[Commits] Rev 4347: improve OpenSSL error reporting in lp:~maria-captains/maria/5.5

Sergei Golubchik serg at mariadb.org
Tue Nov 11 21:03:53 EET 2014


At lp:~maria-captains/maria/5.5

------------------------------------------------------------
revno: 4347
revision-id: sergii at pisem.net-20141111190352-2dsrzu0hl0u97898
parent: sergii at pisem.net-20141110181739-qdtdu9rnyo0i81og
committer: Sergei Golubchik <sergii at pisem.net>
branch nick: 5.5
timestamp: Tue 2014-11-11 20:03:52 +0100
message:
  improve OpenSSL error reporting
  
  e.g. from "error:00000001:lib(0):func(0):reason(1)"
  to "error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available"
=== modified file 'client/mysqltest.cc'
--- a/client/mysqltest.cc	2014-05-28 11:51:19 +0000
+++ b/client/mysqltest.cc	2014-11-11 19:03:52 +0000
@@ -5883,6 +5883,7 @@ void do_connect(struct st_command *comma
 {
   int con_port= opt_port;
   char *con_options;
+  char *ssl_cipher= opt_ssl_cipher;
   my_bool con_ssl= 0, con_compress= 0;
   my_bool con_pipe= 0;
   my_bool con_shm __attribute__ ((unused))= 0;
@@ -5971,6 +5972,11 @@ void do_connect(struct st_command *comma
     length= (size_t) (end - con_options);
     if (length == 3 && !strncmp(con_options, "SSL", 3))
       con_ssl= 1;
+    else if (!strncmp(con_options, "SSL-CIPHER=", 11))
+    {
+      con_ssl= 1;
+      ssl_cipher=con_options + 11;
+    }
     else if (length == 8 && !strncmp(con_options, "COMPRESS", 8))
       con_compress= 1;
     else if (length == 4 && !strncmp(con_options, "PIPE", 4))
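Review bot: The new `SSL-CIPHER=` branch stores a bare pointer into the shared options buffer (`ssl_cipher=con_options + 11`) and never terminates it at `end`, so if another option follows on the same connect line (e.g. `SSL-CIPHER=x COMPRESS`) the cipher list later handed to mysql_ssl_set would, as far as the visible loop shows, carry the trailing text as well. The sibling branches compare against `length` first; this one ignores `length` entirely, which is harmless for the strncmp but means the value's real length (`length - 11`) is lost. Copying at most `length - 11` bytes into a bounded, NUL-terminated local buffer that outlives the loop would make the option composable with COMPRESS/PIPE like the others. do_connect starts before this hunk, so the remaining uses of `ssl_cipher` are inferred rather than seen.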
@@ -6027,7 +6033,7 @@ void do_connect(struct st_command *comma
   {
 #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
     mysql_ssl_set(con_slot->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
-		  opt_ssl_capath, opt_ssl_cipher);
+		  opt_ssl_capath, ssl_cipher);
 #if MYSQL_VERSION_ID >= 50000
     /* Turn on ssl_verify_server_cert only if host is "localhost" */
     opt_ssl_verify_server_cert= !strcmp(ds_host.str, "localhost");

=== modified file 'mysql-test/mysql-test-run.pl'
--- a/mysql-test/mysql-test-run.pl	2014-10-28 11:45:39 +0000
+++ b/mysql-test/mysql-test-run.pl	2014-11-11 19:03:52 +0000
@@ -4801,6 +4801,8 @@ sub extract_warning_lines ($$) {
      qr|feedback plugin: failed to retrieve the MAC address|,
      qr|Plugin 'FEEDBACK' init function returned error|,
      qr|Plugin 'FEEDBACK' registration as a INFORMATION SCHEMA failed|,
+     qr|Failed to setup SSL|,
+     qr|SSL error: Failed to set ciphers to use|,
     );
 
   my $matched_lines= [];
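Review bot: The two new suppressions at the end of the list (`qr|Failed to setup SSL|`, `qr|SSL error: Failed to set ciphers to use|`) are global, so a server in any other test that fails to bring up SSL — for instance because its cipher list is rejected by the linked OpenSSL — will no longer fail the run on those warnings, and since the server typically logs this and continues without SSL, such a test could pass over plaintext unnoticed. Scoping them to the new test with `call mtr.add_suppression(...)` in openssl-poodle_6975.test, or anchoring the patterns to the cipher names that test deliberately misuses, keeps the global list from masking real configuration errors. extract_warning_lines begins before this hunk, so I cannot see whether the surrounding entries are already narrowed in some other way.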

=== added file 'mysql-test/r/openssl-poodle_6975,tlsv12.rdiff'
--- a/mysql-test/r/openssl-poodle_6975,tlsv12.rdiff	1970-01-01 00:00:00 +0000
+++ b/mysql-test/r/openssl-poodle_6975,tlsv12.rdiff	2014-11-11 19:03:52 +0000
@@ -0,0 +1,38 @@
+4,5c4,7
+< ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+< ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+---
+> Variable_name	Value
+> Ssl_cipher	AES128-SHA256
+> Variable_name	Value
+> Ssl_cipher	DHE-RSA-AES256-GCM-SHA384
+7,8c9,10
+< ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+< ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+---
+> ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
+> ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
+9a12,15
+> Variable_name	Value
+> Ssl_cipher	AES128-SHA256
+> ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
+> SSLv3 ciphers: user is ok with any cipher
+12,16d17
+< SSLv3 ciphers: user is ok with any cipher
+< Variable_name	Value
+< Ssl_cipher	RC4-SHA
+< Variable_name	Value
+< Ssl_cipher	DHE-RSA-AES256-SHA
+18,20c19,20
+< Variable_name	Value
+< Ssl_cipher	RC4-SHA
+< ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
+---
+> ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+> ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+22,23c22,23
+< ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
+< ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
+---
+> ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+> ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

=== added file 'mysql-test/r/openssl-poodle_6975.result'
--- a/mysql-test/r/openssl-poodle_6975.result	1970-01-01 00:00:00 +0000
+++ b/mysql-test/r/openssl-poodle_6975.result	2014-11-11 19:03:52 +0000
@@ -0,0 +1,25 @@
+grant select on test.* to ssl_sslv3 at localhost require cipher "RC4-SHA";
+grant select on test.* to ssl_tls12 at localhost require cipher "AES128-SHA256";
+TLS1.2 ciphers: user is ok with any cipher
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+SSLv3 ciphers: user is ok with any cipher
+Variable_name	Value
+Ssl_cipher	RC4-SHA
+Variable_name	Value
+Ssl_cipher	DHE-RSA-AES256-SHA
+SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA
+Variable_name	Value
+Ssl_cipher	RC4-SHA
+ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
+SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256
+ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
+ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
+drop user ssl_sslv3 at localhost;
+drop user ssl_tls12 at localhost;

=== modified file 'mysql-test/r/openssl_1.result'
--- a/mysql-test/r/openssl_1.result	2014-01-22 14:29:36 +0000
+++ b/mysql-test/r/openssl_1.result	2014-11-11 19:03:52 +0000
@@ -7,6 +7,8 @@ grant select on test.* to ssl_user3 at loca
 grant select on test.* to ssl_user4 at localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
 grant select on test.* to ssl_user5 at localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
 flush privileges;
+connect(localhost,ssl_user2,,test,MASTER_PORT,MASTER_SOCKET);
+ERROR 28000: Access denied for user 'ssl_user2'@'localhost' (using password: NO)
 connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET);
 ERROR 28000: Access denied for user 'ssl_user5'@'localhost' (using password: NO)
 SHOW STATUS LIKE 'Ssl_cipher';

=== added file 'mysql-test/t/openssl-poodle_6975.combinations'
--- a/mysql-test/t/openssl-poodle_6975.combinations	1970-01-01 00:00:00 +0000
+++ b/mysql-test/t/openssl-poodle_6975.combinations	2014-11-11 19:03:52 +0000
@@ -0,0 +1,6 @@
+[tlsv12]
+loose-ssl-cipher=TLSv1.2
+
+[sslv3]
+loose-ssl-cipher=SSLv3
+

=== added file 'mysql-test/t/openssl-poodle_6975.test'
--- a/mysql-test/t/openssl-poodle_6975.test	1970-01-01 00:00:00 +0000
+++ b/mysql-test/t/openssl-poodle_6975.test	2014-11-11 19:03:52 +0000
@@ -0,0 +1,38 @@
+#
+# MDEV-6975 Implement TLS protocol
+#
+# test SSLv3 and TLSv1.2 ciphers when OpenSSL is restricted to SSLv3 or TLSv1.2
+#
+source include/have_ssl_communication.inc;
+
+# this is OpenSSL test.
+
+grant select on test.* to ssl_sslv3 at localhost require cipher "RC4-SHA";
+grant select on test.* to ssl_tls12 at localhost require cipher "AES128-SHA256";
+
+let $mysql=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
+
+disable_abort_on_error;
+echo TLS1.2 ciphers: user is ok with any cipher;
+exec $mysql                  --ssl-cipher=AES128-SHA256;
+exec $mysql                  --ssl-cipher=TLSv1.2;
+echo TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA;
+exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA256;
+exec $mysql --user ssl_sslv3 --ssl-cipher=TLSv1.2;
+echo TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
+exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA256;
+exec $mysql --user ssl_tls12 --ssl-cipher=TLSv1.2;
+
+echo SSLv3 ciphers: user is ok with any cipher;
+exec $mysql                  --ssl-cipher=RC4-SHA;
+exec $mysql                  --ssl-cipher=SSLv3;
+echo SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA;
+exec $mysql --user ssl_sslv3 --ssl-cipher=RC4-SHA;
+exec $mysql --user ssl_sslv3 --ssl-cipher=SSLv3;
+echo SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
+exec $mysql --user ssl_tls12 --ssl-cipher=RC4-SHA;
+exec $mysql --user ssl_tls12 --ssl-cipher=SSLv3;
+
+drop user ssl_sslv3 at localhost;
+drop user ssl_tls12 at localhost;
+
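Review bot: The header says `# this is OpenSSL test.` but the only guard is `source include/have_ssl_communication.inc;`, which by its name only requires that some SSL library is linked; the group names `TLSv1.2` and `SSLv3` passed to `--ssl-cipher` are OpenSSL cipher-string syntax, so a yaSSL build would most likely produce different output and fail instead of skipping. If the suite has an OpenSSL-only include (I believe `include/have_openssl.inc` exists; please confirm), sourcing it after the communication check turns the comment into an enforced precondition. A one-line comment above the `let $mysql=` line noting that `2>&1` is there so the ERROR 2026 lines land in the result file would also help the next reader.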

=== modified file 'mysql-test/t/openssl_1.test'
--- a/mysql-test/t/openssl_1.test	2013-09-06 20:31:30 +0000
+++ b/mysql-test/t/openssl_1.test	2014-11-11 19:03:52 +0000
@@ -20,13 +20,16 @@ grant select on test.* to ssl_user4 at loca
 grant select on test.* to ssl_user5 at localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
 flush privileges;
 
-connect (con1,localhost,ssl_user1,,,,,SSL);
-connect (con2,localhost,ssl_user2,,,,,SSL);
-connect (con3,localhost,ssl_user3,,,,,SSL);
-connect (con4,localhost,ssl_user4,,,,,SSL);
+connect (con1,localhost,ssl_user1,,,,,SSL-CIPHER=DHE-RSA-AES256-SHA);
 --replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
 --error ER_ACCESS_DENIED_ERROR
-connect (con5,localhost,ssl_user5,,,,,SSL);
+connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=RC4-SHA);
+connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=DHE-RSA-AES256-SHA);
+connect (con3,localhost,ssl_user3,,,,,SSL-CIPHER=DHE-RSA-AES256-SHA);
+connect (con4,localhost,ssl_user4,,,,,SSL-CIPHER=DHE-RSA-AES256-SHA);
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+--error ER_ACCESS_DENIED_ERROR
+connect (con5,localhost,ssl_user5,,,,,SSL-CIPHER=DHE-RSA-AES256-SHA);
 
 connection con1;
 # Check ssl turned on
@@ -129,6 +132,7 @@ drop table t1;
 # verification of servers certificate by setting both ca certificate
 # and ca path to NULL
 #
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 --exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
 --echo End of 5.0 tests
 
@@ -255,6 +259,7 @@ select 'is still running; no cipher requ
 GRANT SELECT ON test.* TO bug42158 at localhost REQUIRE X509;
 FLUSH PRIVILEGES;
 connect(con1,localhost,bug42158,,,,,SSL);
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';
 disconnect con1;
 connection default;

=== modified file 'mysql-test/t/ssl.test'
--- a/mysql-test/t/ssl.test	2010-11-25 17:17:28 +0000
+++ b/mysql-test/t/ssl.test	2014-11-11 19:03:52 +0000
@@ -11,12 +11,14 @@
 connect (ssl_con,localhost,root,,,,,SSL);
 
 # Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';
 
 # Source select test case
 -- source include/common-tests.inc
 
 # Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';
 
 connection default;

=== modified file 'mysql-test/t/ssl_8k_key-master.opt'
--- a/mysql-test/t/ssl_8k_key-master.opt	2010-07-28 15:59:19 +0000
+++ b/mysql-test/t/ssl_8k_key-master.opt	2014-11-11 19:03:52 +0000
@@ -1 +1,3 @@
---loose-ssl-key=$MYSQL_TEST_DIR/std_data/server8k-key.pem --loose-ssl-cert=$MYSQL_TEST_DIR/std_data/server8k-cert.pem
+--loose-ssl-key=$MYSQL_TEST_DIR/std_data/server8k-key.pem
+--loose-ssl-cert=$MYSQL_TEST_DIR/std_data/server8k-cert.pem
+--loose-ssl-cipher=DHE-RSA-AES256-SHA

=== modified file 'mysql-test/t/ssl_compress.test'
--- a/mysql-test/t/ssl_compress.test	2010-11-25 17:17:28 +0000
+++ b/mysql-test/t/ssl_compress.test	2014-11-11 19:03:52 +0000
@@ -11,6 +11,7 @@
 connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS);
 
 # Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';
 
 # Check compression turned on
@@ -20,6 +21,7 @@ SHOW STATUS LIKE 'Compression';
 -- source include/common-tests.inc
 
 # Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';
 
 # Check compression turned on

=== modified file 'vio/viossl.c'
--- a/vio/viossl.c	2014-03-17 12:04:28 +0000
+++ b/vio/viossl.c	2014-11-11 19:03:52 +0000
@@ -26,6 +26,18 @@
 
 #ifdef HAVE_OPENSSL
 
+#ifndef HAVE_YASSL
+/*
+  yassl seem to be different here, SSL_get_error() value can be
+  directly passed to ERR_error_string(), and these errors don't go
+  into ERR_get_error() stack.
+  in openssl, apparently, SSL_get_error() values live in a different
+  namespace, one needs to use ERR_get_error() as an argument
+  for ERR_error_string().
+*/
+#define SSL_get_error(X,Y) ERR_get_error()
+#endif
+
 #ifndef DBUG_OFF
 
 static void
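Review bot: The function-like macro `#define SSL_get_error(X,Y) ERR_get_error()` rewrites every later use of SSL_get_error in this translation unit, not just the error-reporting sites, and the two calls have different semantics: ERR_get_error() pops the thread's error queue (returning 0 when it is empty) rather than classifying the last I/O result, so any code after this point that tests for SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE or SSL_ERROR_ZERO_RETURN would silently stop working. Whether the rest of viossl.c does that is outside the hunk, but shadowing a library API with a macro is fragile for exactly that reason. A small static helper called only from the reporting code keeps the OpenSSL API intact and makes the yaSSL difference explicit; the reporting sites would then call `vio_ssl_last_error(ssl, ret)` instead of `SSL_get_error(ssl, ret)`.
```c
#ifndef HAVE_YASSL
/* … unchanged: comment on yaSSL vs OpenSSL error namespaces … */
/* OpenSSL: the printable error lives on the ERR queue, not in SSL_get_error(). */
static unsigned long vio_ssl_last_error(SSL *ssl, int ret)
{
  (void) ssl;
  (void) ret;
  return ERR_get_error();
}
#else
/* yaSSL: SSL_get_error() already yields a value ERR_error_string() understands. */
static unsigned long vio_ssl_last_error(SSL *ssl, int ret)
{
  return (unsigned long) SSL_get_error(ssl, ret);
}
#endif
```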

=== modified file 'vio/viosslfactories.c'
--- a/vio/viosslfactories.c	2014-03-17 12:04:28 +0000
+++ b/vio/viosslfactories.c	2014-11-11 19:03:52 +0000
@@ -190,8 +190,8 @@ new_VioSSLFd(const char *key_file, const
     DBUG_RETURN(0);
 
   if (!(ssl_fd->ssl_context= SSL_CTX_new(is_client_method ? 
-                                         TLSv1_client_method() :
-                                         TLSv1_server_method())))
+                                         SSLv23_client_method() :
+                                         SSLv23_server_method())))
   {
     *error= SSL_INITERR_MEMFAIL;
     DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
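Review bot: Switching to `SSLv23_client_method()`/`SSLv23_server_method()` lets the library negotiate any protocol version it was built with, including SSLv3 and, on older OpenSSL builds, SSLv2, and the hunk adds no `SSL_CTX_set_options()` call to rule those out; the protocol floor then depends only on what the configured cipher string happens to exclude, which is what the new openssl-poodle_6975 test relies on (`--ssl-cipher=TLSv1.2` versus `SSLv3`). If no such call exists elsewhere in new_VioSSLFd (the function starts before this hunk), I would add `SSL_CTX_set_options(ssl_fd->ssl_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` directly after the SSL_CTX_new check, or at minimum `SSL_OP_NO_SSLv2`, and make SSLv3 something an operator must opt back into rather than something a permissive cipher list re-enables. Either way, a short comment at the method change saying that version selection is intentionally delegated to the cipher list would stop the next reader from treating this as an accidental downgrade.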


