Skip to content

M
mariadb
Commit e1b41812 authored by msvensson@neptunus.(none)'s avatar msvensson@neptunus.(none)
Browse files
Options

Load CA certs before setting local certs. 

Make it possible to get the yaSSL error message printed in the DBUG log file.
parent 99475e7f
Show whitespace changes
Inline Side-by-side
Showing with 29 additions and 18 deletions
vio/viossl.c
View file @ e1b41812
...@@ -51,20 +51,30 @@ static int SSL_set_fd_bsd(SSL *s, int fd) ...@@ -51,20 +51,30 @@ static int SSL_set_fd_bsd(SSL *s, int fd)
static void static void
report_errors() report_errors(SSL* ssl)
{ {
unsigned long l; unsigned long l;
const char *file; const char *file;
const char *data; const char *data;
int line,flags; int line,flags;
char buf[512];
DBUG_ENTER("report_errors"); DBUG_ENTER("report_errors");
while ((l= ERR_get_error_line_data(&file,&line,&data,&flags))) while ((l= ERR_get_error_line_data(&file,&line,&data,&flags)))
{ {
char buf[512];
DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf), DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf),
file,line,(flags&ERR_TXT_STRING)?data:"")) ; file,line,(flags&ERR_TXT_STRING)?data:"")) ;
} }
#ifdef HAVE_YASSL
/*
The above calls to ERR_* doesn't return any messages when we
are using yaSSL since error is stored in the SSL object we used.
*/
if (ssl)
DBUG_PRINT("error", ("yaSSL: %s", ERR_error_string(SSL_get_error(ssl, l), buf)));
#endif
DBUG_PRINT("info", ("errno: %d", socket_errno)); DBUG_PRINT("info", ("errno: %d", socket_errno));
DBUG_VOID_RETURN; DBUG_VOID_RETURN;
} }
...@@ -81,7 +91,7 @@ int vio_ssl_read(Vio *vio, gptr buf, int size) ...@@ -81,7 +91,7 @@ int vio_ssl_read(Vio *vio, gptr buf, int size)
{ {
int err= SSL_get_error((SSL*) vio->ssl_arg, r); int err= SSL_get_error((SSL*) vio->ssl_arg, r);
DBUG_PRINT("error",("SSL_read(): %d SSL_get_error(): %d", r, err)); DBUG_PRINT("error",("SSL_read(): %d SSL_get_error(): %d", r, err));
report_errors(); report_errors((SSL*) vio->ssl_arg);
} }
DBUG_PRINT("exit", ("%d", r)); DBUG_PRINT("exit", ("%d", r));
DBUG_RETURN(r); DBUG_RETURN(r);
...@@ -95,7 +105,7 @@ int vio_ssl_write(Vio *vio, const gptr buf, int size) ...@@ -95,7 +105,7 @@ int vio_ssl_write(Vio *vio, const gptr buf, int size)
DBUG_PRINT("enter", ("sd: %d, buf: 0x%p, size: %d", vio->sd, buf, size)); DBUG_PRINT("enter", ("sd: %d, buf: 0x%p, size: %d", vio->sd, buf, size));
if ((r= SSL_write((SSL*) vio->ssl_arg, buf, size)) < 0) if ((r= SSL_write((SSL*) vio->ssl_arg, buf, size)) < 0)
report_errors(); report_errors((SSL*) vio->ssl_arg);
DBUG_PRINT("exit", ("%d", r)); DBUG_PRINT("exit", ("%d", r));
DBUG_RETURN(r); DBUG_RETURN(r);
} }
...@@ -148,7 +158,7 @@ int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout) ...@@ -148,7 +158,7 @@ int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
if (!(ssl= SSL_new(ptr->ssl_context))) if (!(ssl= SSL_new(ptr->ssl_context)))
{ {
DBUG_PRINT("error", ("SSL_new failure")); DBUG_PRINT("error", ("SSL_new failure"));
report_errors(); report_errors(ssl);
vio_reset(vio, old_type,vio->sd,0,FALSE); vio_reset(vio, old_type,vio->sd,0,FALSE);
vio_blocking(vio, net_blocking, &unused); vio_blocking(vio, net_blocking, &unused);
DBUG_RETURN(1); DBUG_RETURN(1);
...@@ -162,7 +172,7 @@ int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout) ...@@ -162,7 +172,7 @@ int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
if (SSL_do_handshake(ssl) < 1) if (SSL_do_handshake(ssl) < 1)
{ {
DBUG_PRINT("error", ("SSL_do_handshake failure")); DBUG_PRINT("error", ("SSL_do_handshake failure"));
report_errors(); report_errors(ssl);
