[Pgpool-hackers] [PATCH] Add descriptive error messages for OpenSSL related failures

Wed Feb 3 09:39:46 UTC 2010

Hi Tatsuo,

AFAIK this was generated from a branch based of of latest CVS HEAD.  To
make sure it wasn't a problem with my use of git/git-cvsimport, I've
downloaded the patch from the mailing list and verified that it applies
in a fresh CVS checkout:

rangda[/tmp] cvs -d :pserver:anonymous at cvs.pgfoundry.org:/cvsroot/pgpool co pgpool-II
<snip>
rangda[/tmp/pgpool-II] patch  < ~/ssl.patch                                  :)
patching file pool_ssl.c

Are you certain you don't have local changes to these files?

Regards,
	sean

On Wed, Feb 03, 2010 at 12:00:07PM +0900, Tatsuo Ishii wrote:
> Sean,
> 
> > All previously handled errors related to the OpenSSL engine are now
> > handled with a macro and a small static function in order to both
> > produce more informative errors as well as commonize some duplicate
> > code in pool_ssl.c
> 
> Thanks for the patches. However following fragment does not apply
> cleanly. Can you please regenerate patches against CVS HEAD? Or
> provide me in a different patch style?
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> English: http://www.sraoss.co.jp/index_en.php
> Japanese: http://www.sraoss.co.jp
> 
> -------------------------------------------------------------
> ***************
> *** 145,171 ****
>   		if (strlen(pool_config->ssl_ca_cert_dir))
>   			cacert_dir = pool_config->ssl_ca_cert_dir;
>       
> - 		if ( (!error) && (cacert || cacert_dir) ) {
> - 			if (! SSL_CTX_load_verify_locations(cp->ssl_ctx, cacert, cacert_dir)) {
> - 				pool_error("pool_ssl: SSL CA load error: %ld", ERR_get_error());   
> - 				error = -1;
> - 			} else {
> - 				SSL_CTX_set_verify(cp->ssl_ctx, SSL_VERIFY_PEER, NULL);
> - 			}
>   		}
> - 
>   	}
>   
> - 	if (! error) {
> - 		cp->ssl = SSL_new(cp->ssl_ctx);
> - 		if (! cp->ssl) {
> - 			pool_error("pool_ssl: SSL_new failed: %ld", ERR_get_error());
> - 			error = -1;
> - 		}
>   	}
>   
> - 	return error;
>   }
>   
>   #else /* USE_SSL: wrap / no-op ssl functionality if it's not available */
> - - 
> --- 152,189 ----
>   		if (strlen(pool_config->ssl_ca_cert_dir))
>   			cacert_dir = pool_config->ssl_ca_cert_dir;
>       
> + 		if ( cacert || cacert_dir ) {
> + 			error = (!SSL_CTX_load_verify_locations(cp->ssl_ctx,
> + 			                                        cacert,
> + 			                                        cacert_dir));
> + 			SSL_RETURN_ERROR_IF(error, "SSL verification setup");
> + 			SSL_CTX_set_verify(cp->ssl_ctx, SSL_VERIFY_PEER, NULL);
>   		}
>   	}
>   
> + 	cp->ssl = SSL_new(cp->ssl_ctx);
> + 	SSL_RETURN_ERROR_IF( (! cp->ssl), "SSL_new");
> + 
> + 	return 0;
> + }
> + 
> + static void perror_ssl(const char *context) {
> + 	unsigned long err;
> + 	static const char *no_err_reason = "no SSL error reported";
> + 	const char *reason;
> + 
> + 	err = ERR_get_error();
> + 	if (! err) {
> + 		reason = no_err_reason;
> + 	} else {
> + 		reason = ERR_reason_error_string(err);
>   	}
>   
> + 	if (reason != NULL) {
> + 		pool_error("pool_ssl: %s: %s", context, reason);
> + 	} else {
> + 		pool_error("pool_ssl: %s: Unknown SSL error %lu", context, err);
> + 	}
>   }
>   
>   #else /* USE_SSL: wrap / no-op ssl functionality if it's not available */
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: Digital signature
URL: <http://pgfoundry.org/pipermail/pgpool-hackers/attachments/20100203/70248038/attachment.bin>