MDEV-29811 server advertises ssl even if it's unusable.

Abort startup, if SSL setup fails. Also, for the server always check that certificate matches private key (even if ssl_cert is not set, OpenSSL will try to use default one)

MDEV-29811 server advertises ssl even if it's unusable.
Abort startup, if SSL setup fails. Also, for the server always check that certificate matches private key (even if ssl_cert is not set, OpenSSL will try to use default one)
32158be7 · Vladislav Vaintroub · 34ff5ca8 · 32158be7 · 32158be7 · 32158be7
Commit 32158be7 authored Oct 21, 2022 by Vladislav Vaintroub
4 changed files
--- a/mysql-test/main/bad_startup_options.result
+++ b/mysql-test/main/bad_startup_options.result
+FOUND 1 /\[ERROR\] SSL error: Unable to get certificate/ in errorlog.err
--- a/mysql-test/main/bad_startup_options.test
+++ b/mysql-test/main/bad_startup_options.test
+--source include/not_embedded.inc
+--source include/have_ssl_communication.inc
+
+--source include/shutdown_mysqld.inc
+
+# Try to start the server, with bad values for some options.
+# Make sure, the starts fails, and expected message is in the error log
+
+--let errorlog=$MYSQL_TMP_DIR/errorlog.err
+--let SEARCH_FILE=$errorlog
+
+# Bad ssl-cert
+--error 1
+--exec $MYSQLD --defaults-group-suffix=.1 --defaults-file=$MYSQLTEST_VARDIR/my.cnf --ssl-cert=bad --log-error=$errorlog
+--let SEARCH_PATTERN=\[ERROR\] SSL error: Unable to get certificate
+--source include/search_pattern_in_file.inc
+--remove_file $SEARCH_FILE
+
+--source include/start_mysqld.inc
--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -5037,10 +5037,9 @@ static void init_ssl()
    DBUG_PRINT("info",("ssl_acceptor_fd: %p", ssl_acceptor_fd));
    if (!ssl_acceptor_fd)
    {
-      sql_print_warning("Failed to setup SSL");
-      sql_print_warning("SSL error: %s", sslGetErrString(error));
-      opt_use_ssl = 0;
-      have_ssl= SHOW_OPTION_DISABLED;
+      sql_print_error("Failed to setup SSL");
+      sql_print_error("SSL error: %s", sslGetErrString(error));
+      unireg_abort(1);
    }
    if (global_system_variables.log_warnings > 0)
    {

--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -97,7 +97,7 @@ sslGetErrString(enum enum_ssl_init_error e)

 static int
 vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
-                   enum enum_ssl_init_error* error)
+                   my_bool is_client, enum enum_ssl_init_error* error)
 {
  DBUG_ENTER("vio_set_cert_stuff");
  DBUG_PRINT("enter", ("ctx: %p cert_file: %s  key_file: %s",
@@ -134,10 +134,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
  }

  /*
-    If we are using DSA, we can copy the parameters from the private key
-    Now we know that a key and cert have been set against the SSL context
+    If certificate is used check if private key matches.
+    Note, that server side has to use certificate.
  */
-  if (cert_file && !SSL_CTX_check_private_key(ctx))
+  if ((cert_file != NULL || !is_client) && !SSL_CTX_check_private_key(ctx))
  {
    *error= SSL_INITERR_NOMATCH;
    DBUG_PRINT("error", ("%s",sslGetErrString(*error)));
@@ -288,7 +288,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
 #endif
  }

-  if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file, error))
+  if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file,
+                         is_client_method, error))
  {
    DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
    goto err2;