Log OpenSSL errors when SSL initialization fails

When the SSL fails to initialize, the errors from OpenSSL should be logged. This helps to diagnose what is wrong if the error relates to the certificate files or private keys.
2017-09-11 09:47:50 +03:00 · 2017-09-11 09:47:50 +03:00 · dd178875a3
commit dd178875a3
parent 3ca172f380
1 changed files with 26 additions and 5 deletions
--- a/server/core/listener.cc
+++ b/server/core/listener.cc
@ -31,6 +31,8 @@
 #include <stdlib.h>
 #include <string.h>
 #include <fcntl.h>
+#include <string>
+
 #include <maxscale/listener.h>
 #include <maxscale/paths.h>
 #include <maxscale/ssl.h>
@ -232,6 +234,25 @@ RSA* create_rsa(int bits)
 #endif
 }

+static thread_local std::string ssl_errbuf;
+
+static const char* get_ssl_errors()
+{
+    char errbuf[200]; // Enough space according to OpenSSL documentation
+    ssl_errbuf.clear();
+
+    for (int err = ERR_get_error(); err; err = ERR_get_error())
+    {
+        if (!ssl_errbuf.empty())
+        {
+            ssl_errbuf += ", ";
+        }
+        ssl_errbuf += ERR_error_string(err, errbuf);
+    }
+
+    return ssl_errbuf.c_str();
+}
+
 /**
 * Initialize the listener's SSL context. This sets up the generated RSA
 * encryption keys, chooses the listener encryption level and configures the
@ -279,7 +300,7 @@ listener_init_SSL(SSL_LISTENER *ssl_listener)

        if ((ssl_listener->ctx = SSL_CTX_new(ssl_listener->method)) == NULL)
        {
-            MXS_ERROR("SSL context initialization failed.");
+            MXS_ERROR("SSL context initialization failed: %s", get_ssl_errors());
            return -1;
        }

@ -311,28 +332,28 @@ listener_init_SSL(SSL_LISTENER *ssl_listener)
            /** Load the server certificate */
            if (SSL_CTX_use_certificate_chain_file(ssl_listener->ctx, ssl_listener->ssl_cert) <= 0)
            {
-                MXS_ERROR("Failed to set server SSL certificate.");
+                MXS_ERROR("Failed to set server SSL certificate: %s", get_ssl_errors());
                return -1;
            }

            /* Load the private-key corresponding to the server certificate */
            if (SSL_CTX_use_PrivateKey_file(ssl_listener->ctx, ssl_listener->ssl_key, SSL_FILETYPE_PEM) <= 0)
            {
-                MXS_ERROR("Failed to set server SSL key.");
+                MXS_ERROR("Failed to set server SSL key: %s", get_ssl_errors());
                return -1;
            }

            /* Check if the server certificate and private-key matches */
            if (!SSL_CTX_check_private_key(ssl_listener->ctx))
            {
-                MXS_ERROR("Server SSL certificate and key do not match.");
+                MXS_ERROR("Server SSL certificate and key do not match: %s", get_ssl_errors());
                return -1;
            }

            /* Load the RSA CA certificate into the SSL_CTX structure */
            if (!SSL_CTX_load_verify_locations(ssl_listener->ctx, ssl_listener->ssl_ca_cert, NULL))
            {
-                MXS_ERROR("Failed to set Certificate Authority file.");
+                MXS_ERROR("Failed to set Certificate Authority file: %s", get_ssl_errors());
                return -1;
            }
        }