database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-11-24 06:01:25 +03:00
Code Activity
Files
d77e3cde5f43426271f7ac64a922e5ddbf6e675d
mariadb/mysql-test/t/openssl_1.test
Michael Widenius 4847e50ddb Changed version number from RC to stable 
Fixed bug in Yassle to get correct error messages in case of errors
Provide better error messages in case of ssl connect failure
Updated out-of-date ssl certificates to fix failing mysql-test-system (certificates now active for 10 years)
Fixed bug in query_cache that could cause asserts and hangs in DEBUG builds.
Fixed bug where one connection did not see changes done by another connection.

configure.in:
  Changed version number from RC to stable
extra/yassl/src/yassl_error.cpp:
  Fixed bug in Yassle to get correct error messages in case of errors
  - 'error' is an enum that hold more error numbers than the enum was defined for
include/violite.h:
  Added error output string for sslaccept() and sslconnect() to get reason for connect failure
mysql-test/mysql-test-run.pl:
  Write failed test cases if mysql-test-run fails because of too many errors
mysql-test/r/grant.result:
  Update results to reflect new certificates
mysql-test/r/openssl_1.result:
  Update results to reflect new certificates
mysql-test/std_data/cacert.pem:
  Update ssl certificate
mysql-test/std_data/client-cert.pem:
  Update ssl certificate
mysql-test/std_data/client-key.pem:
  Update ssl certificate
mysql-test/std_data/server-cert.pem:
  Update ssl certificate
mysql-test/std_data/server-key.pem:
  Update ssl certificate
mysql-test/t/grant.test:
  Update test to reflect new certificates
mysql-test/t/openssl_1.test:
  Update test to reflect new certificates
mysql-test/t/query_cache_debug.test:
  Remove 'big_test' as test is now fast
sql-common/client.c:
  Give a better error message if ssl connect fails
sql/net_serv.cc:
  Fixed compiler warnings
sql/slave.cc:
  Give a better error message in logs if ssl connect fails
sql/sql_cache.cc:
  debug_wait_for_kill() now removes the set watch variable after kill signal
  This is needed as invalidate_table() may be called twice for one query.
  Ensure that net->query_cache_query is reset after query. This fixes assert in
  query_cache_end_of_result() if query_cache_query holds results from previous query.
  Removed DBUG_ASSERT(0), as this code can be run by query_cache_debug.test
sql/sql_connect.cc:
  Give a better error message if ssl connect fails
sql/sql_parse.cc:
  Fixed bug where one connection did not see changes done by another connection.
  For statements that changes tables, close_thread_tables() MUST be called before
  sending OK as a table handler may not make the changes available for other connections
  before unlock_tables().
vio/viossl.c:
  Give a better error message if ssl connect fails
2010-01-29 12:42:31 +02:00

