commit 9484fe308ae84274fd8b5a174fb4df6d17ab2eb5 Author: Laurynas Biveinis Date: Tue Feb 7 09:28:10 2017 +0200 Fix bug 75311 / 1660339 (Error for SSL cipher is unhelpful) Make sure to only pass ERR_get_error and not SSL_get_error result to ERR_error_string and ERR_error_string_n functions.
diff --git a/mysql-test/r/ssl_bug75311.result b/mysql-test/r/ssl_bug75311.result
new file mode 100644
index 00000000000..b60609952f2
--- /dev/null
+++ b/mysql-test/r/ssl_bug75311.result
@@ -0,0 +1,7 @@
+#
+# Bug 75311: Error for SSL cipher is unhelpful
+#
+SHOW STATUS LIKE 'Ssl_cipher_list';
+Variable_name Value
+Ssl_cipher_list DHE-RSA-AES256-SHA
+ERROR 2026 (HY000): SSL connection error: ERROR
diff --git a/mysql-test/t/ssl_bug75311-master.opt b/mysql-test/t/ssl_bug75311-master.opt
new file mode 100644
index 00000000000..458a43a9bb5
--- /dev/null
+++ b/mysql-test/t/ssl_bug75311-master.opt
@@ -0,0 +1 @@
+--ssl-cipher=DHE-RSA-AES256-SHA
diff --git a/mysql-test/t/ssl_bug75311.test b/mysql-test/t/ssl_bug75311.test
new file mode 100644
index 00000000000..a32bfbf6553
--- /dev/null
+++ b/mysql-test/t/ssl_bug75311.test
@@ -0,0 +1,21 @@
+--source include/have_ssl_communication.inc
+
+--echo #
+--echo # Bug 75311: Error for SSL cipher is unhelpful
+--echo #
+
+--source include/count_sessions.inc
+
+--connect(con1,localhost,root,,,,,SSL)
+
+SHOW STATUS LIKE 'Ssl_cipher_list';
+
+--disconnect con1
+--connection default
+
+# The first error string is returned by YaSSL, the second one by OpenSSL
+--replace_result "Failed to set ciphers to use" ERROR "error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" ERROR
+--error 1
+--exec $MYSQL -uroot --ssl-mode=REQUIRED --ssl-cipher='AES128-SHA256' -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1
+
+--source include/wait_until_count_sessions.inc
diff --git a/vio/viossl.cc b/vio/viossl.cc
index c8fd3c4c7d6..8cd50882595 100644
--- a/vio/viossl.cc
+++ b/vio/viossl.cc
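Review bot: In mysql-test/t/ssl_bug75311.test the `--replace_result` line matches one exact OpenSSL string, `error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure`, whose numeric code and function name depend on the OpenSSL build the client links against. A library that raises the same handshake alert from a different routine would leave the text unreplaced, and the test would then fail against the recorded `ERROR` line for a reason unrelated to the bug. Matching only the stable part is sturdier, for example `--replace_regex /Failed to set ciphers to use/ERROR/ /error:[0-9A-F]+:SSL routines:[^:]*:sslv3 alert handshake failure/ERROR/`.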
@@ -44,8 +44,7 @@ report_errors(SSL* ssl) } if (ssl) - DBUG_PRINT("error", ("error: %s", - ERR_error_string(SSL_get_error(ssl, l), buf))); + DBUG_PRINT("error", ("SSL_get_error: %d", SSL_get_error(ssl, l))); DBUG_PRINT("info", ("socket_errno: %d", socket_errno)); DBUG_VOID_RETURN; @@ -132,6 +131,8 @@ static my_bool ssl_should_retry(Vio *vio, int ret, /* Retrieve the result for the SSL I/O operation. */ ssl_error= SSL_get_error(ssl, ret); + *ssl_errno_holder= ERR_peek_error(); + /* Retrieve the result for the SSL I/O operation. */ switch (ssl_error) { @@ -156,8 +157,6 @@ static my_bool ssl_should_retry(Vio *vio, int ret, break; } - *ssl_errno_holder= ssl_error; - return should_retry; }
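Review bot: The rewritten debug line in report_errors still calls `SSL_get_error(ssl, l)`, and `l` does not look like the return value of an SSL I/O call, which is what SSL_get_error expects as its second argument. `l` is declared outside this hunk; if it is the error-queue code left over from the reporting loop above, the printed number says nothing about the operation that failed and will mislead whoever reads the trace. Either pass the real I/O return code into report_errors, or drop the line and leave a comment such as `/* SSL_get_error() needs the I/O return code, which is not available here */`. The function starts before the hunk, so the loop and the declaration of `l` should be checked there.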
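Review bot: `ERR_peek_error()` in ssl_should_retry returns the oldest entry in the thread's error queue, or 0 when the queue is empty, so `*ssl_errno_holder` can now be 0 or stale. It will typically be 0 for outcomes that queue nothing (want-read/want-write, a clean shutdown, a plain socket error), and it can carry an older code if the queue was not emptied before the I/O call. The callers that format this value are outside the hunk, so confirm they treat 0 as "no library error" rather than passing it to `ERR_error_string_n`, and that `ERR_clear_error()` runs before the operation. The commit message names ERR_get_error while the code only peeks, so the entry stays queued for whoever drains it later, which deserves a comment on the new line such as `/* Save the OpenSSL error-queue code for the caller; 0 if the queue is empty. The entry is left queued. */`. The new assignment also sits directly above a second copy of the "Retrieve the result" comment, which now describes the switch rather than a retrieval and could be reworded.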