database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-30 16:24:05 +03:00
Code Activity

Fix tests not to fail with OpenSSL 1.1.1 with TLSv1.3

Browse Source
This commit is contained in:
Sergei Golubchik
2019-01-24 20:18:55 +01:00
parent 31d0727a10
commit 74f184aff2
9 changed files with 192 additions and 163 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
mysql-test/r/openssl_1.result
View File

@ -4,52 +4,38 @@ drop table if exists t1;
create table t1(f1 int); create table t1(f1 int);
insert into t1 values (5); insert into t1 values (5);
grant select on test.* to ssl_user1@localhost require SSL; grant select on test.* to ssl_user1@localhost require SSL;
grant select on test.* to ssl_user2@localhost require cipher "AES256-SHA"; grant select on test.* to ssl_user3@localhost require SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client";
grant select on test.* to ssl_user3@localhost require cipher "AES256-SHA" AND SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client"; grant select on test.* to ssl_user4@localhost require SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client" ISSUER "/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB";
grant select on test.* to ssl_user4@localhost require cipher "AES256-SHA" AND SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client" ISSUER "/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB"; grant select on test.* to ssl_user5@localhost require SUBJECT "xxx";
grant select on test.* to ssl_user5@localhost require cipher "AES256-SHA" AND SUBJECT "xxx";
flush privileges; flush privileges;
connect con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA; connect con1,localhost,ssl_user1,,,,,SSL;
connect(localhost,ssl_user2,,test,MASTER_PORT,MASTER_SOCKET); connect con3,localhost,ssl_user3,,,,,SSL;
connect con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA; connect con4,localhost,ssl_user4,,,,,SSL;
ERROR 28000: Access denied for user 'ssl_user2'@'localhost' (using password: NO)
connect con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA;
connect con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA;
connect con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA;
connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET); connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET);
connect con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA; connect con5,localhost,ssl_user5,,,,,SSL;
ERROR 28000: Access denied for user 'ssl_user5'@'localhost' (using password: NO) ERROR 28000: Access denied for user 'ssl_user5'@'localhost' (using password: NO)
connection con1; connection con1;
SHOW STATUS LIKE 'Ssl_cipher'; SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
Variable_name Value have_ssl
Ssl_cipher AES256-SHA 1
select * from t1; select * from t1;
f1 f1
5 5
delete from t1; delete from t1;
ERROR 42000: DELETE command denied to user 'ssl_user1'@'localhost' for table 't1' ERROR 42000: DELETE command denied to user 'ssl_user1'@'localhost' for table 't1'
connection con2;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES256-SHA
select * from t1;
f1
5
delete from t1;
ERROR 42000: DELETE command denied to user 'ssl_user2'@'localhost' for table 't1'
connection con3; connection con3;
SHOW STATUS LIKE 'Ssl_cipher'; SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
Variable_name Value have_ssl
Ssl_cipher AES256-SHA 1
select * from t1; select * from t1;
f1 f1
5 5
delete from t1; delete from t1;
ERROR 42000: DELETE command denied to user 'ssl_user3'@'localhost' for table 't1' ERROR 42000: DELETE command denied to user 'ssl_user3'@'localhost' for table 't1'
connection con4; connection con4;
SHOW STATUS LIKE 'Ssl_cipher'; SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
Variable_name Value have_ssl
Ssl_cipher AES256-SHA 1
select * from t1; select * from t1;
f1 f1
5 5
@ -57,20 +43,15 @@ delete from t1;
ERROR 42000: DELETE command denied to user 'ssl_user4'@'localhost' for table 't1' ERROR 42000: DELETE command denied to user 'ssl_user4'@'localhost' for table 't1'
connection default; connection default;
disconnect con1; disconnect con1;
disconnect con2;
disconnect con3; disconnect con3;
disconnect con4; disconnect con4;
drop user ssl_user1@localhost, ssl_user2@localhost, drop user ssl_user1@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
drop table t1; drop table t1;
mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxx mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxx
mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxx mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxx
mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxx mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxx
mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxx mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxx
mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxx mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxx
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES256-SHA
have_ssl have_ssl
1 1
End of 5.0 tests End of 5.0 tests
@ -94,13 +75,7 @@ SSL_ACCEPTS #
SSL_CALLBACK_CACHE_HITS # SSL_CALLBACK_CACHE_HITS #
DROP TABLE thread_status; DROP TABLE thread_status;
SET GLOBAL event_scheduler=0; SET GLOBAL event_scheduler=0;
SHOW STATUS LIKE 'Ssl_cipher'; CREATE TABLE t1(a int);
Variable_name Value
Ssl_cipher AES128-SHA
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES128-SHA
mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxxCREATE TABLE t1(a int);
INSERT INTO t1 VALUES (1), (2); INSERT INTO t1 VALUES (1), (2);
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
@ -204,19 +179,12 @@ UNLOCK TABLES;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
mysqldump: Got error: 2026: SSL connection error: xxxx mysqldump: Got error: 2026: "SSL connection error: xxxx
DROP TABLE t1; DROP TABLE t1;
Variable_name Value
Ssl_cipher AES256-SHA
Variable_name Value
Ssl_cipher AES128-SHA
select 'is still running; no cipher request crashed the server' as result from dual;
result
is still running; no cipher request crashed the server
GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509; GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509;
FLUSH PRIVILEGES; FLUSH PRIVILEGES;
connect con1,localhost,bug42158,,,,,SSL; connect con1,localhost,bug42158,,,,,SSL;
SELECT (VARIABLE_VALUE <> '') AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher'; SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
have_ssl have_ssl
1 1
disconnect con1; disconnect con1;

