From dd178875a3ecbb4feae81ebef23f8cd20d8db784 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?= <markus.makela@mariadb.com>
Date: Mon, 11 Sep 2017 09:47:50 +0300
Subject: [PATCH] Log OpenSSL errors when SSL initialization fails

When the SSL fails to initialize, the errors from OpenSSL should be
logged. This helps to diagnose what is wrong if the error relates to the
certificate files or private keys.
---
 server/core/listener.cc | 31 ++++++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/server/core/listener.cc b/server/core/listener.cc
index 7264fc7b8..873173196 100644
--- a/server/core/listener.cc
+++ b/server/core/listener.cc
@@ -31,6 +31,8 @@
 #include <stdlib.h>
 #include <string.h>
 #include <fcntl.h>
+#include <string>
+
 #include <maxscale/listener.h>
 #include <maxscale/paths.h>
 #include <maxscale/ssl.h>
@@ -232,6 +234,25 @@ RSA* create_rsa(int bits)
 #endif
 }
 
+static thread_local std::string ssl_errbuf;
+
+static const char* get_ssl_errors()
+{
+    char errbuf[200]; // Enough space according to OpenSSL documentation
+    ssl_errbuf.clear();
+
+    for (int err = ERR_get_error(); err; err = ERR_get_error())
+    {
+        if (!ssl_errbuf.empty())
+        {
+            ssl_errbuf += ", ";
+        }
+        ssl_errbuf += ERR_error_string(err, errbuf);
+    }
+
+    return ssl_errbuf.c_str();
+}
+
 /**
  * Initialize the listener's SSL context. This sets up the generated RSA
  * encryption keys, chooses the listener encryption level and configures the
@@ -279,7 +300,7 @@ listener_init_SSL(SSL_LISTENER *ssl_listener)
 
         if ((ssl_listener->ctx = SSL_CTX_new(ssl_listener->method)) == NULL)
         {
-            MXS_ERROR("SSL context initialization failed.");
+            MXS_ERROR("SSL context initialization failed: %s", get_ssl_errors());
             return -1;
         }
 
@@ -311,28 +332,28 @@ listener_init_SSL(SSL_LISTENER *ssl_listener)
             /** Load the server certificate */
             if (SSL_CTX_use_certificate_chain_file(ssl_listener->ctx, ssl_listener->ssl_cert) <= 0)
             {
-                MXS_ERROR("Failed to set server SSL certificate.");
+                MXS_ERROR("Failed to set server SSL certificate: %s", get_ssl_errors());
                 return -1;
             }
 
             /* Load the private-key corresponding to the server certificate */
             if (SSL_CTX_use_PrivateKey_file(ssl_listener->ctx, ssl_listener->ssl_key, SSL_FILETYPE_PEM) <= 0)
             {
-                MXS_ERROR("Failed to set server SSL key.");
+                MXS_ERROR("Failed to set server SSL key: %s", get_ssl_errors());
                 return -1;
             }
 
             /* Check if the server certificate and private-key matches */
             if (!SSL_CTX_check_private_key(ssl_listener->ctx))
             {
-                MXS_ERROR("Server SSL certificate and key do not match.");
+                MXS_ERROR("Server SSL certificate and key do not match: %s", get_ssl_errors());
                 return -1;
             }
 
             /* Load the RSA CA certificate into the SSL_CTX structure */
             if (!SSL_CTX_load_verify_locations(ssl_listener->ctx, ssl_listener->ssl_ca_cert, NULL))
             {
-                MXS_ERROR("Failed to set Certificate Authority file.");
+                MXS_ERROR("Failed to set Certificate Authority file: %s", get_ssl_errors());
                 return -1;
             }
         }