Load CA certs before setting local certs.
Make it possible to get the yaSSL error message printed in the DBUG log file. vio/viossl.c: Add possibility to print out the error from yaSSL. vio/viosslfactories.c: Load the CA certs before loading the certs for this client or server. Improved comments.
This commit is contained in:
unknown
parent
a524c8ebe9
commit
e5b7c41df9
26
vio/viossl.c
26
vio/viossl.c
@ -51,20 +51,30 @@ static int SSL_set_fd_bsd(SSL *s, int fd)
|
||||
|
||||
|
||||
static void
|
||||
report_errors()
|
||||
report_errors(SSL* ssl)
|
||||
{
|
||||
unsigned long l;
|
||||
const char *file;
|
||||
const char *data;
|
||||
int line,flags;
|
||||
char buf[512];
|
||||
|
||||
DBUG_ENTER("report_errors");
|
||||
|
||||
while ((l= ERR_get_error_line_data(&file,&line,&data,&flags)))
|
||||
{
|
||||
char buf[512];
|
||||
DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf),
|
||||
file,line,(flags&ERR_TXT_STRING)?data:"")) ;
|
||||
}
|
||||
|
||||
#ifdef HAVE_YASSL
|
||||
/*
|
||||
The above calls to ERR_* doesn't return any messages when we
|
||||
are using yaSSL since error is stored in the SSL object we used.
|
||||
*/
|
||||
if (ssl)
|
||||
DBUG_PRINT("error", ("yaSSL: %s", ERR_error_string(SSL_get_error(ssl, l), buf)));
|
||||
#endif
|
||||
DBUG_PRINT("info", ("errno: %d", socket_errno));
|
||||
DBUG_VOID_RETURN;
|
||||
}
|
||||
@ -81,7 +91,7 @@ int vio_ssl_read(Vio *vio, gptr buf, int size)
|
||||
{
|
||||
int err= SSL_get_error((SSL*) vio->ssl_arg, r);
|
||||
DBUG_PRINT("error",("SSL_read(): %d SSL_get_error(): %d", r, err));
|
||||
report_errors();
|
||||
report_errors((SSL*) vio->ssl_arg);
|
||||
}
|
||||
DBUG_PRINT("exit", ("%d", r));
|
||||
DBUG_RETURN(r);
|
||||
@ -95,7 +105,7 @@ int vio_ssl_write(Vio *vio, const gptr buf, int size)
|
||||
DBUG_PRINT("enter", ("sd: %d, buf: 0x%p, size: %d", vio->sd, buf, size));
|
||||
|
||||
if ((r= SSL_write((SSL*) vio->ssl_arg, buf, size)) < 0)
|
||||
report_errors();
|
||||
report_errors((SSL*) vio->ssl_arg);
|
||||
DBUG_PRINT("exit", ("%d", r));
|
||||
DBUG_RETURN(r);
|
||||
}
|
||||
@ -148,7 +158,7 @@ int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
|
||||
if (!(ssl= SSL_new(ptr->ssl_context)))
|
||||
{
|
||||
DBUG_PRINT("error", ("SSL_new failure"));
|
||||
report_errors();
|
||||
report_errors(ssl);
|
||||
vio_reset(vio, old_type,vio->sd,0,FALSE);
|
||||
vio_blocking(vio, net_blocking, &unused);
|
||||
DBUG_RETURN(1);
|
||||
@ -162,7 +172,7 @@ int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
|
||||
if (SSL_do_handshake(ssl) < 1)
|
||||
{
|
||||
DBUG_PRINT("error", ("SSL_do_handshake failure"));
|
||||
report_errors();
|
||||
report_errors(ssl);
|
||||
SSL_free(ssl);
|
||||
vio->ssl_arg= 0;
|
||||
vio_reset(vio, old_type,vio->sd,0,FALSE);
|
||||
@ -223,7 +233,7 @@ int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
|
||||
if (!(ssl= SSL_new(ptr->ssl_context)))
|
||||
{
|
||||
DBUG_PRINT("error", ("SSL_new failure"));
|
||||
report_errors();
|
||||
report_errors(ssl);
|
||||
vio_reset(vio, old_type, vio->sd, 0, FALSE);
|
||||
vio_blocking(vio, net_blocking, &unused);
|
||||
DBUG_RETURN(1);
|
||||
@ -237,7 +247,7 @@ int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
|
||||
if (SSL_do_handshake(ssl) < 1)
|
||||
{
|
||||
DBUG_PRINT("error", ("SSL_do_handshake failure"));
|
||||
report_errors();
|
||||
report_errors(ssl);
|
||||
SSL_free(ssl);
|
||||
vio->ssl_arg= 0;
|
||||
vio_reset(vio, old_type, vio->sd, 0, FALSE);
|
||||
|
||||
@ -103,7 +103,7 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
|
||||
/* FIX stderr */
|
||||
fprintf(stderr,"Error when connection to server using SSL:");
|
||||
ERR_print_errors_fp(stderr);
|
||||
fprintf(stderr,"Unable to get private key from '%s'\n", cert_file);
|
||||
fprintf(stderr,"Unable to get private key from '%s'\n", key_file);
|
||||
fflush(stderr);
|
||||
DBUG_RETURN(1);
|
||||
}
|
||||
@ -252,14 +252,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
|
||||
DBUG_RETURN(0);
|
||||
}
|
||||
|
||||
if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file))
|
||||
{
|
||||
DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
|
||||
report_errors();
|
||||
my_free((void*)ssl_fd,MYF(0));
|
||||
DBUG_RETURN(0);
|
||||
}
|
||||
|
||||
/* Load certs from the trusted ca */
|
||||
if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) == 0)
|
||||
{
|
||||
DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
|
||||
@ -272,6 +265,14 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
|
||||
}
|
||||
}
|
||||
|
||||
if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file))
|
||||
{
|
||||
DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
|
||||
report_errors();
|
||||
my_free((void*)ssl_fd,MYF(0));
|
||||
DBUG_RETURN(0);
|
||||
}
|
||||
|
||||
/* DH stuff */
|
||||
dh=get_dh512();
|
||||
SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh);
|
||||
@ -297,7 +298,7 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Init the the VioSSLFd as a "connector" ie. the client side */
|
||||
/* Init the VioSSLFd as a "connector" ie. the client side */
|
||||
|
||||
/*
|
||||
The verify_callback function is used to control the behaviour
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user