259 lines
8.7 KiB
Plaintext
Raw Blame History

# Tests for SSL connections, only run if mysqld is compiled
# with support for SSL.
--source include/have_ssl.inc
# Save the initial number of concurrent sessions
--source include/count_sessions.inc
--disable_warnings
drop table if exists t1;
--enable_warnings
create table t1(f1 int);
insert into t1 values (5);
grant select on test.* to ssl_user1@localhost require SSL;
grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA";
grant select on test.* to ssl_user3@localhost require cipher
"DHE-RSA-AES256-SHA" AND SUBJECT "/C=FI/ST=Tuusula/O=Monty Program Ab/emailAddress=abstract.developer@askmonty.org";
grant select on test.* to ssl_user4@localhost require cipher
"DHE-RSA-AES256-SHA" AND SUBJECT "/C=FI/ST=Tuusula/O=Monty Program Ab/emailAddress=abstract.developer@askmonty.org" ISSUER "/C=FI/ST=Tuusula/O=Monty Program Ab/emailAddress=abstract.developer@askmonty.org";
grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
flush privileges;
connect (con1,localhost,ssl_user1,,,,,SSL);
connect (con2,localhost,ssl_user2,,,,,SSL);
connect (con3,localhost,ssl_user3,,,,,SSL);
connect (con4,localhost,ssl_user4,,,,,SSL);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect (con5,localhost,ssl_user5,,,,,SSL);
connection con1;
# Check ssl turned on
SHOW STATUS LIKE 'Ssl_cipher';
select * from t1;
--error ER_TABLEACCESS_DENIED_ERROR
delete from t1;
connection con2;
# Check ssl turned on
SHOW STATUS LIKE 'Ssl_cipher';
select * from t1;
--error ER_TABLEACCESS_DENIED_ERROR
delete from t1;
connection con3;
# Check ssl turned on
SHOW STATUS LIKE 'Ssl_cipher';
select * from t1;
--error ER_TABLEACCESS_DENIED_ERROR
delete from t1;
connection con4;
# Check ssl turned on
SHOW STATUS LIKE 'Ssl_cipher';
select * from t1;
--error ER_TABLEACCESS_DENIED_ERROR
delete from t1;
connection default;
disconnect con1;
disconnect con2;
disconnect con3;
disconnect con4;
drop user ssl_user1@localhost, ssl_user2@localhost,
ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
drop table t1;
# End of 4.1 tests
#
# Test that we can't open connection to server if we are using
# a different cacert
#
--exec echo "this query should not execute;" > $MYSQLTEST_VARDIR/tmp/test.sql
--error 1
--exec $MYSQL_TEST --ssl-ca=$MYSQL_TEST_DIR/std_data/untrusted-cacert.pem --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
#
# Test that we can't open connection to server if we are using
# a blank ca
#
--error 1
--exec $MYSQL_TEST --ssl-ca= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
#
# Test that we can't open connection to server if we are using
# a nonexistent ca file
#
--error 1
--exec $MYSQL_TEST --ssl-ca=nonexisting_file.pem --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
#
# Test that we can't open connection to server if we are using
# a blank client-key
#
--error 1
--exec $MYSQL_TEST --ssl-key= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
#
# Test that we can't open connection to server if we are using
# a blank client-cert
#
--error 1
--exec $MYSQL_TEST --ssl-cert= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
#
# Bug#21611 Slave can't connect when master-ssl-cipher specified
# - Apparently selecting a cipher doesn't work at all
# - Usa a cipher that both yaSSL and OpenSSL supports
#
--exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit;" > $MYSQLTEST_VARDIR/tmp/test.sql
--exec $MYSQL_TEST --ssl-cipher=DHE-RSA-AES256-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
#
# Bug#25309 SSL connections without CA certificate broken since MySQL 5.0.23
#
# Test that we can open encrypted connection to server without
# verification of servers certificate by setting both ca certificate
# and ca path to NULL
#
--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
--echo End of 5.0 tests
#
# Bug#26174 Server Crash: INSERT ... SELECT ... FROM I_S.GLOBAL_STATUS in
# Event (see also information_schema.test for the other part of test for
# this bug).
#
--disable_warnings
DROP TABLE IF EXISTS thread_status;
DROP EVENT IF EXISTS event_status;
--enable_warnings
SET GLOBAL event_scheduler=1;
DELIMITER $$;
CREATE EVENT event_status
ON SCHEDULE AT NOW()
ON COMPLETION NOT PRESERVE
DO
BEGIN
CREATE TABLE thread_status
SELECT variable_name, variable_value
FROM information_schema.session_status
WHERE variable_name LIKE 'SSL_ACCEPTS' OR
variable_name LIKE 'SSL_CALLBACK_CACHE_HITS';
END$$
DELIMITER ;$$
let $wait_condition=select count(*) = 0 from information_schema.events where event_name='event_status';
--source include/wait_condition.inc
# The actual value doesn't matter and can vary based on test ordering and on ssl library.
--replace_column 2 #
SELECT variable_name, variable_value FROM thread_status;
DROP TABLE thread_status;
SET GLOBAL event_scheduler=0;
#
# Test to connect using a list of ciphers
#
--exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit;" > $MYSQLTEST_VARDIR/tmp/test.sql
--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER:AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
# Test to connect using a specifi cipher
#
--exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit;" > $MYSQLTEST_VARDIR/tmp/test.sql
--exec $MYSQL_TEST --ssl-cipher=AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
# Test to connect using an unknown cipher
#
--exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit" > $MYSQLTEST_VARDIR/tmp/test.sql
--error 1
--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
#
# Bug#27669 mysqldump: SSL connection error when trying to connect
#
CREATE TABLE t1(a int);
INSERT INTO t1 VALUES (1), (2);
# Run mysqldump
--exec $MYSQL_DUMP --skip-create --skip-comments --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test t1
--exec $MYSQL_DUMP --skip-create --skip-comments --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test
--exec $MYSQL_DUMP --skip-create --skip-comments --ssl --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test
# With wrong parameters
--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
--error 2
--exec $MYSQL_DUMP --skip-create --skip-comments --ssl --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test 2>&1
DROP TABLE t1;
--remove_file $MYSQLTEST_VARDIR/tmp/test.sql
#
# Bug#39172 Asking for DH+non-RSA key with server set to use other key caused
# YaSSL to crash the server.
#
# Common ciphers to openssl and yassl
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=DHE-RSA-AES256-SHA
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=EDH-RSA-DES-CBC3-SHA
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=EDH-RSA-DES-CBC-SHA
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=RC4-SHA
--disable_query_log
--disable_result_log
# Below here caused crashes. ################
--error 1,0
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=NOT----EXIST
# These probably exist but the server's keys can't be used to accept these kinds of connections.
--error 1,0
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=DHE-DSS-AES128-RMD
--error 1,0
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=DHE-DSS-AES128-SHA
--error 1,0
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=DHE-DSS-AES256-RMD
--error 1,0
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=DHE-DSS-AES256-SHA
--error 1,0
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=DHE-DSS-DES-CBC3-RMD
--error 1,0
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=EDH-DSS-DES-CBC3-SHA
--error 1,0
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=EDH-DSS-DES-CBC-SHA
# End of crashers. ##########################
# If this gives a result, then the bug is fixed.
--enable_result_log
--enable_query_log
select 'is still running; no cipher request crashed the server' as result from dual;
#
# Bug#42158: leak: SSL_get_peer_certificate() doesn't have matching X509_free()
#
GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509;
FLUSH PRIVILEGES;
connect(con1,localhost,bug42158,,,,,SSL);
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con1;
connection default;
DROP USER bug42158@localhost;
--echo End of 5.1 tests
# Wait till we reached the initial number of concurrent sessions
--source include/wait_until_count_sessions.inc
View Git Blame Copy Permalink