cherry pick pingcap#15287 to release-3.0

Signed-off-by: sre-bot <sre-bot@pingcap.com>

config/config.go

@@ -170,7 +170,16 @@ func (s *Security) ToTLSConfig() (*tls.Config, error) {
 
 		// Append the certificates from the CA
 		if !certPool.AppendCertsFromPEM(ca) {
+<<<<<<< HEAD
 			return nil, errors.New("failed to append ca certs")
+=======
+			err = errors.New("failed to append ca certs")
+			return
+		}
+		tlsConfig = &tls.Config{
+			RootCAs:   certPool,
+			ClientCAs: certPool,
+>>>>>>> 6c67561... server: fix tls setup and error log (#15287)
 		}
 
 		tlsConfig = &tls.Config{

server/http_status.go

@@ -270,6 +270,30 @@ func (s *Server) startHTTPServer() {
 		tlsConfig = s.setCNChecker(tlsConfig)
 		ln = tls.NewListener(ln, tlsConfig)
 	}
+<<<<<<< HEAD
+=======
+	if tlsConfig != nil {
+		logutil.BgLogger().Info("HTTP/gRPC status server secure connection is enabled", zap.Bool("CN verification enabled", tlsConfig.VerifyPeerCertificate != nil))
+	}
+	m := cmux.New(l)
+	// Match connections in order:
+	// First HTTP, and otherwise grpc.
+	httpL := m.Match(cmux.HTTP1Fast())
+	grpcL := m.Match(cmux.Any())
+
+	s.statusServer = &http.Server{Addr: addr, Handler: CorsHandler{handler: serverMux, cfg: s.cfg}}
+	s.grpcServer = NewRPCServer(s.cfg, s.dom, s)
+
+	go util.WithRecovery(func() {
+		err := s.grpcServer.Serve(grpcL)
+		logutil.BgLogger().Error("grpc server error", zap.Error(err))
+	}, nil)
+
+	go util.WithRecovery(func() {
+		err := s.statusServer.Serve(httpL)
+		logutil.BgLogger().Error("http server error", zap.Error(err))
+	}, nil)
+>>>>>>> 6c67561... server: fix tls setup and error log (#15287)
 
 	err = s.statusServer.Serve(ln)
 	if err != nil {

server/server.go

@@ -207,9 +207,17 @@ func NewServer(cfg *config.Config, driver IDriver) (*Server, error) {
 	if err != nil {
 		logutil.Logger(context.Background()).Error("secure connection cert/key/ca load fail", zap.Error(err))
 	}
+<<<<<<< HEAD
 	logutil.Logger(context.Background()).Info("secure connection is enabled", zap.Bool("client verification enabled", len(variable.SysVars["ssl_ca"].Value) > 0))
 	setSSLVariable(s.cfg.Security.SSLCA, s.cfg.Security.SSLKey, s.cfg.Security.SSLCert)
 	atomic.StorePointer(&s.tlsConfig, unsafe.Pointer(tlsConfig))
+=======
+	if tlsConfig != nil {
+		setSSLVariable(s.cfg.Security.SSLCA, s.cfg.Security.SSLKey, s.cfg.Security.SSLCert)
+		atomic.StorePointer(&s.tlsConfig, unsafe.Pointer(tlsConfig))
+		logutil.BgLogger().Info("mysql protocol server secure connection is enabled", zap.Bool("client verification enabled", len(variable.SysVars["ssl_ca"].Value) > 0))
+	}
+>>>>>>> 6c67561... server: fix tls setup and error log (#15287)
 
 	setSystemTimeZoneVariable()
 
@@ -369,6 +377,7 @@ func (s *Server) Close() {
 func (s *Server) onConn(conn *clientConn) {
 	ctx := logutil.WithConnID(context.Background(), conn.connectionID)
 	if err := conn.handshake(ctx); err != nil {
+		terror.Log(err)
 		if plugin.IsEnable(plugin.Audit) {
 			conn.ctx.GetSessionVars().ConnectionInfo = conn.connectInfo()
 		}

server/tidb_test.go

@@ -160,33 +160,65 @@ func (ts *TidbTestSuite) TestStatusAPI(c *C) {
 	runTestStatusAPI(c)
 }
 
