mirror of
https://github.com/MariaDB/server.git
synced 2025-07-30 16:24:05 +03:00
MDEV-33430 - Fix self-signed certificate errors on Windows
Adjust test after fixing the C/C. On Windows, use --host=127.0.0.2 to fake "insecure" transport with TCP connection for test purposes. 127.0.0.2 is loopback address, that can be used instead of usual 127.0.0.1 Unfortunately, this technique does not work on all *nixes the same, notably neither on BSDs nor Solaris. Thus default --host=localhost remains "insecure" transport,when TCP is used. but it is not that critical, the "self-signed" is not nearly as annoying on *nixes as it is on Windows.
This commit is contained in:
Vladislav Vaintroub
Submodule libmariadb updated: 8dffd56936...536d9e2b9e
@ -20,9 +20,15 @@ create procedure have_ssl()
|
|||||||
--echo mysql --ssl-ca=cacert.pem --ssl-verify-server-cert -e "call test.have_ssl()"
|
--echo mysql --ssl-ca=cacert.pem --ssl-verify-server-cert -e "call test.have_ssl()"
|
||||||
--exec $MYSQL --protocol tcp --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
|
--exec $MYSQL --protocol tcp --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
|
||||||
|
|
||||||
|
let $is_win = `select convert(@@version_compile_os using latin1) IN ("Win32","Win64","Windows")`;
|
||||||
|
let $host=;
|
||||||
|
if($is_win)
|
||||||
|
{
|
||||||
|
let $host=--host=127.0.0.2;
|
||||||
|
}
|
||||||
--echo mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()"
|
--echo mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()"
|
||||||
--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
|
--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
|
||||||
--exec $MYSQL --protocol tcp --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
|
--exec $MYSQL --protocol tcp $host --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
|
||||||
|
|
||||||
--echo #
|
--echo #
|
||||||
--echo # MDEV-27105 --ssl option set as default for mariadb CLI
|
--echo # MDEV-27105 --ssl option set as default for mariadb CLI
|
||||||
|
|||||||
@ -1,6 +1,6 @@
|
|||||||
--- a/mysql-test/main/ssl_autoverify.result
|
--- ssl_autoverify.result 2024-02-08 23:55:13.779166100 +0100
|
||||||
+++ b/mysql-test/main/ssl_autoverify.result
|
+++ ssl_autoverify,win.reject 2024-02-08 23:55:46.988212400 +0100
|
||||||
@@ -22,9 +22,9 @@ ERROR 2026 (HY000): TLS/SSL error: Failed to verify the server certificate
|
@@ -22,9 +22,9 @@
|
||||||
WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.
|
WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.
|
||||||
test.have_ssl()
|
test.have_ssl()
|
||||||
yes
|
yes
|
||||||
@ -9,10 +9,10 @@
|
|||||||
test.have_ssl()
|
test.have_ssl()
|
||||||
-yes
|
-yes
|
||||||
+no
|
+no
|
||||||
# mysql -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()"
|
# mysql --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
|
||||||
test.have_ssl()
|
test.have_ssl()
|
||||||
yes
|
yes
|
||||||
@@ -42,16 +42,6 @@ yes
|
@@ -45,16 +45,6 @@
|
||||||
# mysql -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()"
|
# mysql -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()"
|
||||||
test.have_ssl()
|
test.have_ssl()
|
||||||
yes
|
yes
|
||||||
|
|||||||
@ -25,6 +25,9 @@ yes
|
|||||||
# mysql --protocol socket -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
|
# mysql --protocol socket -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
|
||||||
test.have_ssl()
|
test.have_ssl()
|
||||||
yes
|
yes
|
||||||
|
# mysql --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
|
||||||
|
test.have_ssl()
|
||||||
|
yes
|
||||||
# mysql -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()"
|
# mysql -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()"
|
||||||
test.have_ssl()
|
test.have_ssl()
|
||||||
yes
|
yes
|
||||||
|
|||||||
@ -25,6 +25,15 @@ create function have_ssl() returns char(3)
|
|||||||
from information_schema.session_status
|
from information_schema.session_status
|
||||||
where variable_name='ssl_cipher');
|
where variable_name='ssl_cipher');
|
||||||
|
|
||||||
|
let host=;
|
||||||
|
if ($MTR_COMBINATION_WIN) {
|
||||||
|
# 127.0.0.2 (and generally 127.0.0.0/8) works on Windows the same as 127.0.0.1,
|
||||||
|
# i.e client can connect if server listens on IPv4 loopback
|
||||||
|
#
|
||||||
|
# We use 127.0.0.2 as it does not match any of "localhost","127.0.0.1","::1"
|
||||||
|
# thus it is not considered "secure transport" by the connector/C
|
||||||
|
let host=--host=127.0.0.2;
