MDEV-29811 server advertises ssl even if it's unusable.

Abort startup, if SSL setup fails. Also, for the server always check that certificate matches private key (even if ssl_cert is not set, OpenSSL will try to use default one)
MariaDB · Oct 25, 2022 · 32158be · 32158be
1 parent 34ff5ca
commit 32158be
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 9 deletions.
diff --git a/mysql-test/main/bad_startup_options.result b/mysql-test/main/bad_startup_options.result
@@ -0,0 +1 @@
+FOUND 1 /\[ERROR\] SSL error: Unable to get certificate/ in errorlog.err
diff --git a/mysql-test/main/bad_startup_options.test b/mysql-test/main/bad_startup_options.test
@@ -0,0 +1,19 @@
+--source include/not_embedded.inc
+--source include/have_ssl_communication.inc
+
+--source include/shutdown_mysqld.inc
+
+# Try to start the server, with bad values for some options.
+# Make sure, the starts fails, and expected message is in the error log
+
+--let errorlog=$MYSQL_TMP_DIR/errorlog.err
+--let SEARCH_FILE=$errorlog
+
+# Bad ssl-cert
+--error 1
+--exec $MYSQLD --defaults-group-suffix=.1 --defaults-file=$MYSQLTEST_VARDIR/my.cnf --ssl-cert=bad --log-error=$errorlog
+--let SEARCH_PATTERN=\[ERROR\] SSL error: Unable to get certificate
+--source include/search_pattern_in_file.inc
+--remove_file $SEARCH_FILE
+
+--source include/start_mysqld.inc
diff --git a/sql/mysqld.cc b/sql/mysqld.cc
@@ -5037,10 +5037,9 @@ static void init_ssl()
     DBUG_PRINT("info",("ssl_acceptor_fd: %p", ssl_acceptor_fd));
     if (!ssl_acceptor_fd)
     {
-      sql_print_warning("Failed to setup SSL");
-      sql_print_warning("SSL error: %s", sslGetErrString(error));
-      opt_use_ssl = 0;
-      have_ssl= SHOW_OPTION_DISABLED;
+      sql_print_error("Failed to setup SSL");
+      sql_print_error("SSL error: %s", sslGetErrString(error));
+      unireg_abort(1);
     }
     if (global_system_variables.log_warnings > 0)
     {

diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
@@ -97,7 +97,7 @@ sslGetErrString(enum enum_ssl_init_error e)
 
 static int
 vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
-                   enum enum_ssl_init_error* error)
+                   my_bool is_client, enum enum_ssl_init_error* error)
 {
   DBUG_ENTER("vio_set_cert_stuff");
   DBUG_PRINT("enter", ("ctx: %p cert_file: %s  key_file: %s",
@@ -134,10 +134,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
   }
 
   /*
-    If we are using DSA, we can copy the parameters from the private key
-    Now we know that a key and cert have been set against the SSL context
+    If certificate is used check if private key matches.
+    Note, that server side has to use certificate.
   */
-  if (cert_file && !SSL_CTX_check_private_key(ctx))
+  if ((cert_file != NULL || !is_client) && !SSL_CTX_check_private_key(ctx))
   {
     *error= SSL_INITERR_NOMATCH;
     DBUG_PRINT("error", ("%s",sslGetErrString(*error)));
@@ -288,7 +288,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
 #endif
   }
 
-  if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file, error))
+  if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file,
+                         is_client_method, error))
   {
     DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
     goto err2;