diff --git a/include/errmsg.h b/include/errmsg.h index 76a57f47611..842d53c9303 100644 --- a/include/errmsg.h +++ b/include/errmsg.h @@ -61,3 +61,4 @@ extern const char *client_errors[]; /* Error messages */ #define CR_PROBE_SLAVE_HOSTS 2023 #define CR_PROBE_SLAVE_CONNECT 2024 #define CR_PROBE_MASTER_CONNECT 2025 +#define CR_SSL_CONNECTION_ERROR 2026 diff --git a/include/violite.h b/include/violite.h index f4f40dcb64b..6c8ad1f4b69 100644 --- a/include/violite.h +++ b/include/violite.h @@ -174,7 +174,7 @@ struct st_VioSSLConnectorFd SSL_METHOD* ssl_method_; }; -void sslaccept(struct st_VioSSLAcceptorFd*, Vio*, long timeout); +int sslaccept(struct st_VioSSLAcceptorFd*, Vio*, long timeout); int sslconnect(struct st_VioSSLConnectorFd*, Vio*, long timeout); struct st_VioSSLConnectorFd @@ -231,7 +231,6 @@ struct st_vio #ifdef HAVE_OPENSSL SSL* ssl_; - my_bool open_; #endif /* HAVE_OPENSSL */ #endif /* HAVE_VIO */ }; diff --git a/libmysql/errmsg.c b/libmysql/errmsg.c index 3fdb9c0ddc6..47d19281a04 100644 --- a/libmysql/errmsg.c +++ b/libmysql/errmsg.c @@ -49,7 +49,8 @@ const char *client_errors[]= "Error on SHOW SLAVE STATUS:", "Error on SHOW SLAVE HOSTS:", "Error connecting to slave:", - "Error connecting to master:" + "Error connecting to master:", + "SSL connection error" }; /* Start of code added by Roberto M. Serqueira - martinsc@uol.com.br - 05.24.2001 */ @@ -82,7 +83,8 @@ const char *client_errors[]= "Error on SHOW SLAVE STATUS:", "Error on SHOW SLAVE HOSTS:", "Error connecting to slave:", - "Error connecting to master:" + "Error connecting to master:", + "SSL connection error" }; #else /* ENGLISH */ @@ -113,7 +115,8 @@ const char *client_errors[]= "Error on SHOW SLAVE STATUS:", "Error on SHOW SLAVE HOSTS:", "Error connecting to slave:", - "Error connecting to master:" + "Error connecting to master:", + "SSL connection error" }; #endif diff --git a/libmysql/libmysql.c b/libmysql/libmysql.c index c1d8dd6283f..c9fb2f84a3c 100644 --- a/libmysql/libmysql.c +++ b/libmysql/libmysql.c @@ -1872,15 +1872,18 @@ mysql_real_connect(MYSQL *mysql,const char *host, const char *user, options->ssl_capath, options->ssl_cipher))) { - /* TODO: Change to SSL error */ - net->last_errno= CR_SERVER_LOST; + net->last_errno= CR_SSL_CONNECTION_ERROR; strmov(net->last_error,ER(net->last_errno)); goto error; } DBUG_PRINT("info", ("IO layer change in progress...")); - /* TODO: Add proper error checking here, with return error message */ - sslconnect((struct st_VioSSLConnectorFd*)(mysql->connector_fd), - mysql->net.vio, (long) (mysql->options.connect_timeout)); + if(sslconnect((struct st_VioSSLConnectorFd*)(mysql->connector_fd), + mysql->net.vio, (long) (mysql->options.connect_timeout))) + { + net->last_errno= CR_SSL_CONNECTION_ERROR; + strmov(net->last_error,ER(net->last_errno)); + goto error; + } DBUG_PRINT("info", ("IO layer change done!")); } #endif /* HAVE_OPENSSL */ diff --git a/sql/mysqld.cc b/sql/mysqld.cc index 9e0dfe17f1b..78ef5886e21 100644 --- a/sql/mysqld.cc +++ b/sql/mysqld.cc @@ -339,7 +339,7 @@ volatile ulong cached_thread_count=0; my_string master_user = (char*) "test", master_password = 0, master_host=0, master_info_file = (char*) "master.info", relay_log_info_file = (char*) "relay-log.info", - master_ssl_key=0, master_ssl_cert=0; + master_ssl_key=0, master_ssl_cert=0, master_ssl_capath=0, master_ssl_cipher=0; my_string report_user = 0, report_password = 0, report_host=0; const char *localhost=LOCAL_HOST; @@ -2819,8 +2819,9 @@ enum options { OPT_MASTER_PASSWORD, OPT_MASTER_PORT, OPT_MASTER_INFO_FILE, OPT_MASTER_CONNECT_RETRY, OPT_MASTER_RETRY_COUNT, - OPT_MASTER_SSL, OPT_MASTER_SSL_KEY, - OPT_MASTER_SSL_CERT, + OPT_MASTER_SSL, OPT_MASTER_SSL_KEY, + OPT_MASTER_SSL_CERT, OPT_MASTER_SSL_CAPATH, + OPT_MASTER_SSL_CIPHER, OPT_SQL_BIN_UPDATE_SAME, OPT_REPLICATE_DO_DB, OPT_REPLICATE_IGNORE_DB, OPT_LOG_SLAVE_UPDATES, OPT_BINLOG_DO_DB, OPT_BINLOG_IGNORE_DB, @@ -3129,6 +3130,14 @@ struct my_option my_long_options[] = "Master SSL certificate file name. Only applies if you have enabled master-ssl.", (gptr*) &master_ssl_cert, (gptr*) &master_ssl_cert, 0, GET_STR, OPT_ARG, 0, 0, 0, 0, 0, 0}, + {"master-ssl-capath", OPT_MASTER_SSL_CAPATH, + "Master SSL CA path. Only applies if you have enabled master-ssl.", + (gptr*) &master_ssl_capath, (gptr*) &master_ssl_capath, 0, GET_STR, OPT_ARG, + 0, 0, 0, 0, 0, 0}, + {"master-ssl-cipher", OPT_MASTER_SSL_CIPHER, + "Master SSL cipher. Only applies if you have enabled master-ssl.", + (gptr*) &master_ssl_cipher, (gptr*) &master_ssl_capath, 0, GET_STR, OPT_ARG, + 0, 0, 0, 0, 0, 0}, {"myisam-recover", OPT_MYISAM_RECOVER, "Syntax: myisam-recover[=option[,option...]], where option can be DEFAULT, BACKUP or FORCE.", (gptr*) &myisam_recover_options_str, (gptr*) &myisam_recover_options_str, 0, diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc index 7416506fd02..924fe76fe21 100644 --- a/sql/sql_parse.cc +++ b/sql/sql_parse.cc @@ -554,7 +554,13 @@ check_connections(THD *thd) { /* Do the SSL layering. */ DBUG_PRINT("info", ("IO layer change in progress...")); - sslaccept(ssl_acceptor_fd, net->vio, thd->variables.net_wait_timeout); + if (sslaccept(ssl_acceptor_fd, net->vio, thd->variables.net_wait_timeout)) + { + DBUG_PRINT("error", ("Failed to read user information (pkt_len= %lu)", + pkt_len)); + inc_host_errors(&thd->remote.sin_addr); + return(ER_HANDSHAKE_ERROR); + } DBUG_PRINT("info", ("Reading user information over SSL layer")); if ((pkt_len=my_net_read(net)) == packet_error || pkt_len < NORMAL_HANDSHAKE_SIZE) diff --git a/vio/viossl.c b/vio/viossl.c index 56d3da8a1ac..cf1c98b5382 100644 --- a/vio/viossl.c +++ b/vio/viossl.c @@ -249,35 +249,48 @@ void vio_ssl_in_addr(Vio *vio, struct in_addr *in) /* - TODO: Add documentation and error handling + TODO: Add documentation */ -void sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout) +int sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout) { char *str; char buf[1024]; X509* client_cert; my_bool unused; + my_bool net_blocking; + enum enum_vio_type old_type; DBUG_ENTER("sslaccept"); DBUG_PRINT("enter", ("sd=%d ptr=%p", vio->sd,ptr)); + old_type= vio->type; + net_blocking = vio_is_blocking(vio); vio_blocking(vio, 1, &unused); /* Must be called before reset */ vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE); vio->ssl_=0; - vio->open_=FALSE; if (!