Fix for CONC-587:

Since alerts may happen after handshake (for example with described
test in CONC-587 using TLSv1.3 protocol or by renegotiation) the
tls error message needs to be retrieved if error is a protocol error
(SSL_ERROR_SSL) and/or if errno was not set.

libmariadb/mariadb_lib.c

@@ -202,10 +202,16 @@ ma_net_safe_read(MYSQL *mysql)
   if (len == packet_error || len == 0)
   {
     end_server(mysql);
-    my_set_error(mysql, net->last_errno == ER_NET_PACKET_TOO_LARGE ?
-		     CR_NET_PACKET_TOO_LARGE:
-		     CR_SERVER_LOST,
-         SQLSTATE_UNKNOWN, 0, errno);
+#ifdef HAVE_TLS
+    /* don't overwrite possible tls protocol errors */
+    if (net->last_errno != CR_SSL_CONNECTION_ERROR)
+#endif
+    {
+      my_set_error(mysql, net->last_errno == ER_NET_PACKET_TOO_LARGE ?
+                   CR_NET_PACKET_TOO_LARGE:
+                   CR_SERVER_LOST,
+                   SQLSTATE_UNKNOWN, 0, errno);
+    }
     return(packet_error);
   }
   if (net->read_pos[0] == 255)

libmariadb/secure/openssl.c

@@ -591,7 +591,14 @@ ssize_t ma_tls_read(MARIADB_TLS *ctls, const uchar* buffer, size_t length)
   {
     int error= SSL_get_error((SSL *)ctls->ssl, rc);
     if (error != SSL_ERROR_WANT_READ)
+    {
+      if (error == SSL_ERROR_SSL || errno == 0)
+      {
+        MYSQL *mysql= SSL_get_app_data(ctls->ssl);
+        ma_tls_set_error(mysql);
+      }
       return rc;
+    }
     if (pvio->methods->wait_io_or_timeout(pvio, TRUE, pvio->mysql->options.read_timeout) < 1)
       return rc;
   }
@@ -607,7 +614,14 @@ ssize_t ma_tls_write(MARIADB_TLS *ctls, const uchar* buffer, size_t length)
   {
     int error= SSL_get_error((SSL *)ctls->ssl, rc);
     if (error != SSL_ERROR_WANT_WRITE)
+    {
+      if (error == SSL_ERROR_SSL || errno == 0)
+      {
+        MYSQL *mysql= SSL_get_app_data(ctls->ssl);
+        ma_tls_set_error(mysql);
+      }
       return rc;
+    }
     if (pvio->methods->wait_io_or_timeout(pvio, TRUE, pvio->mysql->options.write_timeout) < 1)
       return rc;
   }