|
||||||
|
}
|
||||||
#
|
#
|
||||||
# root user, no password, so cannot validate cert.
|
# root user, no password, so cannot validate cert.
|
||||||
#
|
#
|
||||||
@ -33,13 +42,13 @@ create function have_ssl() returns char(3)
|
|||||||
--echo # mysql -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
|
--echo # mysql -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
|
||||||
--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
|
--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
|
||||||
--error 1
|
--error 1
|
||||||
--exec $MYSQL --protocol tcp -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
--exec $MYSQL --protocol tcp $host -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
||||||
#
|
#
|
||||||
# except if ssl-verify-server-cert is left on default (not explicitly enabled)
|
# except if ssl-verify-server-cert is left on default (not explicitly enabled)
|
||||||
#
|
#
|
||||||
--let $csd=`select @@character_sets_dir`
|
--let $csd=`select @@character_sets_dir`
|
||||||
--echo # mysql -uroot -e "select test.have_ssl()"
|
--echo # mysql -uroot -e "select test.have_ssl()"
|
||||||
--exec $EXE_MYSQL --no-defaults --character-sets-dir=$csd --protocol tcp --port $MASTER_MYPORT -uroot -e "select test.have_ssl()" 2>&1
|
--exec $EXE_MYSQL --no-defaults --character-sets-dir=$csd --protocol tcp $host --port $MASTER_MYPORT -uroot -e "select test.have_ssl()" 2>&1
|
||||||
#
|
#
|
||||||
# or unless using a secure transport, like unix_socket or named pipes
|
# or unless using a secure transport, like unix_socket or named pipes
|
||||||
#
|
#
|
||||||
@ -52,34 +61,41 @@ if ($MTR_COMBINATION_WIN) {
|
|||||||
}
|
}
|
||||||
--echo # mysql --protocol $proto -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
|
--echo # mysql --protocol $proto -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
|
||||||
--exec $MYSQL --protocol $proto -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
--exec $MYSQL --protocol $proto -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
||||||
|
|
||||||
|
#
|
||||||
|
# same for tcp via localhost
|
||||||
|
#
|
||||||
|
--echo # mysql --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
|
||||||
|
--exec $MYSQL --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
||||||
|
|
||||||
#
|
#
|
||||||
# mysql_native_password with password works fine
|
# mysql_native_password with password works fine
|
||||||
#
|
#
|
||||||
--echo # mysql -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()"
|
--echo # mysql -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()"
|
||||||
--exec $MYSQL --protocol tcp -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
--exec $MYSQL --protocol tcp $host -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
||||||
#
|
#
|
||||||
# ed25519 with password works fine
|
# ed25519 with password works fine
|
||||||
#
|
#
|
||||||
--echo # mysql -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()"
|
--echo # mysql -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()"
|
||||||
--exec $MYSQL --protocol tcp -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
--exec $MYSQL --protocol tcp $host -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
