commit f1750920bfa500f7162a877b355921a80aa9073a
Author: Laurynas Biveinis
Date: Tue Feb 7 09:28:10 2017 +0200
Fix bug 75311 / PS-1779 (Error for SSL cipher is unhelpful)
Make sure to only pass ERR_get_error and not SSL_get_error result to ERR_error_string and ERR_error_string_n functions.
diff --git a/mysql-test/r/ssl_bug75311.result b/mysql-test/r/ssl_bug75311.result
new file mode 100644
index 00000000000..b60609952f2
--- /dev/null
+++ b/mysql-test/r/ssl_bug75311.result
@@ -0,0 +1,7 @@
+#
+# Bug 75311: Error for SSL cipher is unhelpful
+#
+SHOW STATUS LIKE 'Ssl_cipher_list';
+Variable_name Value
+Ssl_cipher_list DHE-RSA-AES256-SHA
+ERROR 2026 (HY000): SSL connection error: ERROR
diff --git a/mysql-test/suite/x/include/connection_tls_version.inc b/mysql-test/suite/x/include/connection_tls_version.inc
index 6ecd0937dc9..140f58cce58 100644
--- a/mysql-test/suite/x/include/connection_tls_version.inc
+++ b/mysql-test/suite/x/include/connection_tls_version.inc
@@ -25,12 +25,12 @@ EOF --exec $MYSQLXTEST -ux_root --file=$xtest_file 2>&1 --let $XTESTPARAMS= -u user5_mysqlx --password='auth_string' --file=$xtest_file --ssl-cipher='DHE-RSA-AES256-SHA' -# each of the below regexps has 3 replaces -# 1: for openssl 1.0 -# 2: for openssl 1.1 -# 3: for wolfSSL ---let $ERROR1= /in main, line 0:ERROR: error:00000001:lib\(0\):func\(0\):reason\(1\)/Application terminated with expected error: protocol version mismatch/ /in main, line 0:ERROR: record layer version error/Application terminated with expected error: protocol version mismatch/ ---let $ERROR5= /in main, line 0:ERROR: error:00000005:lib\(0\):func\(0\):DH lib/Application terminated with expected error: socket layer receive error/ /in main, line 0:ERROR: error:00000001:lib\(0\):func\(0\):reason\(1\)/Application terminated with expected error: socket layer receive error/ /in main, line 0:ERROR: error state on socket/Application terminated with expected error: socket layer receive error/ +# each of the below regexps has 2 replaces +# 1: general OpenSSL +# 2: OpenSSL on Debian Stretch +--let $ERROR1= /in main, line 0:ERROR: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:socket layer receive error/Application terminated with expected error/ /in main, line 0:ERROR: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol/Application terminated with expected error/ /in main, line 0:ERROR: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version/Application terminated with expected error/ /in main, line 0:ERROR: error:14171102:SSL routines:tls_process_server_hello:unsupported protocol/Application terminated with expected error/ /in main, line 0:ERROR: not in error state /Application terminated with expected error / + +--let $ERROR5= /in main, line 0:ERROR: error:00000000:lib\(0\):func\(0\):reason\(0\)/Application terminated with expected error: socket layer receive error/ /in main, line 0:ERROR: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert 
protocol version/Application terminated with expected error: socket layer receive error/ /in main, line 0:ERROR: not in error state /Application terminated with expected error: socket layer receive error / --exec $MYSQLXTEST $XTESTPARAMS 2>&1 --exec $MYSQLXTEST --tls-version=TLSv1,TLSv1.1,TLSv1.2 $XTESTPARAMS 2>&1 @@ -54,14 +54,14 @@ EOF --exec $MYSQLXTEST --tls-version=TLSv1,TLSv1.2 $XTESTPARAMS 2>&1 --let $expected_error_extra= $ERROR1 ---let $expected_error_msg= protocol version mismatch \(code 2026\) +--let $expected_error_msg= unsupported protocol \(code 2026\) --source ../include/mysqlxtest_expected_error.inc --exec $MYSQLXTEST --tls-version=TLSv1.1,TLSv1.2 $XTESTPARAMS 2>&1 --exec $MYSQLXTEST --tls-version=TLSv1 $XTESTPARAMS 2>&1 --let $expected_error_extra= $ERROR1 ---let $expected_error_msg= protocol version mismatch \(code 2026\) +--let $expected_error_msg= unsupported protocol \(code 2026\) --source ../include/mysqlxtest_expected_error.inc --exec $MYSQLXTEST --tls-version=TLSv1.1 $XTESTPARAMS 2>&1 diff --git a/mysql-test/suite/x/r/connection_tls_version.result b/mysql-test/suite/x/r/connection_tls_version.result index 9a722a5daca..a2036a26981 100644 --- a/mysql-test/suite/x/r/connection_tls_version.result +++ b/mysql-test/suite/x/r/connection_tls_version.result @@ -164,7 +164,7 @@ Mysqlx.Ok { msg: "bye!" } ok -Application terminated with expected error: protocol version mismatch (code 2026) +Application terminated with expected error (code 2026) not ok CONNECTION_TYPE SSL/TLS @@ -179,7 +179,7 @@ Mysqlx.Ok { msg: "bye!" } ok -Application terminated with expected error: protocol version mismatch (code 2026) +Application terminated with expected error (code 2026) not ok Application terminated with expected error: TLS version is invalid (code 2026) not ok 
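Review bot: In connection_tls_version.inc, the first hunk adds replacement pairs to `$ERROR1` and `$ERROR5` that accept `error:00000000:lib\(0\):func\(0\):reason\(0\)` and `not in error state` as expected output. The first is what OpenSSL prints for error code 0, and the second appears to be the equivalent from another TLS library, so the test still passes when the client reports no TLS error detail, which is the symptom this commit targets. If those variants are needed for one particular library build, a comment naming that build would stop them from hiding a regression elsewhere. The header comment also says each regexp has 2 replaces, while `$ERROR1` now carries five pairs and `$ERROR5` three; `# each pair below maps one TLS-library-specific message to the canonical text` would stay accurate.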
@@ -422,7 +422,7 @@ Mysqlx.Ok {
 msg: "bye!"
 }
 ok
-Application terminated with expected error: protocol version mismatch (code 2026)
+Application terminated with expected error (code 2026)
 not ok
 CONNECTION_TYPE
 SSL/TLS
@@ -437,7 +437,7 @@ Mysqlx.Ok {
 msg: "bye!"
 }
 ok
-Application terminated with expected error: protocol version mismatch (code 2026)
+Application terminated with expected error (code 2026)
 not ok
 Application terminated with expected error: TLS version is invalid (code 2026)
 not ok
diff --git a/mysql-test/t/ssl_bug75311-master.opt b/mysql-test/t/ssl_bug75311-master.opt
new file mode 100644
index 00000000000..458a43a9bb5
--- /dev/null
+++ b/mysql-test/t/ssl_bug75311-master.opt
@@ -0,0 +1 @@
+--ssl-cipher=DHE-RSA-AES256-SHA
diff --git a/mysql-test/t/ssl_bug75311.test b/mysql-test/t/ssl_bug75311.test
new file mode 100644
index 00000000000..beb246cae74
--- /dev/null
+++ b/mysql-test/t/ssl_bug75311.test
@@ -0,0 +1,21 @@
+--source include/have_ssl.inc
+
+--echo #
+--echo # Bug 75311: Error for SSL cipher is unhelpful
+--echo #
+
+--source include/count_sessions.inc
+
+--connect(con1,localhost,root,,,,,SSL)
+
+SHOW STATUS LIKE 'Ssl_cipher_list';
+
+--disconnect con1
+--connection default
+
+# The first error string is returned by YaSSL, the second one by OpenSSL, the third one by OpenSSL on Debian Stretch
+--replace_result "Failed to set ciphers to use" ERROR "error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" ERROR "error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure" ERROR
+--error 1
+--exec $MYSQL -uroot --ssl-mode=REQUIRED --ssl-cipher='AES128-SHA256' -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1
+
+--source include/wait_until_count_sessions.inc
diff --git a/vio/viossl.cc b/vio/viossl.cc
index 2357c550984..75d9afc39c7 100644
--- a/vio/viossl.cc
+++ b/vio/viossl.cc
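Review bot: In mysql-test/t/ssl_bug75311.test, the `--replace_result` line pins the test to three exact library strings, including the numeric codes `14077410` and `14094410` and the internal function names. Any TLS library version that reports the same handshake failure under a different code or function name will fail the result comparison even though the client behaves correctly. Matching on the stable reason text is less brittle, for example `--replace_regex /Failed to set ciphers to use/ERROR/ /error:[0-9A-F]+:SSL routines:[^:]+:sslv3 alert handshake failure/ERROR/`. The comment above it could then say that any handshake-failure message is normalised, instead of listing library builds.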
@@ -128,9 +128,7 @@ static void report_errors(SSL *ssl) { file, line, (flags & ERR_TXT_STRING) ? data : "")); } - if (ssl) - DBUG_PRINT("error", - ("error: %s", ERR_error_string(SSL_get_error(ssl, l), buf))); + if (ssl) DBUG_PRINT("error", ("SSL_get_error: %d", SSL_get_error(ssl, l))); DBUG_PRINT("info", ("socket_errno: %d", socket_errno)); DBUG_VOID_RETURN; @@ -210,6 +208,8 @@ static bool ssl_should_retry(Vio *vio, int ret, enum enum_vio_io_event *event, /* Retrieve the result for the SSL I/O operation. */ ssl_error = SSL_get_error(ssl, ret); + *ssl_errno_holder = ERR_peek_error(); + /* Retrieve the result for the SSL I/O operation. */ switch (ssl_error) { case SSL_ERROR_WANT_READ: @@ -230,8 +230,6 @@ static bool ssl_should_retry(Vio *vio, int ret, enum enum_vio_io_event *event, break; } - *ssl_errno_holder = ssl_error; - return should_retry; }
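Review bot: The new debug line in `report_errors` still passes `l` to `SSL_get_error()`, whose second argument is meant to be the return value of the preceding SSL I/O call, not an error-queue code. `l` is declared outside this hunk, but if it is the variable drained by the error-queue loop that closes just above, it is 0 by the time this line runs, so the printed number says little about the failure. Either drop the line or have callers pass the I/O return value in. At minimum, add a comment such as `/* l is an error-queue value here, not an SSL_* return code */` so the trace is not over-trusted during incident analysis.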
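Review bot: In the `ssl_should_retry` hunk, `ERR_peek_error()` returns the oldest entry in the calling thread's error queue without removing it, so `*ssl_errno_holder` can carry a stale code from an earlier operation, and it is 0 whenever `SSL_get_error()` reports a condition that queues nothing. Nothing visible here clears the queue before the I/O call or after the peek; if that is not done elsewhere, calling `ERR_clear_error()` before the SSL operation is what the OpenSSL documentation recommends. The holder also changes meaning from an `SSL_ERROR_*` value to an error-queue code, so any caller outside this hunk that compares it with `SSL_ERROR_*` constants needs checking, and its pointee type should be `unsigned long` to avoid truncation. A comment above the assignment, such as `/* Oldest queued OpenSSL error code, 0 if none; valid input for ERR_error_string_n() */`, would document the new contract. The function starts and ends outside the hunk.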