Commit 7bf903ea authored by gluh@gluh.(none)'s avatar gluh@gluh.(none)

Error code for ssl connection

Fix bug when server hang(with SSL, with modified libmysql)
Add options master-ssl-capath and master-ssl-cipher
Add some error checking(SSL) 
parent 808d87f8
...@@ -61,3 +61,4 @@ extern const char *client_errors[]; /* Error messages */ ...@@ -61,3 +61,4 @@ extern const char *client_errors[]; /* Error messages */
#define CR_PROBE_SLAVE_HOSTS 2023 #define CR_PROBE_SLAVE_HOSTS 2023
#define CR_PROBE_SLAVE_CONNECT 2024 #define CR_PROBE_SLAVE_CONNECT 2024
#define CR_PROBE_MASTER_CONNECT 2025 #define CR_PROBE_MASTER_CONNECT 2025
#define CR_SSL_CONNECTION_ERROR 2026
...@@ -174,7 +174,7 @@ struct st_VioSSLConnectorFd ...@@ -174,7 +174,7 @@ struct st_VioSSLConnectorFd
SSL_METHOD* ssl_method_; SSL_METHOD* ssl_method_;
}; };
void sslaccept(struct st_VioSSLAcceptorFd*, Vio*, long timeout); int sslaccept(struct st_VioSSLAcceptorFd*, Vio*, long timeout);
int sslconnect(struct st_VioSSLConnectorFd*, Vio*, long timeout); int sslconnect(struct st_VioSSLConnectorFd*, Vio*, long timeout);
struct st_VioSSLConnectorFd struct st_VioSSLConnectorFd
...@@ -231,7 +231,6 @@ struct st_vio ...@@ -231,7 +231,6 @@ struct st_vio
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
SSL* ssl_; SSL* ssl_;
my_bool open_;
#endif /* HAVE_OPENSSL */ #endif /* HAVE_OPENSSL */
#endif /* HAVE_VIO */ #endif /* HAVE_VIO */
}; };
......
...@@ -49,7 +49,8 @@ const char *client_errors[]= ...@@ -49,7 +49,8 @@ const char *client_errors[]=
"Error on SHOW SLAVE STATUS:", "Error on SHOW SLAVE STATUS:",
"Error on SHOW SLAVE HOSTS:", "Error on SHOW SLAVE HOSTS:",
"Error connecting to slave:", "Error connecting to slave:",
"Error connecting to master:" "Error connecting to master:",
"SSL connection error"
}; };
/* Start of code added by Roberto M. Serqueira - martinsc@uol.com.br - 05.24.2001 */ /* Start of code added by Roberto M. Serqueira - martinsc@uol.com.br - 05.24.2001 */
...@@ -82,7 +83,8 @@ const char *client_errors[]= ...@@ -82,7 +83,8 @@ const char *client_errors[]=
"Error on SHOW SLAVE STATUS:", "Error on SHOW SLAVE STATUS:",
"Error on SHOW SLAVE HOSTS:", "Error on SHOW SLAVE HOSTS:",
"Error connecting to slave:", "Error connecting to slave:",
"Error connecting to master:" "Error connecting to master:",
"SSL connection error"
}; };
#else /* ENGLISH */ #else /* ENGLISH */
...@@ -113,7 +115,8 @@ const char *client_errors[]= ...@@ -113,7 +115,8 @@ const char *client_errors[]=
"Error on SHOW SLAVE STATUS:", "Error on SHOW SLAVE STATUS:",
"Error on SHOW SLAVE HOSTS:", "Error on SHOW SLAVE HOSTS:",
"Error connecting to slave:", "Error connecting to slave:",
"Error connecting to master:" "Error connecting to master:",
"SSL connection error"
}; };
#endif #endif
......
