1
0
mirror of https://github.com/MariaDB/server.git synced 2025-08-30 11:22:14 +03:00
Files
mariadb/mysql-test/main/ssl_cipher.result
Vladislav Vaintroub f0fa40efad MDEV-25785 Add support for OpenSSL 3.0
Summary of changes

- MD_CTX_SIZE is increased

- EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points
  to nobody knows where. The assumption made previously was that
  (since the function does not seem to be documented)
  was that it points to the last partial source block.
  Add own partial block buffer for NOPAD encryption instead

- SECLEVEL in CipherString in openssl.cnf
  had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible
   (according to https://github.com/openssl/openssl/blob/openssl-3.0.0/NEWS.md
   even though the manual for SSL_CTX_get_security_level claims that it
   should not be necessary)

- Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers,
  in addition to what was set in --ssl-cipher

- ctx_buf buffer now must be aligned to 16 bytes with openssl(
  previously with WolfSSL only), ot crashes will happen

- updated aes-t , to be better debuggable
  using function, rather than a huge multiline macro
  added test that does "nopad" encryption piece-wise, to test
  replacement of EVP_CIPHER_CTX_buf_noconst

part of MDEV-28133
2022-05-23 15:27:51 +02:00

69 lines
2.7 KiB
Plaintext

create user ssl_user1@localhost require SSL;
create user ssl_user2@localhost require cipher 'AES256-SHA';
create user ssl_user3@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client';
create user ssl_user4@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client' ISSUER '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB';
create user ssl_user5@localhost require cipher 'AES256-SHA' AND SUBJECT 'xxx';
connect con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA;
connect(localhost,ssl_user2,,test,MASTER_PORT,MASTER_SOCKET);
connect con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA;
ERROR 28000: Access denied for user 'ssl_user2'@'localhost' (using password: NO)
connect con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA;
connect con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA;
connect con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA;
connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET);
connect con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA;
ERROR 28000: Access denied for user 'ssl_user5'@'localhost' (using password: NO)
connection con1;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES256-SHA
disconnect con1;
connection con2;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES256-SHA
disconnect con2;
connection con3;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES256-SHA
disconnect con3;
connection con4;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES256-SHA
disconnect con4;
connection default;
drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES256-SHA
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES128-SHA
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES128-SHA
mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxxVariable_name Value
Ssl_cipher AES256-SHA
Variable_name Value
Ssl_cipher AES128-SHA
select 'is still running; no cipher request crashed the server' as result from dual;
result
is still running; no cipher request crashed the server
create user mysqltest_1@localhost;
grant usage on mysqltest.* to mysqltest_1@localhost require cipher "AES256-SHA";
Variable_name Value
Ssl_cipher AES256-SHA
drop user mysqltest_1@localhost;
# restart: --ssl-cipher=AES128-SHA
connect ssl_con,localhost,root,,,,,SSL;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES128-SHA
SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
VARIABLE_VALUE like '%AES128-SHA%'
1
disconnect ssl_con;
connection default;