||||||
#
|
#
|
||||||
# three_attempts uses auth string as is, doesn't hash.
|
# three_attempts uses auth string as is, doesn't hash.
|
||||||
# so it's not safe over untrusted connection and thus cannot validate cert
|
# so it's not safe over untrusted connection and thus cannot validate cert
|
||||||
#
|
#
|
||||||
--echo # mysql -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()"
|
--echo # mysql -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()"
|
||||||
--exec $MYSQL --protocol tcp -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
--exec $MYSQL --protocol tcp $host -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
||||||
--echo # mysql -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()"
|
--echo # mysql -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()"
|
||||||
--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
|
--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
|
||||||
--error 1
|
--error 1
|
||||||
--exec $MYSQL --protocol tcp -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
--exec $MYSQL --protocol tcp $host -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
||||||
#
|
#
|
||||||
# multi-auth case, both client and server must use
|
# multi-auth case, both client and server must use
|
||||||
# the same plugin for cert validation
|
# the same plugin for cert validation
|
||||||
#
|
#
|
||||||
--echo # mysql -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()"
|
--echo # mysql -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()"
|
||||||
--exec $MYSQL --protocol tcp -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
--exec $MYSQL --protocol tcp $host -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
||||||
--echo # mysql -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()"
|
--echo # mysql -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()"
|
||||||
--exec $MYSQL --protocol tcp -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
--exec $MYSQL --protocol tcp $host -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
||||||
|
|
||||||
#
|
#
|
||||||
# Now try MitM
|
# Now try MitM
|
||||||
|
|||||||
@ -5,23 +5,29 @@ create function have_ssl() returns char(3)
|
|||||||
from information_schema.session_status
|
from information_schema.session_status
|
||||||
where variable_name='ssl_cipher');
|
where variable_name='ssl_cipher');
|
||||||
|
|
||||||
|
let $is_win = `select convert(@@version_compile_os using latin1) IN ("Win32","Win64","Windows")`;
|
||||||
|
let $host=;
|
||||||
|
if($is_win)
|
||||||
|
{
|
||||||
|
let $host=--host=127.0.0.2;
|
||||||
|
}
|
||||||
#
|
#
|
||||||
# passwordless root cannot connect w/o fingerprint:
|
# passwordless root cannot connect w/o fingerprint:
|
||||||
#
|
#
|
||||||
--echo # mysql --protocol tcp -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
|
--echo # mysql --protocol tcp -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
|
||||||
--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
|
--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
|
||||||
--error 1
|
--error 1
|
||||||
--exec $MYSQL --protocol tcp -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
--exec $MYSQL --protocol tcp $host -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
||||||
#
|
#
|
||||||
# fingerprint based cert verification:
|
# fingerprint based cert verification:
|
||||||
#
|
#
|
||||||
--echo # mysql --protocol tcp -uroot --ssl-fp=F1:D0:08:AF:A1:D2:F4:15:79:B4:39:06:41:F4:20:96:F1:90:A9:65 --ssl-verify-server-cert -e "select test.have_ssl()"
|
--echo # mysql --protocol tcp -uroot --ssl-fp=F1:D0:08:AF:A1:D2:F4:15:79:B4:39:06:41:F4:20:96:F1:90:A9:65 --ssl-verify-server-cert -e "select test.have_ssl()"
|
||||||
--exec $MYSQL --protocol tcp -uroot --ssl-fp=F1:D0:08:AF:A1:D2:F4:15:79:B4:39:06:41:F4:20:96:F1:90:A9:65 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
--exec $MYSQL --protocol tcp $host -uroot --ssl-fp=F1:D0:08:AF:A1:D2:F4:15:79:B4:39:06:41:F4:20:96:F1:90:A9:65 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
||||||
#
|
#
|
||||||
# wrong fingerprint fails even with --disable-ssl-verify-server-cert
|
# wrong fingerprint fails even with --disable-ssl-verify-server-cert
|
||||||
#
|
#
|
||||||
--echo # mysql --protocol tcp -uroot --ssl-fp=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33 --disable-ssl-verify-server-cert -e "select test.have_ssl()"
|
--echo # mysql --protocol tcp -uroot --ssl-fp=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33 --disable-ssl-verify-server-cert -e "select test.have_ssl()"
|
||||||
--error 1
|
--error 1
|
||||||
--exec $MYSQL --protocol tcp -uroot --ssl-fp=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33 --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
--exec $MYSQL --protocol tcp $host -uroot --ssl-fp=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33 --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
|
||||||
|
|
||||||
drop function have_ssl;
|
drop function have_ssl;
|
||||||
|
|||||||
Reference in New Issue
Block a user