(vio->ssl_ = SSL_new(ptr->ssl_context_))) { DBUG_PRINT("error", ("SSL_new failure")); report_errors(); - DBUG_VOID_RETURN; + vio_reset(vio, old_type,vio->sd,0,FALSE); + vio_blocking(vio, net_blocking, &unused); + DBUG_RETURN(1); } DBUG_PRINT("info", ("ssl_=%p timeout=%ld",vio->ssl_, timeout)); SSL_clear(vio->ssl_); SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout); SSL_set_fd(vio->ssl_,vio->sd); SSL_set_accept_state(vio->ssl_); - SSL_do_handshake(vio->ssl_); - vio->open_ = TRUE; + if (SSL_do_handshake(vio->ssl_) < 1) + { + DBUG_PRINT("error", ("SSL_do_handshake failure")); + report_errors(); + SSL_free(vio->ssl_); + vio->ssl_=0; + vio_reset(vio, old_type,vio->sd,0,FALSE); + vio_blocking(vio, net_blocking, &unused); + DBUG_RETURN(1); + } #ifndef DBUF_OFF DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'" ,SSL_get_cipher_name(vio->ssl_))); @@ -309,7 +322,7 @@ void sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout) } #endif - DBUG_VOID_RETURN; + DBUG_RETURN(0); } @@ -318,17 +331,22 @@ int sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio, long timeout) char *str; X509* server_cert; my_bool unused; + my_bool net_blocking; + enum enum_vio_type old_type; DBUG_ENTER("sslconnect"); DBUG_PRINT("enter", ("sd=%d ptr=%p ctx: %p", vio->sd,ptr,ptr->ssl_context_)); + old_type= vio->type; + net_blocking = vio_is_blocking(vio); vio_blocking(vio, 1, &unused); /* Must be called before reset */ vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE); vio->ssl_=0; - vio->open_=FALSE; if (!(vio->ssl_ = SSL_new(ptr->ssl_context_))) { DBUG_PRINT("error", ("SSL_new failure")); report_errors(); + vio_reset(vio, old_type,vio->sd,0,FALSE); + vio_blocking(vio, net_blocking, &unused); DBUG_RETURN(1); } DBUG_PRINT("info", ("ssl_=%p timeout=%ld",vio->ssl_, timeout)); @@ -336,8 +354,16 @@ int sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio, long timeout) SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout); SSL_set_fd (vio->ssl_, vio->sd); SSL_set_connect_state(vio->ssl_); - SSL_do_handshake(vio->ssl_); - vio->open_ = TRUE; + if (SSL_do_handshake(vio->ssl_) < 1) + { + DBUG_PRINT("error", ("SSL_do_handshake failure")); + report_errors(); + SSL_free(vio->ssl_); + vio->ssl_=0; + vio_reset(vio, old_type,vio->sd,0,FALSE); + vio_blocking(vio, net_blocking, &unused); + DBUG_RETURN(1); + } #ifndef DBUG_OFF DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'" ,SSL_get_cipher_name(vio->ssl_))); diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c index 9e7a1475951..31bc457d1ae 100644 --- a/vio/viosslfactories.c +++ b/vio/viosslfactories.c @@ -93,7 +93,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file) { DBUG_PRINT("error",("unable to get certificate from '%s'\n",cert_file)); /* FIX stderr */ + fprintf(stderr,"Error when connection to server using SSL:"); ERR_print_errors_fp(stderr); + fprintf(stderr,"Unable to get certificate from '%s'\n", cert_file); + fflush(stderr); DBUG_RETURN(0); } if (key_file == NULL) @@ -103,7 +106,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file) { DBUG_PRINT("error", ("unable to get private key from '%s'\n",key_file)); /* FIX stderr */ + fprintf(stderr,"Error when connection to server using SSL:"); ERR_print_errors_fp(stderr); + fprintf(stderr,"Unable to get private key from '%s'\n", cert_file); + fflush(stderr); DBUG_RETURN(0); }