
pkg does not detect some SSL/TLS authentication errors

Open mdr1384 opened this issue 5 years ago • 0 comments

With the network set up for TLS and mutual authentication via certificates, we found that pkg update -f was responding with "Up to date" when OpenSSL authentication was failing (e.g. with mega-debug on we see "SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40").

This seems to be due to a couple of issues:

  1. The use of ERR_print_errors_fp() actually CONSUMES the errors as they are printed, so later checks would not see any error.
  2. The fetch_syserr() function does not look for OpenSSL errors.

I saw a case in http_connect() where the author was forcing an error when OpenSSL failed:

        if (strcasecmp(URL->scheme, SCHEME_HTTPS) == 0 &&
            fetch_ssl(conn, URL, verbose) == -1) {
                /* grrr */
                errno = EAUTH;
                fetch_syserr();
                goto ouch;
        }

and I applied the same technique to a couple of other places in the external/libfetch/common.c file:

--- external/libfetch/common.c.orig	2019-09-18 07:11:10 UTC
+++ external/libfetch/common.c
@@ -875,6 +875,7 @@ fetch_ssl(conn_t *conn, const struct url
 		if (ssl_err != SSL_ERROR_WANT_READ &&
 		    ssl_err != SSL_ERROR_WANT_WRITE) {
 			ERR_print_errors_fp(stderr);
+			errno = EAUTH;
 			return (-1);
 		}
 	}
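Review bot: the new `errno = EAUTH;` in fetch_ssl() overwrites whatever errno the failing SSL call left behind, and this else branch catches SSL_ERROR_SYSCALL as well as SSL_ERROR_SSL, so a socket-level failure during the handshake (ECONNRESET, ETIMEDOUT) will now be reported as an authentication error. Consider restricting it, e.g. `if (ssl_err == SSL_ERROR_SSL || errno == 0) errno = EAUTH;`, and keep the assignment after ERR_print_errors_fp() as it is here so the fprintf inside that call cannot clobber the value. A one-line comment saying that ERR_print_errors_fp() drains the OpenSSL error queue, which is why errno has to carry the failure to fetch_syserr(), would help the next reader.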
@@ -937,6 +938,7 @@ fetch_ssl_read(SSL *ssl, char *buf, size
 			return (FETCH_READ_WAIT);
 		} else {
 			ERR_print_errors_fp(stderr);
+			errno = EAUTH;
 			return (FETCH_READ_ERROR);
 		}
 	}
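Review bot: same concern in fetch_ssl_read(): a connection dropped mid-transfer reaches this else branch via SSL_ERROR_SYSCALL and would now surface as EAUTH instead of the real socket error, which is misleading once the handshake has already succeeded. Apply the same guard on ssl_err here, and since both sites now print and then map the error identically, a small shared helper would keep the two in step.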

and this fixed the problem. We now get "Unable to update repository ____" when mutual auth fails.

HOWEVER - I want to point out that this is not intended to be a "fix" for the problem. Someone with more familiarity with the code should design a permanent fix.

mdr1384, Apr 30 '20 13:04
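To show the mapping the patch above hard-codes as a bare `errno = EAUTH`, here is an added example (not code from pkg or libfetch) that translates an SSL_get_error() result plus the errno captured right after the failing call into the errno fetch_syserr() should report, keeping transport errors distinct from authentication failures. It assumes EAUTH's FreeBSD value as a fallback where the platform lacks it, and treats an unexpected EOF (SSL_ERROR_SYSCALL with errno 0) as ECONNRESET; both are this example's choices.

```c
#include <errno.h>

/* Use the real OpenSSL definitions when the headers are available. */
#if defined(__has_include)
# if __has_include(<openssl/ssl.h>)
#  include <openssl/ssl.h>
# endif
#endif

/* Fallbacks so the example compiles without OpenSSL headers; the values
 * mirror OpenSSL's public SSL_ERROR_* constants. */
#ifndef SSL_ERROR_NONE
#define SSL_ERROR_NONE        0
#define SSL_ERROR_SSL         1
#define SSL_ERROR_WANT_READ   2
#define SSL_ERROR_WANT_WRITE  3
#define SSL_ERROR_SYSCALL     5
#define SSL_ERROR_ZERO_RETURN 6
#endif

/* EAUTH exists on the BSDs; elsewhere use FreeBSD's value (assumption). */
#ifndef EAUTH
#define EAUTH 80
#endif

/*
 * ssl_err    : return value of SSL_get_error() for the failed SSL_* call
 * saved_errno: errno captured immediately after that call
 * Returns the errno to hand to fetch_syserr(), or 0 when the caller
 * should simply retry (WANT_READ / WANT_WRITE).
 */
int
ssl_error_to_errno(int ssl_err, int saved_errno)
{
	switch (ssl_err) {
	case SSL_ERROR_WANT_READ:
	case SSL_ERROR_WANT_WRITE:
		return (0);		/* not an error: retry later */
	case SSL_ERROR_SYSCALL:
		/* Transport failure: keep ECONNRESET, ETIMEDOUT, etc.
		 * errno 0 means the peer vanished without close_notify. */
		return (saved_errno != 0 ? saved_errno : ECONNRESET);
	case SSL_ERROR_ZERO_RETURN:
		return (ECONNRESET);	/* clean close_notify from the peer */
	case SSL_ERROR_SSL:
	default:
		/* TLS protocol or authentication failure, e.g. the
		 * "handshake failure" alert 40 seen in the report. */
		return (EAUTH);
	}
}
```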