+<<<<<<< HEAD
 func (ts *TidbTestSuite) TestStatusAPIWithTLSCNCheck(c *C) {
 	c.Skip("need add ca-tidb-test-1.crt to OS")
 	root := filepath.Join(os.Getenv("GOPATH"), "/src/github.com/pingcap/tidb")
 	ca := filepath.Join(root, "/tests/cncheckcert/ca-tidb-test-1.crt")
 	statusURL := fmt.Sprintf("%s://localhost:%d%s", "https", 4100, "/status")
+=======
+func (ts *tidbTestSuite) TestStatusAPIWithTLSCNCheck(c *C) {
+	caPath := filepath.Join(os.TempDir(), "ca-cert-cn.pem")
+	serverKeyPath := filepath.Join(os.TempDir(), "server-key-cn.pem")
+	serverCertPath := filepath.Join(os.TempDir(), "server-cert-cn.pem")
+	client1KeyPath := filepath.Join(os.TempDir(), "client-key-cn-check-a.pem")
+	client1CertPath := filepath.Join(os.TempDir(), "client-cert-cn-check-a.pem")
+	client2KeyPath := filepath.Join(os.TempDir(), "client-key-cn-check-b.pem")
+	client2CertPath := filepath.Join(os.TempDir(), "client-cert-cn-check-b.pem")
+
+	caCert, caKey, err := generateCert(0, "TiDB CA CN CHECK", nil, nil, filepath.Join(os.TempDir(), "ca-key-cn.pem"), caPath)
+	c.Assert(err, IsNil)
+	_, _, err = generateCert(1, "tidb-server-cn-check", caCert, caKey, serverKeyPath, serverCertPath)
+	c.Assert(err, IsNil)
+	_, _, err = generateCert(2, "tidb-client-cn-check-a", caCert, caKey, client1KeyPath, client1CertPath, func(c *x509.Certificate) {
+		c.Subject.CommonName = "tidb-client-1"
+	})
+	c.Assert(err, IsNil)
+	_, _, err = generateCert(3, "tidb-client-cn-check-b", caCert, caKey, client2KeyPath, client2CertPath, func(c *x509.Certificate) {
+		c.Subject.CommonName = "tidb-client-2"
+	})
+	c.Assert(err, IsNil)
+>>>>>>> 6c67561... server: fix tls setup and error log (#15287)
 
 	cfg := config.NewConfig()
+<<<<<<< HEAD
 	cfg.Status.StatusPort = 4100
 	cfg.Security.ClusterSSLCA = ca
 	cfg.Security.ClusterSSLCert = filepath.Join(root, "/tests/cncheckcert/server-cert.pem")
 	cfg.Security.ClusterSSLKey = filepath.Join(root, "/tests/cncheckcert/server-key.pem")
+=======
+	cfg.Port = cli.port
+	cfg.Status.StatusPort = cli.statusPort
+	cfg.Security.ClusterSSLCA = caPath
+	cfg.Security.ClusterSSLCert = serverCertPath
+	cfg.Security.ClusterSSLKey = serverKeyPath
+>>>>>>> 6c67561... server: fix tls setup and error log (#15287)
 	cfg.Security.ClusterVerifyCN = []string{"tidb-client-2"}
 	server, err := NewServer(cfg, ts.tidbdrv)
 	c.Assert(err, IsNil)
 	go server.Run()
 	time.Sleep(time.Millisecond * 100)
 
-	hc := newTLSHttpClient(c, ca,
-		filepath.Join(root, "/tests/cncheckcert/client-cert-1.pem"),
-		filepath.Join(root, "/tests/cncheckcert/client-key-1.pem"),
+	hc := newTLSHttpClient(c, caPath,
+		client1CertPath,
+		client1KeyPath,
 	)
 	_, err = hc.Get(statusURL)
 	c.Assert(err, NotNil)
 
-	hc = newTLSHttpClient(c, ca,
-		filepath.Join(root, "/tests/cncheckcert/client-cert-2.pem"),
-		filepath.Join(root, "/tests/cncheckcert/client-key-2.pem"),
+	hc = newTLSHttpClient(c, caPath,
+		client2CertPath,
+		client2KeyPath,
 	)
 	_, err = hc.Get(statusURL)
 	c.Assert(err, IsNil)