ b/vio/viotest-ssl.c
@@ -60,6 +60,9 @@ int main(int argc, char **argv)
   struct st_VioSSLConnectorFd* ssl_connector=0; 
   Vio* client_vio=0;
   Vio* server_vio=0;
+  enum enum_ssl_init_error ssl_init_error;
+  unsigned long ssl_error;
+
   MY_INIT(argv[0]);
   DBUG_PROCESS(argv[0]);
   DBUG_PUSH(default_dbug_option);
@@ -92,14 +95,14 @@ int main(int argc, char **argv)
   ssl_acceptor = new_VioSSLAcceptorFd(server_key, server_cert, ca_file,
 				      ca_path);
   ssl_connector = new_VioSSLConnectorFd(client_key, client_cert, ca_file,
-					ca_path);
+					ca_path, &ssl_init_error);
 
   client_vio = (Vio*)my_malloc(sizeof(struct st_vio),MYF(0));
   client_vio->sd = sv[0];
-  sslconnect(ssl_connector,client_vio);
+  sslconnect(ssl_connector,client_vio,&ssl_error);
   server_vio = (Vio*)my_malloc(sizeof(struct st_vio),MYF(0));
   server_vio->sd = sv[1];
-  sslaccept(ssl_acceptor,server_vio);
+  sslaccept(ssl_acceptor,server_vio,&ssl_error);
 
   printf("Socketpair: %d , %d\n", client_vio->sd, server_vio->sd);