...@@ -1872,15 +1872,18 @@ mysql_real_connect(MYSQL *mysql,const char *host, const char *user, ...@@ -1872,15 +1872,18 @@ mysql_real_connect(MYSQL *mysql,const char *host, const char *user,
options->ssl_capath, options->ssl_capath,
options->ssl_cipher))) options->ssl_cipher)))
{ {
/* TODO: Change to SSL error */ net->last_errno= CR_SSL_CONNECTION_ERROR;
net->last_errno= CR_SERVER_LOST;
strmov(net->last_error,ER(net->last_errno)); strmov(net->last_error,ER(net->last_errno));
goto error; goto error;
} }
DBUG_PRINT("info", ("IO layer change in progress...")); DBUG_PRINT("info", ("IO layer change in progress..."));
/* TODO: Add proper error checking here, with return error message */ if(sslconnect((struct st_VioSSLConnectorFd*)(mysql->connector_fd),
sslconnect((struct st_VioSSLConnectorFd*)(mysql->connector_fd), mysql->net.vio, (long) (mysql->options.connect_timeout)))
mysql->net.vio, (long) (mysql->options.connect_timeout)); {
net->last_errno= CR_SSL_CONNECTION_ERROR;
strmov(net->last_error,ER(net->last_errno));
goto error;
}
DBUG_PRINT("info", ("IO layer change done!")); DBUG_PRINT("info", ("IO layer change done!"));
} }
#endif /* HAVE_OPENSSL */ #endif /* HAVE_OPENSSL */
......
...@@ -339,7 +339,7 @@ volatile ulong cached_thread_count=0; ...@@ -339,7 +339,7 @@ volatile ulong cached_thread_count=0;
my_string master_user = (char*) "test", master_password = 0, master_host=0, my_string master_user = (char*) "test", master_password = 0, master_host=0,
master_info_file = (char*) "master.info", master_info_file = (char*) "master.info",
relay_log_info_file = (char*) "relay-log.info", relay_log_info_file = (char*) "relay-log.info",
master_ssl_key=0, master_ssl_cert=0; master_ssl_key=0, master_ssl_cert=0, master_ssl_capath=0, master_ssl_cipher=0;
my_string report_user = 0, report_password = 0, report_host=0; my_string report_user = 0, report_password = 0, report_host=0;
const char *localhost=LOCAL_HOST; const char *localhost=LOCAL_HOST;
...@@ -2815,7 +2815,8 @@ enum options { ...@@ -2815,7 +2815,8 @@ enum options {
OPT_MASTER_INFO_FILE, OPT_MASTER_CONNECT_RETRY, OPT_MASTER_INFO_FILE, OPT_MASTER_CONNECT_RETRY,
OPT_MASTER_RETRY_COUNT, OPT_MASTER_RETRY_COUNT,
OPT_MASTER_SSL, OPT_MASTER_SSL_KEY, OPT_MASTER_SSL, OPT_MASTER_SSL_KEY,
OPT_MASTER_SSL_CERT, OPT_MASTER_SSL_CERT, OPT_MASTER_SSL_CAPATH,
OPT_MASTER_SSL_CIPHER,
OPT_SQL_BIN_UPDATE_SAME, OPT_REPLICATE_DO_DB, OPT_SQL_BIN_UPDATE_SAME, OPT_REPLICATE_DO_DB,
OPT_REPLICATE_IGNORE_DB, OPT_LOG_SLAVE_UPDATES, OPT_REPLICATE_IGNORE_DB, OPT_LOG_SLAVE_UPDATES,
OPT_BINLOG_DO_DB, OPT_BINLOG_IGNORE_DB, OPT_BINLOG_DO_DB, OPT_BINLOG_IGNORE_DB,
...@@ -3124,6 +3125,14 @@ struct my_option my_long_options[] = ...@@ -3124,6 +3125,14 @@ struct my_option my_long_options[] =
"Master SSL certificate file name. Only applies if you have enabled master-ssl.", "Master SSL certificate file name. Only applies if you have enabled master-ssl.",
(gptr*) &master_ssl_cert, (gptr*) &master_ssl_cert, 0, GET_STR, OPT_ARG, (gptr*) &master_ssl_cert, (gptr*) &master_ssl_cert, 0, GET_STR, OPT_ARG,
0, 0, 0, 0, 0, 0}, 0, 0, 0, 0, 0, 0},
{"master-ssl-capath", OPT_MASTER_SSL_CAPATH,
"Master SSL CA path. Only applies if you have enabled master-ssl.",
(gptr*) &master_ssl_capath, (gptr*) &master_ssl_capath, 0, GET_STR, OPT_ARG,
0, 0, 0, 0, 0, 0},
{"master-ssl-cipher", OPT_MASTER_SSL_CIPHER,
"Master SSL cipher. Only applies if you have enabled master-ssl.",
(gptr*) &master_ssl_cipher, (gptr*) &master_ssl_capath, 0, GET_STR, OPT_ARG,
0, 0, 0, 0, 0, 0},
{"myisam-recover", OPT_MYISAM_RECOVER, {"myisam-recover", OPT_MYISAM_RECOVER,
"Syntax: myisam-recover[=option[,option...]], where option can be DEFAULT, BACKUP or FORCE.", "Syntax: myisam-recover[=option[,option...]], where option can be DEFAULT, BACKUP or FORCE.",
(gptr*) &myisam_recover_options_str, (gptr*) &myisam_recover_options_str, 0, (gptr*) &myisam_recover_options_str, (gptr*) &myisam_recover_options_str, 0,
......
