mirror of
https://github.com/MariaDB/server.git
synced 2025-08-30 11:22:14 +03:00
f0fa40efad
Summary of changes - MD_CTX_SIZE is increased - EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points to nobody knows where. The assumption made previously was that (since the function does not seem to be documented) was that it points to the last partial source block. Add own partial block buffer for NOPAD encryption instead - SECLEVEL in CipherString in openssl.cnf had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible (according to https://github.com/openssl/openssl/blob/openssl-3.0.0/NEWS.md even though the manual for SSL_CTX_get_security_level claims that it should not be necessary) - Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers, in addition to what was set in --ssl-cipher - ctx_buf buffer now must be aligned to 16 bytes with openssl( previously with WolfSSL only), ot crashes will happen - updated aes-t , to be better debuggable using function, rather than a huge multiline macro added test that does "nopad" encryption piece-wise, to test replacement of EVP_CIPHER_CTX_buf_noconst part of MDEV-28133
69 lines
2.7 KiB
Plaintext
69 lines
2.7 KiB
Plaintext
create user ssl_user1@localhost require SSL;
|
|
create user ssl_user2@localhost require cipher 'AES256-SHA';
|
|
create user ssl_user3@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client';
|
|
create user ssl_user4@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client' ISSUER '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB';
|
|
create user ssl_user5@localhost require cipher 'AES256-SHA' AND SUBJECT 'xxx';
|
|
connect con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA;
|
|
connect(localhost,ssl_user2,,test,MASTER_PORT,MASTER_SOCKET);
|
|
connect con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA;
|
|
ERROR 28000: Access denied for user 'ssl_user2'@'localhost' (using password: NO)
|
|
connect con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA;
|
|
connect con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA;
|
|
connect con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA;
|
|
connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET);
|
|
connect con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA;
|
|
ERROR 28000: Access denied for user 'ssl_user5'@'localhost' (using password: NO)
|
|
connection con1;
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
Variable_name Value
|
|
Ssl_cipher AES256-SHA
|
|
disconnect con1;
|
|
connection con2;
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
Variable_name Value
|
|
Ssl_cipher AES256-SHA
|
|
disconnect con2;
|
|
connection con3;
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
Variable_name Value
|
|
Ssl_cipher AES256-SHA
|
|
disconnect con3;
|
|
connection con4;
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
Variable_name Value
|
|
Ssl_cipher AES256-SHA
|
|
disconnect con4;
|
|
connection default;
|
|
drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
Variable_name Value
|
|
Ssl_cipher AES256-SHA
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
Variable_name Value
|
|
Ssl_cipher AES128-SHA
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
Variable_name Value
|
|
Ssl_cipher AES128-SHA
|
|
mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxxVariable_name Value
|
|
Ssl_cipher AES256-SHA
|
|
Variable_name Value
|
|
Ssl_cipher AES128-SHA
|
|
select 'is still running; no cipher request crashed the server' as result from dual;
|
|
result
|
|
is still running; no cipher request crashed the server
|
|
create user mysqltest_1@localhost;
|
|
grant usage on mysqltest.* to mysqltest_1@localhost require cipher "AES256-SHA";
|
|
Variable_name Value
|
|
Ssl_cipher AES256-SHA
|
|
drop user mysqltest_1@localhost;
|
|
# restart: --ssl-cipher=AES128-SHA
|
|
connect ssl_con,localhost,root,,,,,SSL;
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
Variable_name Value
|
|
Ssl_cipher AES128-SHA
|
|
SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
|
|
VARIABLE_VALUE like '%AES128-SHA%'
|
|
1
|
|
disconnect ssl_con;
|
|
connection default;
|