database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-24 19:42:23 +03:00
Code Activity

MDEV-29811 server advertises ssl even if it's unusable.

Browse Source 
Abort startup, if SSL setup fails.
Also, for the server always check that certificate matches private key
(even if ssl_cert is not set, OpenSSL will try to use default one)
This commit is contained in:
Vladislav Vaintroub
2022-10-21 19:50:07 +02:00
parent 34ff5ca895
commit 32158be720
4 changed files with 29 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
mysql-test/main/bad_startup_options.result Normal file
View File

@ -0,0 +1 @@
FOUND 1 /\[ERROR\] SSL error: Unable to get certificate/ in errorlog.err

19
mysql-test/main/bad_startup_options.test Normal file
View File

@ -0,0 +1,19 @@
--source include/not_embedded.inc
--source include/have_ssl_communication.inc
--source include/shutdown_mysqld.inc
# Try to start the server, with bad values for some options.
# Make sure, the starts fails, and expected message is in the error log
--let errorlog=$MYSQL_TMP_DIR/errorlog.err
--let SEARCH_FILE=$errorlog
# Bad ssl-cert
--error 1
--exec $MYSQLD --defaults-group-suffix=.1 --defaults-file=$MYSQLTEST_VARDIR/my.cnf --ssl-cert=bad --log-error=$errorlog
--let SEARCH_PATTERN=\[ERROR\] SSL error: Unable to get certificate
--source include/search_pattern_in_file.inc
--remove_file $SEARCH_FILE
--source include/start_mysqld.inc

7
sql/mysqld.cc
View File

@ -5037,10 +5037,9 @@ static void init_ssl()
DBUG_PRINT("info",("ssl_acceptor_fd: %p", ssl_acceptor_fd)); DBUG_PRINT("info",("ssl_acceptor_fd: %p", ssl_acceptor_fd));
if (!ssl_acceptor_fd) if (!ssl_acceptor_fd)
{ {
sql_print_warning("Failed to setup SSL"); sql_print_error("Failed to setup SSL");
sql_print_warning("SSL error: %s", sslGetErrString(error)); sql_print_error("SSL error: %s", sslGetErrString(error));
opt_use_ssl = 0; unireg_abort(1);
have_ssl= SHOW_OPTION_DISABLED;
} }
if (global_system_variables.log_warnings > 0) if (global_system_variables.log_warnings > 0)
{ {

11
vio/viosslfactories.c
View File

@ -97,7 +97,7 @@ sslGetErrString(enum enum_ssl_init_error e)
static int static int
vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file, vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
enum enum_ssl_init_error* error) my_bool is_client, enum enum_ssl_init_error* error)
{ {
DBUG_ENTER("vio_set_cert_stuff"); DBUG_ENTER("vio_set_cert_stuff");
DBUG_PRINT("enter", ("ctx: %p cert_file: %s key_file: %s", DBUG_PRINT("enter", ("ctx: %p cert_file: %s key_file: %s",
@ -134,10 +134,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
} }
/* /*
If we are using DSA, we can copy the parameters from the private key If certificate is used check if private key matches.
Now we know that a key and cert have been set against the SSL context Note, that server side has to use certificate.
*/ */
if (cert_file && !SSL_CTX_check_private_key(ctx)) if ((cert_file != NULL || !is_client) && !SSL_CTX_check_private_key(ctx))
{ {
*error= SSL_INITERR_NOMATCH; *error= SSL_INITERR_NOMATCH;
DBUG_PRINT("error", ("%s",sslGetErrString(*error))); DBUG_PRINT("error", ("%s",sslGetErrString(*error)));
@ -288,7 +288,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
#endif #endif
} }
if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file, error)) if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file,
is_client_method, error))
{ {
DBUG_PRINT("error", ("vio_set_cert_stuff failed")); DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
goto err2; goto err2;