SSL_free(ssl); SSL_free(ssl);
vio->ssl_arg= 0; vio->ssl_arg= 0;
vio_reset(vio, old_type,vio->sd,0,FALSE); vio_reset(vio, old_type,vio->sd,0,FALSE);
...@@ -223,7 +233,7 @@ int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout) ...@@ -223,7 +233,7 @@ int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
if (!(ssl= SSL_new(ptr->ssl_context))) if (!(ssl= SSL_new(ptr->ssl_context)))
{ {
DBUG_PRINT("error", ("SSL_new failure")); DBUG_PRINT("error", ("SSL_new failure"));
report_errors(); report_errors(ssl);
vio_reset(vio, old_type, vio->sd, 0, FALSE); vio_reset(vio, old_type, vio->sd, 0, FALSE);
vio_blocking(vio, net_blocking, &unused); vio_blocking(vio, net_blocking, &unused);
DBUG_RETURN(1); DBUG_RETURN(1);
...@@ -237,7 +247,7 @@ int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout) ...@@ -237,7 +247,7 @@ int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
if (SSL_do_handshake(ssl) < 1) if (SSL_do_handshake(ssl) < 1)
{ {
DBUG_PRINT("error", ("SSL_do_handshake failure")); DBUG_PRINT("error", ("SSL_do_handshake failure"));
report_errors(); report_errors(ssl);
SSL_free(ssl); SSL_free(ssl);
vio->ssl_arg= 0; vio->ssl_arg= 0;
vio_reset(vio, old_type, vio->sd, 0, FALSE); vio_reset(vio, old_type, vio->sd, 0, FALSE);
......
vio/viosslfactories.c
View file @ e1b41812
...@@ -103,7 +103,7 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file) ...@@ -103,7 +103,7 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
/* FIX stderr */ /* FIX stderr */
fprintf(stderr,"Error when connection to server using SSL:"); fprintf(stderr,"Error when connection to server using SSL:");
ERR_print_errors_fp(stderr); ERR_print_errors_fp(stderr);
fprintf(stderr,"Unable to get private key from '%s'\n", cert_file); fprintf(stderr,"Unable to get private key from '%s'\n", key_file);
fflush(stderr); fflush(stderr);
DBUG_RETURN(1); DBUG_RETURN(1);
} }
...@@ -252,14 +252,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file, ...@@ -252,14 +252,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
DBUG_RETURN(0); DBUG_RETURN(0);
} }
if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file)) /* Load certs from the trusted ca */
{
DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
report_errors();
my_free((void*)ssl_fd,MYF(0));
DBUG_RETURN(0);
}
if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) == 0) if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) == 0)
{ {
DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed")); DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
...@@ -272,6 +265,14 @@ new_VioSSLFd(const char *key_file, const char *cert_file, ...@@ -272,6 +265,14 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
} }
} }
if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file))
{
DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
report_errors();
my_free((void*)ssl_fd,MYF(0));
DBUG_RETURN(0);
}
/* DH stuff */ /* DH stuff */
dh=get_dh512(); dh=get_dh512();
SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh); SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh);
...@@ -297,7 +298,7 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file, ...@@ -297,7 +298,7 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
return 0; return 0;
} }
/* Init the the VioSSLFd as a "connector" ie. the client side */ /* Init the VioSSLFd as a "connector" ie. the client side */
/* /*
The verify_callback function is used to control the behaviour The verify_callback function is used to control the behaviour
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7