...@@ -554,7 +554,13 @@ check_connections(THD *thd) ...@@ -554,7 +554,13 @@ check_connections(THD *thd)
{ {
/* Do the SSL layering. */ /* Do the SSL layering. */
DBUG_PRINT("info", ("IO layer change in progress...")); DBUG_PRINT("info", ("IO layer change in progress..."));
sslaccept(ssl_acceptor_fd, net->vio, thd->variables.net_wait_timeout); if (sslaccept(ssl_acceptor_fd, net->vio, thd->variables.net_wait_timeout))
{
DBUG_PRINT("error", ("Failed to read user information (pkt_len= %lu)",
pkt_len));
inc_host_errors(&thd->remote.sin_addr);
return(ER_HANDSHAKE_ERROR);
}
DBUG_PRINT("info", ("Reading user information over SSL layer")); DBUG_PRINT("info", ("Reading user information over SSL layer"));
if ((pkt_len=my_net_read(net)) == packet_error || if ((pkt_len=my_net_read(net)) == packet_error ||
pkt_len < NORMAL_HANDSHAKE_SIZE) pkt_len < NORMAL_HANDSHAKE_SIZE)
......
...@@ -249,35 +249,48 @@ void vio_ssl_in_addr(Vio *vio, struct in_addr *in) ...@@ -249,35 +249,48 @@ void vio_ssl_in_addr(Vio *vio, struct in_addr *in)
/* /*
TODO: Add documentation and error handling TODO: Add documentation
*/ */
void sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout) int sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout)
{ {
char *str; char *str;
char buf[1024]; char buf[1024];
X509* client_cert; X509* client_cert;
my_bool unused; my_bool unused;
my_bool net_blocking;
enum enum_vio_type old_type;
DBUG_ENTER("sslaccept"); DBUG_ENTER("sslaccept");
DBUG_PRINT("enter", ("sd=%d ptr=%p", vio->sd,ptr)); DBUG_PRINT("enter", ("sd=%d ptr=%p", vio->sd,ptr));
old_type= vio->type;
net_blocking = vio_is_blocking(vio);
vio_blocking(vio, 1, &unused); /* Must be called before reset */ vio_blocking(vio, 1, &unused); /* Must be called before reset */
vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE); vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE);
vio->ssl_=0; vio->ssl_=0;
vio->open_=FALSE;
if (!(vio->ssl_ = SSL_new(ptr->ssl_context_))) if (!(vio->ssl_ = SSL_new(ptr->ssl_context_)))
{ {
DBUG_PRINT("error", ("SSL_new failure")); DBUG_PRINT("error", ("SSL_new failure"));
report_errors(); report_errors();
DBUG_VOID_RETURN; vio_reset(vio, old_type,vio->sd,0,FALSE);
vio_blocking(vio, net_blocking, &unused);
DBUG_RETURN(1);
} }
DBUG_PRINT("info", ("ssl_=%p timeout=%ld",vio->ssl_, timeout)); DBUG_PRINT("info", ("ssl_=%p timeout=%ld",vio->ssl_, timeout));
SSL_clear(vio->ssl_); SSL_clear(vio->ssl_);
SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout); SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
SSL_set_fd(vio->ssl_,vio->sd); SSL_set_fd(vio->ssl_,vio->sd);
SSL_set_accept_state(vio->ssl_); SSL_set_accept_state(vio->ssl_);
SSL_do_handshake(vio->ssl_); if (SSL_do_handshake(vio->ssl_) < 1)
vio->open_ = TRUE; {
DBUG_PRINT("error", ("SSL_do_handshake failure"));
report_errors();
SSL_free(vio->ssl_);
vio->ssl_=0;
vio_reset(vio, old_type,vio->sd,0,FALSE);
vio_blocking(vio, net_blocking, &unused);
DBUG_RETURN(1);
}
#ifndef DBUF_OFF #ifndef DBUF_OFF
DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'" DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'"
,SSL_get_cipher_name(vio->ssl_))); ,SSL_get_cipher_name(vio->ssl_)));
...@@ -309,7 +322,7 @@ void sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout) ...@@ -309,7 +322,7 @@ void sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout)
} }
#endif #endif
DBUG_VOID_RETURN; DBUG_RETURN(0);
} }
