wrong error for bare --ssl on the server side

when neither --ssl-key nor --ssl-cert were set, the errror was "Private key does not match the certificate public key" changed to "Unable to get certificate"

wrong error for bare --ssl on the server side
when neither --ssl-key nor --ssl-cert were set, the errror was "Private key does not match the certificate public key" changed to "Unable to get certificate"
d33a8ab1 · Sergei Golubchik · d772c4fb · d33a8ab1
Commit d33a8ab1 authored Aug 23, 2023 by Sergei Golubchik
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 8 deletions

vio/viosslfactories.c vio/viosslfactories.c +17 -8

No files found.
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -103,14 +103,24 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
  DBUG_PRINT("enter", ("ctx: %p cert_file: %s  key_file: %s",
 		       ctx, cert_file, key_file));

-  if (!cert_file &&  key_file)
+  if (!cert_file && !key_file)
+  {
+    if (!is_client)
+    {
+      *error= SSL_INITERR_CERT;
+      fprintf(stderr, "SSL error: %s\n", sslGetErrString(*error));
+      DBUG_RETURN(1);
+    }
+    DBUG_RETURN(0);
+  }
+
+  /* cert and key can be combined in one file */
+  if (!cert_file)
    cert_file= key_file;
-  
-  if (!key_file &&  cert_file)
+  else if (!key_file)
    key_file= cert_file;

-  if (cert_file &&
-      SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0)
+  if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0)
  {
    *error= SSL_INITERR_CERT;
    DBUG_PRINT("error",("%s from file '%s'", sslGetErrString(*error), cert_file));
@@ -121,8 +131,7 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
    DBUG_RETURN(1);
  }

-  if (key_file &&
-      SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0)
+  if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0)
  {
    *error= SSL_INITERR_KEY;
    DBUG_PRINT("error", ("%s from file '%s'", sslGetErrString(*error), key_file));
@@ -137,7 +146,7 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
    If certificate is used check if private key matches.
    Note, that server side has to use certificate.
  */
-  if ((cert_file || !is_client) && !SSL_CTX_check_private_key(ctx))
+  if (!SSL_CTX_check_private_key(ctx))
  {
    *error= SSL_INITERR_NOMATCH;
    DBUG_PRINT("error", ("%s",sslGetErrString(*error)));