From 8d47d9ed8852d4fbc1c8708e06eeb180e15587c6 Mon Sep 17 00:00:00 2001 
From: Sergei Golubchik Date: Wed, 20 Feb 2019 15:15:34 +0100 Subject: [PATCH] SSL test fixes * fix CRL tests to work * regenerate certificates to be at least 2048 bit (fixes buster and rhel8 in buildbot) * update generate-ssl-cert.sh to generate crl files * make all SSL tests to use certificates generated in generate-ssl-cert.sh, remove unused certificates Backport from 10.4 9c60535f8676 --- mysql-test/disabled.def | 3 - mysql-test/include/have_openssl.inc | 7 +- mysql-test/lib/generate-ssl-certs.sh | 37 ++- mysql-test/r/ssl-crl-revoked-crl.result | 1 - mysql-test/r/ssl.result | 4 +- mysql-test/r/ssl_cert_verify.result | 5 - mysql-test/r/ssl_crl.result | 24 +- mysql-test/r/ssl_crl_clients-valid.result | 24 -- mysql-test/r/ssl_crl_clients.result | 6 + mysql-test/r/ssl_crl_clients_valid.result | 16 -- mysql-test/r/ssl_crl_clrpath.result | 23 -- mysql-test/std_data/ca-cert-verify.pem | 20 -- mysql-test/std_data/cacert.pem | 110 ++++---- mysql-test/std_data/cakey.pem | 52 ++-- mysql-test/std_data/client-cert.crl | 12 + mysql-test/std_data/client-cert.pem | 102 ++++---- mysql-test/std_data/client-key.pem | 38 ++- mysql-test/std_data/crl-ca-cert.pem | 63 ----- mysql-test/std_data/crl-client-cert.pem | 62 ----- mysql-test/std_data/crl-client-key.pem | 15 -- mysql-test/std_data/crl-client-revoked.crl | 10 - mysql-test/std_data/crl-server-cert.pem | 62 ----- mysql-test/std_data/crl-server-key.pem | 15 -- mysql-test/std_data/crldir/ed1f42db.r0 | 12 + mysql-test/std_data/crldir/fc725416.r0 | 10 - mysql-test/std_data/galera-cert.pem | 26 -- mysql-test/std_data/galera-key.pem | 28 -- .../std_data/galera-upgrade-ca-cert.pem | 40 --- .../std_data/galera-upgrade-server-cert.pem | 20 -- .../std_data/galera-upgrade-server-key.pem | 28 -- .../std_data/server-cert-verify-fail.pem | 19 -- .../std_data/server-cert-verify-pass.pem | 19 -- mysql-test/std_data/server-cert.crl | 12 + mysql-test/std_data/server-cert.pem | 100 +++---- .../std_data/server-key-verify-fail.pem | 27 -- 
.../std_data/server-key-verify-pass.pem | 27 -- mysql-test/std_data/server-key.pem | 38 ++- mysql-test/std_data/server-new-cert.pem | 81 ++++++ mysql-test/std_data/server-new-key.pem | 27 ++ mysql-test/std_data/server8k-cert.pem | 246 +++++++++--------- mysql-test/std_data/server8k-key.pem | 194 +++++++------- mysql-test/std_data/serversan-cert.pem | 92 ++++--- mysql-test/std_data/serversan-key.pem | 40 ++- mysql-test/suite/galera/t/galera_ssl.cnf | 4 +- .../suite/galera/t/galera_ssl_compression.cnf | 4 +- .../suite/galera/t/galera_ssl_upgrade.cnf | 4 +- .../suite/galera/t/galera_ssl_upgrade.test | 2 +- ...alera_sst_mariabackup_encrypt_with_key.cnf | 4 +- mysql-test/t/ssl_cert_verify.test | 43 --- mysql-test/t/ssl_crl-master.opt | 4 - mysql-test/t/ssl_crl.combinations | 5 + mysql-test/t/ssl_crl.test | 15 +- mysql-test/t/ssl_crl_clients-master.opt | 4 - mysql-test/t/ssl_crl_clients.test | 31 +-- mysql-test/t/ssl_crl_clients_valid-master.opt | 4 - mysql-test/t/ssl_crl_clients_valid.test | 23 -- mysql-test/t/ssl_crl_clrpath-master.opt | 4 - mysql-test/t/ssl_crl_clrpath.test | 16 -- 58 files changed, 760 insertions(+), 1204 deletions(-) delete mode 100644 mysql-test/r/ssl-crl-revoked-crl.result delete mode 100644 mysql-test/r/ssl_cert_verify.result delete mode 100644 mysql-test/r/ssl_crl_clients-valid.result delete mode 100644 mysql-test/r/ssl_crl_clients_valid.result delete mode 100644 mysql-test/r/ssl_crl_clrpath.result delete mode 100644 mysql-test/std_data/ca-cert-verify.pem create mode 100644 mysql-test/std_data/client-cert.crl delete mode 100644 mysql-test/std_data/crl-ca-cert.pem delete mode 100644 mysql-test/std_data/crl-client-cert.pem delete mode 100644 mysql-test/std_data/crl-client-key.pem delete mode 100644 mysql-test/std_data/crl-client-revoked.crl delete mode 100644 mysql-test/std_data/crl-server-cert.pem delete mode 100644 mysql-test/std_data/crl-server-key.pem create mode 100644 mysql-test/std_data/crldir/ed1f42db.r0 delete mode 100644 
mysql-test/std_data/crldir/fc725416.r0 delete mode 100644 mysql-test/std_data/galera-cert.pem delete mode 100644 mysql-test/std_data/galera-key.pem delete mode 100644 mysql-test/std_data/galera-upgrade-ca-cert.pem delete mode 100644 mysql-test/std_data/galera-upgrade-server-cert.pem delete mode 100644 mysql-test/std_data/galera-upgrade-server-key.pem delete mode 100644 mysql-test/std_data/server-cert-verify-fail.pem delete mode 100644 mysql-test/std_data/server-cert-verify-pass.pem create mode 100644 mysql-test/std_data/server-cert.crl delete mode 100644 mysql-test/std_data/server-key-verify-fail.pem delete mode 100644 mysql-test/std_data/server-key-verify-pass.pem create mode 100644 mysql-test/std_data/server-new-cert.pem create mode 100644 mysql-test/std_data/server-new-key.pem delete mode 100644 mysql-test/t/ssl_cert_verify.test delete mode 100644 mysql-test/t/ssl_crl-master.opt create mode 100644 mysql-test/t/ssl_crl.combinations delete mode 100644 mysql-test/t/ssl_crl_clients-master.opt delete mode 100644 mysql-test/t/ssl_crl_clients_valid-master.opt delete mode 100644 mysql-test/t/ssl_crl_clients_valid.test delete mode 100644 mysql-test/t/ssl_crl_clrpath-master.opt delete mode 100644 mysql-test/t/ssl_crl_clrpath.test diff --git a/mysql-test/disabled.def b/mysql-test/disabled.def index b6991cc1d37..93fff886791 100644 --- a/mysql-test/disabled.def +++ b/mysql-test/disabled.def @@ -14,9 +14,6 @@ events_time_zone : Test is not predictable as it depends on precise timi read_many_rows_innodb : Bug#11748886 2010-11-15 mattiasj report already exists mysql_embedded : Bug#12561297 2011-05-14 Anitha Dependent on PB2 changes - eventum#41836 #show_explain : Psergey: random timeout in range-checked-for-each record query. -ssl_crl_clients_valid : broken upstream -ssl_crl : broken upstream -ssl_crl_clrpath : broken upstream innodb-wl5522-debug-zip : broken upstream innodb_bug12902967 : broken upstream file_contents : MDEV-6526 these files are not installed anymore 
diff --git a/mysql-test/include/have_openssl.inc b/mysql-test/include/have_openssl.inc index c9260123f9d..ee51ee4527a 100644 --- a/mysql-test/include/have_openssl.inc +++ b/mysql-test/include/have_openssl.inc @@ -1,7 +1,4 @@ --- source include/have_ssl_communication.inc -let $crllen=`select length(trim(coalesce(@@ssl_crl, ''))) + length(trim(coalesce(@@ssl_crlpath, '')))`; -if (!$crllen) -{ +if (`SELECT count(*) = 0 FROM information_schema.GLOBAL_VARIABLES WHERE + VARIABLE_NAME = 'have_openssl' AND VARIABLE_VALUE = 'YES'`){ skip Needs OpenSSL; } - diff --git a/mysql-test/lib/generate-ssl-certs.sh b/mysql-test/lib/generate-ssl-certs.sh index 8f15ba9d521..0894be3a299 100755 --- a/mysql-test/lib/generate-ssl-certs.sh +++ b/mysql-test/lib/generate-ssl-certs.sh 
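Review bot: The rewritten guard in have_openssl.inc drops the `source include/have_ssl_communication.inc` line, so whatever that include verified is no longer enforced through this file. The new condition only tests `have_openssl = 'YES'`, which describes the TLS library the server was built with; whether TLS is actually usable on the running server is reported by `have_ssl`. A test that sources only this include could therefore run against a server without working TLS and fail instead of skipping. If the callers are expected to source the communication check themselves, say so in a comment at the top, for example `# checks the TLS library only; source include/have_ssl_communication.inc separately`.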
@@ -10,30 +10,49 @@ rm -rf demoCA mkdir demoCA demoCA/newcerts touch demoCA/index.txt echo 01 > demoCA/serial +echo 01 > demoCA/crlnumber # CA certificate, self-signed openssl req -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem -days 7300 -nodes -subj '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' -text # server certificate signing request and private key. Note the very long subject (for MDEV-7859) -openssl req -newkey rsa:1024 -keyout server-key.pem -out demoCA/server-req.pem -days 7300 -nodes -subj '/CN=localhost/C=FI/ST=state or province within country, in other certificates in this file it is the same as L/L=location, usually an address but often ambiguously used/OU=organizational unit name, a division name within an organization/O=organization name, typically a company name' +openssl req -newkey rsa:2048 -keyout server-key.pem -out demoCA/server-req.pem -days 7300 -nodes -subj '/CN=localhost/C=FI/ST=state or province within country, in other certificates in this file it is the same as L/L=location, usually an address but often ambiguously used/OU=organizational unit name, a division name within an organization/O=organization name, typically a company name' # convert the key to yassl compatible format openssl rsa -in server-key.pem -out server-key.pem # sign the server certificate with CA certificate -openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server-cert.pem -infiles demoCA/server-req.pem +openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server-cert.pem -in demoCA/server-req.pem +# server certificate with different validity period (MDEV-7598) +openssl req -newkey rsa:2048 -keyout server-new-key.pem -out demoCA/server-new-req.pem -days 7301 -nodes -subj '/CN=server-new/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' +openssl rsa -in server-new-key.pem -out server-new-key.pem +openssl ca -keyfile cakey.pem -days 7301 -batch -cert cacert.pem -policy policy_anything 
-out server-new-cert.pem -in demoCA/server-new-req.pem + +# 8K cert openssl req -newkey rsa:8192 -keyout server8k-key.pem -out demoCA/server8k-req.pem -days 7300 -nodes -subj '/CN=server8k/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' openssl rsa -in server8k-key.pem -out server8k-key.pem -openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server8k-cert.pem -infiles demoCA/server8k-req.pem - -openssl req -newkey rsa:1024 -keyout client-key.pem -out demoCA/client-req.pem -days 7300 -nodes -subj '/CN=client/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' -openssl rsa -in client-key.pem -out client-key.pem -openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out client-cert.pem -infiles demoCA/client-req.pem +openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server8k-cert.pem -in demoCA/server8k-req.pem # with SubjectAltName, only for OpenSSL 1.0.2+ cat > demoCA/sanext.conf < $MYSQLTEST_VARDIR/tmp/mysqld.1.expect ---shutdown_server ---source include/wait_until_disconnected.inc - ---exec echo "restart:" $ssl_verify_fail_path > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect ---enable_reconnect ---source include/wait_until_connected_again.inc - ---error 1 ---exec $MYSQL --protocol=tcp --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-verify.pem --ssl-verify-server-cert -e "SHOW STATUS like 'Ssl_version'" - ---echo #T2: Host name (localhost) as common name in the server certificate, server certificate verification should pass. 
---exec echo "wait" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect ---shutdown_server ---source include/wait_until_disconnected.inc - ---exec echo "restart:" $ssl_verify_pass_path > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect ---enable_reconnect ---source include/wait_until_connected_again.inc - ---replace_result TLSv1.3 TLS_VERSION TLSv1.2 TLS_VERSION TLSv1.1 TLS_VERSION TLSv1 TLS_VERSION ---exec $MYSQL --protocol=tcp --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-verify.pem --ssl-verify-server-cert -e "SHOW STATUS like 'Ssl_version'" - ---echo # restart server using restart ---exec echo "wait" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect ---shutdown_server ---source include/wait_until_disconnected.inc - ---exec echo "restart: " > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect ---enable_reconnect ---source include/wait_until_connected_again.inc diff --git a/mysql-test/t/ssl_crl-master.opt b/mysql-test/t/ssl_crl-master.opt deleted file mode 100644 index 8500f8cd6e7..00000000000 --- a/mysql-test/t/ssl_crl-master.opt +++ /dev/null @@ -1,4 +0,0 @@ ---ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem ---ssl-key=$MYSQL_TEST_DIR/std_data/crl-server-key.pem ---ssl-cert=$MYSQL_TEST_DIR/std_data/crl-server-cert.pem ---ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl diff --git a/mysql-test/t/ssl_crl.combinations b/mysql-test/t/ssl_crl.combinations new file mode 100644 index 00000000000..abeec480510 --- /dev/null +++ b/mysql-test/t/ssl_crl.combinations @@ -0,0 +1,5 @@ +[file] +ssl-crl=$MYSQL_TEST_DIR/std_data/client-cert.crl + +[path] +ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir diff --git a/mysql-test/t/ssl_crl.test b/mysql-test/t/ssl_crl.test index 65c14837e50..dc30a9b5934 100644 --- a/mysql-test/t/ssl_crl.test +++ b/mysql-test/t/ssl_crl.test 
@@ -2,15 +2,12 @@ -- source include/not_embedded.inc -- source include/have_openssl.inc ---echo # test --crl for the client : should connect ---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR ---exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-valid-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-valid-cert.pem test --ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl -e "SHOW VARIABLES like '%ssl%';" - ---echo # test --crlpath for the client : should connect ---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR ---exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-valid-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-valid-cert.pem --ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir test -e "SHOW VARIABLES like '%ssl%';" +--echo # try logging in with a certificate not in the server's --ssl-crl : should succeed +--replace_result TLSv1.3 TLS_VERSION TLSv1.2 TLS_VERSION TLSv1.1 TLS_VERSION TLSv1 TLS_VERSION +--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/server-new-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/server-new-cert.pem test -e "SHOW STATUS LIKE 'Ssl_version'" --echo # try logging in with a certificate in the server's --ssl-crl : should fail ---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR +# OpenSSL 1.1.1a correctly rejects the certificate, but the error message is wrong +--replace_result "ERROR 2013 (HY000): Lost connection to MySQL server at 'reading authorization packet', system error: 0" "ERROR 2026 (HY000): SSL connection error: sslv3 alert certificate revoked" --error 1 ---exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW VARIABLES like '%ssl%';" +--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem 
--ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_version'" 2>&1 diff --git a/mysql-test/t/ssl_crl_clients-master.opt b/mysql-test/t/ssl_crl_clients-master.opt deleted file mode 100644 index fa885a61a0c..00000000000 --- a/mysql-test/t/ssl_crl_clients-master.opt +++ /dev/null @@ -1,4 +0,0 @@ ---ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem ---ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem ---ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem ---ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl diff --git a/mysql-test/t/ssl_crl_clients.test b/mysql-test/t/ssl_crl_clients.test index 7c05f498fbe..fc954a2fc38 100644 --- a/mysql-test/t/ssl_crl_clients.test +++ b/mysql-test/t/ssl_crl_clients.test 
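Review bot: The `--replace_result` added before the revoked-certificate case in ssl_crl.test rewrites the generic `ERROR 2013 ... Lost connection ... system error: 0` into the `certificate revoked` text, so the recorded result cannot tell a CRL rejection from any other disconnect while reading the authorization packet. With that mapping the negative case still passes if the server closes the connection at that stage for an unrelated reason. The existing comment explains the OpenSSL 1.1.1a message; it should also state the limitation, for example `# caveat: any disconnect at this stage is recorded as "certificate revoked"`. The positive case presents `server-new-cert.pem` as a client certificate, which deserves a one-line comment such as `# server-new is signed by the same CA and is not listed in client-cert.crl`.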
@@ -4,38 +4,33 @@ --echo # Test clients with and without CRL lists -let $ssl_base = --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-server-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-server-cert.pem; -let $ssl_crl = $ssl_base --ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl; -let $ssl_crlpath = $ssl_base --ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir; +let $ssl_base = --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem --ssl-verify-server-cert; +let $ssl_crl = $ssl_base --ssl-crl=$MYSQL_TEST_DIR/std_data/server-cert.crl; +let $ssl_crlpath = $ssl_base --ssl-crlpath=$MYSQL_TMP_DIR; +# See `openssl x509 -in server-cert.pem -noout -issuer_hash` +copy_file $MYSQL_TEST_DIR/std_data/server-cert.crl $MYSQL_TMP_DIR/ed1f42db.r0; --echo ############ Test mysql ############## --echo # Test mysql connecting to a server with a certificate revoked by -crl ---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR --error 1 ---exec $MYSQL $ssl_crl test -e "SHOW VARIABLES like '%ssl%';" +--exec $MYSQL $ssl_crl test -e "SHOW STATUS LIKE 'Ssl_version'" 2>&1 --echo # Test mysql connecting to a server with a certificate revoked by -crlpath ---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR --error 1 ---exec $MYSQL $ssl_crlpath test -e "SHOW VARIABLES like '%ssl%';" +--exec $MYSQL $ssl_crlpath test -e "SHOW STATUS LIKE 'Ssl_version'" 2>&1 --echo ############ Test mysqladmin ############## -let $admin_prefix = --no-defaults; let $admin_suffix = --default-character-set=latin1 -S $MASTER_MYSOCK -P $MASTER_MYPORT -u root --password= ping; --echo # Test mysqladmin connecting to a server with a certificate revoked by -crl ---disable_result_log ---replace_regex /.*mysqladmin.*: connect/mysqladmin: connect/ ---error 2 ---exec $MYSQLADMIN $admin_prefix $ssl_crl $admin_suffix 2>&1 ---enable_result_log +--replace_regex /.*mysqladmin.*:/mysqladmin:/ +--error 1 
+--exec $MYSQLADMIN $ssl_crl $admin_suffix 2>&1 ---disable_result_log --echo # Test mysqladmin connecting to a server with a certificate revoked by -crlpath ---replace_regex /.*mysqladmin.*: connect/mysqladmin: connect/ ---error 2 ---exec $MYSQLADMIN $admin_prefix $ssl_crlpath $admin_suffix 2>&1 ---enable_result_log +--replace_regex /.*mysqladmin.*:/mysqladmin:/ +--error 1 +--exec $MYSQLADMIN $ssl_crlpath $admin_suffix 2>&1 diff --git a/mysql-test/t/ssl_crl_clients_valid-master.opt b/mysql-test/t/ssl_crl_clients_valid-master.opt deleted file mode 100644 index 258df564eba..00000000000 --- a/mysql-test/t/ssl_crl_clients_valid-master.opt +++ /dev/null @@ -1,4 +0,0 @@ ---ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem ---ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-valid-key.pem ---ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-valid-cert.pem ---ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl diff --git a/mysql-test/t/ssl_crl_clients_valid.test b/mysql-test/t/ssl_crl_clients_valid.test deleted file mode 100644 index f08fbf09397..00000000000 --- a/mysql-test/t/ssl_crl_clients_valid.test +++ /dev/null 
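Review bot: `$ssl_crlpath` in ssl_crl_clients.test now points at `$MYSQL_TMP_DIR` and the CRL is copied there as `ed1f42db.r0`, but no matching cleanup is visible in this hunk, so the file appears to stay in the shared temporary directory after the test. Pointing `--ssl-crlpath` at a directory other tests also write to means any stray hashed CRL file there can change the outcome. I would add `remove_file $MYSQL_TMP_DIR/ed1f42db.r0;` at the end of the test. The file name is a hard-coded issuer hash, so the comment above `copy_file` should say when it must change, for example `# name must equal the -issuer_hash of server-cert.pem; update if the CA subject changes`. Whether the hunk reaches the end of the file cannot be confirmed from this page.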
@@ -1,23 +0,0 @@ -# This test should work in embedded server after we fix mysqltest --- source include/not_embedded.inc --- source include/have_openssl.inc - ---echo # Test clients with and without CRL lists - -let $ssl_base = --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-server-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-server-cert.pem; -let $ssl_crl = $ssl_base --ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl; -let $ssl_crlpath = $ssl_base --ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir; - - ---echo ############ Test mysql ############## - ---echo # Test mysql connecting to a server with an empty crl ---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR ---exec $MYSQL $ssl_crl test -e "SHOW VARIABLES like '%ssl%';" 2>&1 - ---echo ############ Test mysqladmin ############## -let $admin_prefix = --no-defaults; -let $admin_suffix = --default-character-set=latin1 -S $MASTER_MYSOCK -P $MASTER_MYPORT -u root --password= ping; - ---echo # Test mysqladmin connecting to a server with an empty crl ---exec $MYSQLADMIN $admin_prefix $ssl_crl $admin_suffix 2>&1 diff --git a/mysql-test/t/ssl_crl_clrpath-master.opt b/mysql-test/t/ssl_crl_clrpath-master.opt deleted file mode 100644 index b1f486a322b..00000000000 --- a/mysql-test/t/ssl_crl_clrpath-master.opt +++ /dev/null @@ -1,4 +0,0 @@ ---ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem ---ssl-key=$MYSQL_TEST_DIR/std_data/crl-server-key.pem ---ssl-cert=$MYSQL_TEST_DIR/std_data/crl-server-cert.pem ---ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir diff --git a/mysql-test/t/ssl_crl_clrpath.test b/mysql-test/t/ssl_crl_clrpath.test deleted file mode 100644 index 50d84ad175e..00000000000 --- a/mysql-test/t/ssl_crl_clrpath.test +++ /dev/null 
@@ -1,16 +0,0 @@ -# This test should work in embedded server after we fix mysqltest --- source include/not_embedded.inc --- source include/have_openssl.inc - ---echo # test --crl for the client : should connect ---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR ---exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-valid-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-valid-cert.pem test --ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl -e "SHOW VARIABLES like '%ssl%';" - ---echo # test --crlpath for the client : should connect ---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR ---exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-valid-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-valid-cert.pem --ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir test -e "SHOW VARIABLES like '%ssl%';" - ---echo # try logging in with a certificate in the server's --ssl-crlpath : should fail ---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR ---error 1 ---exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW VARIABLES like '%ssl%';"