5
mysql-test/r/ssl.result
View File

@ -2175,8 +2175,3 @@ still connected?
still connected? still connected?
connection default; connection default;
disconnect ssl_con; disconnect ssl_con;
create user mysqltest_1@localhost;
grant usage on mysqltest.* to mysqltest_1@localhost require cipher "AES256-SHA";
Variable_name Value
Ssl_cipher AES256-SHA
drop user mysqltest_1@localhost;

63
mysql-test/r/ssl_cipher.result
View File

@ -1,6 +1,61 @@
# create user ssl_user1@localhost require SSL;
# BUG#11760210 - SSL_CIPHER_LIST NOT SET OR RETURNED FOR "SHOW STATUS LIKE 'SSL_CIPHER_LIST'" create user ssl_user2@localhost require cipher 'AES256-SHA';
# create user ssl_user3@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client';
create user ssl_user4@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client' ISSUER '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB';
create user ssl_user5@localhost require cipher 'AES256-SHA' AND SUBJECT 'xxx';
connect con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA;
connect(localhost,ssl_user2,,test,MASTER_PORT,MASTER_SOCKET);
connect con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA;
ERROR 28000: Access denied for user 'ssl_user2'@'localhost' (using password: NO)
connect con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA;
connect con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA;
connect con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA;
connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET);
connect con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA;
ERROR 28000: Access denied for user 'ssl_user5'@'localhost' (using password: NO)
connection con1;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES256-SHA
disconnect con1;
connection con2;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES256-SHA
disconnect con2;
connection con3;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES256-SHA
disconnect con3;
connection con4;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES256-SHA
disconnect con4;
connection default;
drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES256-SHA
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES128-SHA
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES128-SHA
mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxxVariable_name Value
Ssl_cipher AES256-SHA
Variable_name Value
Ssl_cipher AES128-SHA
select 'is still running; no cipher request crashed the server' as result from dual;
result
is still running; no cipher request crashed the server
create user mysqltest_1@localhost;
grant usage on mysqltest.* to mysqltest_1@localhost require cipher "AES256-SHA";
Variable_name Value
Ssl_cipher AES256-SHA
drop user mysqltest_1@localhost;
connect ssl_con,localhost,root,,,,,SSL; connect ssl_con,localhost,root,,,,,SSL;
SHOW STATUS LIKE 'Ssl_cipher'; SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value Variable_name Value
@ -8,5 +63,5 @@ Ssl_cipher AES128-SHA
SHOW STATUS LIKE 'Ssl_cipher_list'; SHOW STATUS LIKE 'Ssl_cipher_list';
Variable_name Value Variable_name Value
Ssl_cipher_list AES128-SHA Ssl_cipher_list AES128-SHA
connection default;
disconnect ssl_con; disconnect ssl_con;
connection default;

4
mysql-test/suite.pm
View File

@ -70,9 +70,9 @@ sub skip_combinations {
} }
$skip{'include/check_ipv6.inc'} = 'No IPv6' unless ipv6_ok(); $skip{'include/check_ipv6.inc'} = 'No IPv6' unless ipv6_ok();
$skip{'t/openssl_6975.test'} = 'no or too old openssl' $skip{'t/openssl_6975.test'} = 'no or wrong openssl version'
unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/ unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/
and $1 ge "1.0.1d"; and $1 ge "1.0.1d" and $1 lt "1.1.1";
$skip{'t/ssl_7937.combinations'} = [ 'x509v3' ] $skip{'t/ssl_7937.combinations'} = [ 'x509v3' ]
unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/ unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/

93
mysql-test/t/openssl_1.test
View File

@ -16,58 +16,45 @@ create table t1(f1 int);
insert into t1 values (5); insert into t1 values (5);
grant select on test.* to ssl_user1@localhost require SSL; grant select on test.* to ssl_user1@localhost require SSL;
grant select on test.* to ssl_user2@localhost require cipher "AES256-SHA"; grant select on test.* to ssl_user3@localhost require SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client";
grant select on test.* to ssl_user3@localhost require cipher "AES256-SHA" AND SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client"; grant select on test.* to ssl_user4@localhost require SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client" ISSUER "/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB";
grant select on test.* to ssl_user4@localhost require cipher "AES256-SHA" AND SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client" ISSUER "/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB"; grant select on test.* to ssl_user5@localhost require SUBJECT "xxx";
grant select on test.* to ssl_user5@localhost require cipher "AES256-SHA" AND SUBJECT "xxx";
flush privileges; flush privileges;
connect (con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA); connect (con1,localhost,ssl_user1,,,,,SSL);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
connect (con3,localhost,ssl_user3,,,,,SSL);
connect (con4,localhost,ssl_user4,,,,,SSL);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT --replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR --error ER_ACCESS_DENIED_ERROR
connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA); connect (con5,localhost,ssl_user5,,,,,SSL);
connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA);
connect (con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA);
connect (con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect (con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA);
connection con1; connection con1;
# Check ssl turned on # Check ssl turned on
SHOW STATUS LIKE 'Ssl_cipher'; SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
select * from t1;
--error ER_TABLEACCESS_DENIED_ERROR
delete from t1;
connection con2;
# Check ssl turned on
SHOW STATUS LIKE 'Ssl_cipher';
select * from t1; select * from t1;
--error ER_TABLEACCESS_DENIED_ERROR --error ER_TABLEACCESS_DENIED_ERROR
delete from t1; delete from t1;
connection con3; connection con3;
# Check ssl turned on # Check ssl turned on
SHOW STATUS LIKE 'Ssl_cipher'; SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
select * from t1; select * from t1;
--error ER_TABLEACCESS_DENIED_ERROR --error ER_TABLEACCESS_DENIED_ERROR
delete from t1; delete from t1;
connection con4; connection con4;
# Check ssl turned on # Check ssl turned on
SHOW STATUS LIKE 'Ssl_cipher'; SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
select * from t1; select * from t1;
--error ER_TABLEACCESS_DENIED_ERROR --error ER_TABLEACCESS_DENIED_ERROR
delete from t1; delete from t1;
connection default; connection default;
disconnect con1; disconnect con1;
disconnect con2;
disconnect con3; disconnect con3;
disconnect con4; disconnect con4;
drop user ssl_user1@localhost, ssl_user2@localhost, drop user ssl_user1@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
drop table t1; drop table t1;
@ -120,14 +107,6 @@ drop table t1;
--exec $MYSQL_TEST --ssl-cert= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 --exec $MYSQL_TEST --ssl-cert= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
--echo --echo
#
# Bug#21611 Slave can't connect when master-ssl-cipher specified
# - Apparently selecting a cipher doesn't work at all
# - Use a cipher that both yaSSL and OpenSSL supports
#
--exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit;" > $MYSQLTEST_VARDIR/tmp/test.sql
--exec $MYSQL_TEST --ssl-cipher=AES256-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
# #
# Bug#25309 SSL connections without CA certificate broken since MySQL 5.0.23 # Bug#25309 SSL connections without CA certificate broken since MySQL 5.0.23
# #
@ -135,7 +114,7 @@ drop table t1;
# verification of servers certificate by setting both ca certificate # verification of servers certificate by setting both ca certificate
# and ca path to NULL # and ca path to NULL
# #
--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SELECT (VARIABLE_VALUE <> '') AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher'" 2>&1 --exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher'" 2>&1
--echo End of 5.0 tests --echo End of 5.0 tests
# #
@ -176,25 +155,6 @@ SELECT variable_name, variable_value FROM thread_status;
DROP TABLE thread_status; DROP TABLE thread_status;
SET GLOBAL event_scheduler=0; SET GLOBAL event_scheduler=0;
#
# Test to connect using a list of ciphers
#
--exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit;" > $MYSQLTEST_VARDIR/tmp/test.sql
--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER:AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
# Test to connect using a specifi cipher
#
--exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit;" > $MYSQLTEST_VARDIR/tmp/test.sql
--exec $MYSQL_TEST --ssl-cipher=AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
# Test to connect using an unknown cipher
#
--exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit" > $MYSQLTEST_VARDIR/tmp/test.sql
--replace_regex /2026 SSL connection error.*/2026 SSL connection error: xxxx/
--error 1
--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
# #
# Bug#27669 mysqldump: SSL connection error when trying to connect # Bug#27669 mysqldump: SSL connection error when trying to connect
# #
@ -211,36 +171,13 @@ INSERT INTO t1 VALUES (1), (2);
# With wrong parameters # With wrong parameters
--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR mysqldump.exe mysqldump --replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR mysqldump.exe mysqldump
--replace_regex /\"SSL connection error.*/SSL connection error: xxxx/ --replace_regex /SSL connection error.*/SSL connection error: xxxx/
--error 2 --error 2
--exec $MYSQL_DUMP --skip-create-options --skip-comments --ssl --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test 2>&1 --exec $MYSQL_DUMP --skip-create-options --skip-comments --ssl --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test 2>&1
--echo --echo
DROP TABLE t1; DROP TABLE t1;
--remove_file $MYSQLTEST_VARDIR/tmp/test.sql --remove_file $MYSQLTEST_VARDIR/tmp/test.sql
#
# Bug#39172 Asking for DH+non-RSA key with server set to use other key caused
# YaSSL to crash the server.
#
# Common ciphers to openssl and yassl
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES256-SHA
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES128-SHA
--disable_query_log
--disable_result_log
# Below here caused crashes. ################
--error 1,0
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=NOT----EXIST
# These probably exist but the server's keys can't be used to accept these kinds of connections.
--error 1,0
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=AES128-RMD
# If this gives a result, then the bug is fixed.
--enable_result_log
--enable_query_log
select 'is still running; no cipher request crashed the server' as result from dual;
# #
# Bug#42158: leak: SSL_get_peer_certificate() doesn't have matching X509_free() # Bug#42158: leak: SSL_get_peer_certificate() doesn't have matching X509_free()
# #
@ -248,7 +185,7 @@ select 'is still running; no cipher request crashed the server' as result from d
GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509; GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509;
FLUSH PRIVILEGES; FLUSH PRIVILEGES;
connect(con1,localhost,bug42158,,,,,SSL); connect(con1,localhost,bug42158,,,,,SSL);
SELECT (VARIABLE_VALUE <> '') AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher'; SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
disconnect con1; disconnect con1;
connection default; connection default;
DROP USER bug42158@localhost; DROP USER bug42158@localhost;

5
mysql-test/t/ssl.test
View File

@ -32,10 +32,5 @@ select 'still connected?';
connection default; connection default;
disconnect ssl_con; disconnect ssl_con;
create user mysqltest_1@localhost;
grant usage on mysqltest.* to mysqltest_1@localhost require cipher "AES256-SHA";
--exec $MYSQL -umysqltest_1 --ssl-cipher=AES256-SHA -e "show status like 'ssl_cipher'" 2>&1
drop user mysqltest_1@localhost;
# Wait till all disconnects are completed # Wait till all disconnects are completed
--source include/wait_until_count_sessions.inc --source include/wait_until_count_sessions.inc

2
mysql-test/t/ssl_cert_verify.test
View File

@ -30,7 +30,7 @@ let $ssl_verify_pass_path = --ssl --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-veri
--enable_reconnect --enable_reconnect
--source include/wait_until_connected_again.inc --source include/wait_until_connected_again.inc
--replace_result TLSv1.2 TLS_VERSION TLSv1.1 TLS_VERSION TLSv1 TLS_VERSION --replace_result TLSv1.3 TLS_VERSION TLSv1.2 TLS_VERSION TLSv1.1 TLS_VERSION TLSv1 TLS_VERSION
--exec $MYSQL --protocol=tcp --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-verify.pem --ssl-verify-server-cert -e "SHOW STATUS like 'Ssl_version'" --exec $MYSQL --protocol=tcp --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-verify.pem --ssl-verify-server-cert -e "SHOW STATUS like 'Ssl_version'"
--echo # restart server using restart --echo # restart server using restart

1
mysql-test/t/ssl_cipher-master.opt
View File

@ -1 +0,0 @@
--loose-ssl-cipher=AES128-SHA

110
mysql-test/t/ssl_cipher.test
View File

@ -1,23 +1,103 @@
# Turn on ssl between the client and server #
# and run a number of tests # Various tests that require setting of a specific ssl_cipher
# which currently doesn't work in OpenSSL 1.1.1
#
--source include/have_ssl_communication.inc
--echo # if (`select @@version_ssl_library like 'OpenSSL 1.1.1%'`) {
--echo # BUG#11760210 - SSL_CIPHER_LIST NOT SET OR RETURNED FOR "SHOW STATUS LIKE 'SSL_CIPHER_LIST'" skip OpenSSL 1.1.1;
--echo # }
-- source include/have_ssl_communication.inc create user ssl_user1@localhost require SSL;
create user ssl_user2@localhost require cipher 'AES256-SHA';
create user ssl_user3@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client';
create user ssl_user4@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client' ISSUER '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB';
create user ssl_user5@localhost require cipher 'AES256-SHA' AND SUBJECT 'xxx';
# Save the initial number of concurrent sessions connect (con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA);
--source include/count_sessions.inc --replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA);
connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA);
connect (con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA);
connect (con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect (con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA);
connection con1;
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con1;
connection con2;
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con2;
connection con3;
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con3;
connection con4;
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con4;
connection default;
drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
#
# Bug#21611 Slave can't connect when master-ssl-cipher specified
# - Apparently selecting a cipher doesn't work at all
# - Use a cipher that both yaSSL and OpenSSL supports
#
--write_file $MYSQLTEST_VARDIR/tmp/test.sql
SHOW STATUS LIKE 'Ssl_cipher';
EOF
--exec $MYSQL_TEST --ssl-cipher=AES256-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
# Test to connect using a list of ciphers
--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER:AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
# Test to connect using a specifi cipher
--exec $MYSQL_TEST --ssl-cipher=AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
# Test to connect using an unknown cipher
--replace_regex /2026 SSL connection error.*/2026 SSL connection error: xxxx/
--error 1
--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
--remove_file $MYSQLTEST_VARDIR/tmp/test.sql
#
# Bug#39172 Asking for DH+non-RSA key with server set to use other key caused
# YaSSL to crash the server.
#
# Common ciphers to openssl and yassl
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES256-SHA
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES128-SHA
--disable_query_log
--disable_result_log
# Below here caused crashes. ################
--error 0,1
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=NOT----EXIST
# These probably exist but the server's keys can't be used to accept these kinds of connections.
--error 0,1
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=AES128-RMD
# If this gives a result, then the bug is fixed.
--enable_result_log
--enable_query_log
select 'is still running; no cipher request crashed the server' as result from dual;
#
# MDEV-10054 Secure login fails when CIPHER is required
#
create user mysqltest_1@localhost;
grant usage on mysqltest.* to mysqltest_1@localhost require cipher "AES256-SHA";
--exec $MYSQL -umysqltest_1 --ssl-cipher=AES256-SHA -e "show status like 'ssl_cipher'" 2>&1
drop user mysqltest_1@localhost;
#
# BUG#11760210 - SSL_CIPHER_LIST NOT SET OR RETURNED FOR "SHOW STATUS LIKE 'SSL_CIPHER_LIST'"
# it was a bug in yaSSL, fixed in d2e36e4258bb
#
let $restart_parameters=--ssl-cipher=AES128-SHA;
source include/restart_mysqld.inc;
connect (ssl_con,localhost,root,,,,,SSL); connect (ssl_con,localhost,root,,,,,SSL);
# Check Cipher Name and Cipher List
SHOW STATUS LIKE 'Ssl_cipher'; SHOW STATUS LIKE 'Ssl_cipher';
SHOW STATUS LIKE 'Ssl_cipher_list'; SHOW STATUS LIKE 'Ssl_cipher_list';
connection default;
disconnect ssl_con; disconnect ssl_con;
connection default;
# Wait till all disconnects are completed
--source include/wait_until_count_sessions.inc