...@@ -318,17 +331,22 @@ int sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio, long timeout) ...@@ -318,17 +331,22 @@ int sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio, long timeout)
char *str; char *str;
X509* server_cert; X509* server_cert;
my_bool unused; my_bool unused;
my_bool net_blocking;
enum enum_vio_type old_type;
DBUG_ENTER("sslconnect"); DBUG_ENTER("sslconnect");
DBUG_PRINT("enter", ("sd=%d ptr=%p ctx: %p", vio->sd,ptr,ptr->ssl_context_)); DBUG_PRINT("enter", ("sd=%d ptr=%p ctx: %p", vio->sd,ptr,ptr->ssl_context_));
old_type= vio->type;
net_blocking = vio_is_blocking(vio);
vio_blocking(vio, 1, &unused); /* Must be called before reset */ vio_blocking(vio, 1, &unused); /* Must be called before reset */
vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE); vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE);
vio->ssl_=0; vio->ssl_=0;
vio->open_=FALSE;
if (!(vio->ssl_ = SSL_new(ptr->ssl_context_))) if (!(vio->ssl_ = SSL_new(ptr->ssl_context_)))
{ {
DBUG_PRINT("error", ("SSL_new failure")); DBUG_PRINT("error", ("SSL_new failure"));
report_errors(); report_errors();
vio_reset(vio, old_type,vio->sd,0,FALSE);
vio_blocking(vio, net_blocking, &unused);
DBUG_RETURN(1); DBUG_RETURN(1);
} }
DBUG_PRINT("info", ("ssl_=%p timeout=%ld",vio->ssl_, timeout)); DBUG_PRINT("info", ("ssl_=%p timeout=%ld",vio->ssl_, timeout));
...@@ -336,8 +354,16 @@ int sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio, long timeout) ...@@ -336,8 +354,16 @@ int sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio, long timeout)
SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout); SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
SSL_set_fd (vio->ssl_, vio->sd); SSL_set_fd (vio->ssl_, vio->sd);
SSL_set_connect_state(vio->ssl_); SSL_set_connect_state(vio->ssl_);
SSL_do_handshake(vio->ssl_); if (SSL_do_handshake(vio->ssl_) < 1)
vio->open_ = TRUE; {
DBUG_PRINT("error", ("SSL_do_handshake failure"));
report_errors();
SSL_free(vio->ssl_);
vio->ssl_=0;
vio_reset(vio, old_type,vio->sd,0,FALSE);
vio_blocking(vio, net_blocking, &unused);
DBUG_RETURN(1);
}
#ifndef DBUG_OFF #ifndef DBUG_OFF
DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'" DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'"
,SSL_get_cipher_name(vio->ssl_))); ,SSL_get_cipher_name(vio->ssl_)));
......
...@@ -93,7 +93,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file) ...@@ -93,7 +93,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
{ {
DBUG_PRINT("error",("unable to get certificate from '%s'\n",cert_file)); DBUG_PRINT("error",("unable to get certificate from '%s'\n",cert_file));
/* FIX stderr */ /* FIX stderr */
fprintf(stderr,"Error when connection to server using SSL:");
ERR_print_errors_fp(stderr); ERR_print_errors_fp(stderr);
fprintf(stderr,"Unable to get certificate from '%s'\n", cert_file);
fflush(stderr);
DBUG_RETURN(0); DBUG_RETURN(0);
} }
if (key_file == NULL) if (key_file == NULL)
...@@ -103,7 +106,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file) ...@@ -103,7 +106,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
{ {
DBUG_PRINT("error", ("unable to get private key from '%s'\n",key_file)); DBUG_PRINT("error", ("unable to get private key from '%s'\n",key_file));
/* FIX stderr */ /* FIX stderr */
fprintf(stderr,"Error when connection to server using SSL:");
ERR_print_errors_fp(stderr); ERR_print_errors_fp(stderr);
fprintf(stderr,"Unable to get private key from '%s'\n", cert_file);
fflush(stderr);
DBUG_RETURN(0); DBUG_RETURN(0);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment