Diffstat (limited to 'mysql-test/main/ssl_cipher.test')
-rw-r--r-- | mysql-test/main/ssl_cipher.test | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/mysql-test/main/ssl_cipher.test b/mysql-test/main/ssl_cipher.test
new file mode 100644
index 00000000..0d33ec5d
--- /dev/null
+++ b/mysql-test/main/ssl_cipher.test
@@ -0,0 +1,114 @@
+#
+# Various tests that require setting of a specific ssl_cipher
+# which currently doesn't work in OpenSSL 1.1.1
+#
+
+--disable_query_log
+CALL mtr.add_suppression("are insecure");
+--enable_query_log
+
+--source include/have_ssl_communication.inc
+
+if (`select @@version_ssl_library like 'OpenSSL 1.1.1%'`) {
+ skip OpenSSL 1.1.1;
+}
+
+create user ssl_user1@localhost require SSL;
+create user ssl_user2@localhost require cipher 'AES256-SHA';
+create user ssl_user3@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client';
+create user ssl_user4@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client' ISSUER '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB';
+create user ssl_user5@localhost require cipher 'AES256-SHA' AND SUBJECT 'xxx';
+
+connect (con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA);
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+--error ER_ACCESS_DENIED_ERROR
+connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA);
+connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA);
+connect (con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA);
+connect (con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA);
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+--error ER_ACCESS_DENIED_ERROR
+connect (con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA);
+
+connection con1;
+SHOW STATUS LIKE 'Ssl_cipher';
+disconnect con1;
+connection con2;
+SHOW STATUS LIKE 'Ssl_cipher';
+disconnect con2;
+connection con3;
+SHOW STATUS LIKE 'Ssl_cipher';
+disconnect con3;
+connection con4;
+SHOW STATUS LIKE 'Ssl_cipher';
+disconnect con4;
+connection default;
+drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
+
+#
+# Bug#21611 Slave can't connect when master-ssl-cipher specified
+# - Apparently selecting a cipher doesn't work at all
+# - Use a cipher that both WolfSSL and OpenSSL supports
+#
+--write_file $MYSQLTEST_VARDIR/tmp/test.sql
+SHOW STATUS LIKE 'Ssl_cipher';
+EOF
+--exec $MYSQL_TEST --ssl-cipher=AES256-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
+# Test to connect using a list of ciphers
+--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER:AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
+# Test to connect using a specifi cipher
+--exec $MYSQL_TEST --ssl-cipher=AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
+# Test to connect using an unknown cipher
+--replace_regex /2026 TLS\/SSL error.*/2026 TLS\/SSL error: xxxx/
+--error 1
+--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
+--remove_file $MYSQLTEST_VARDIR/tmp/test.sql
+
+#
+# Bug#39172 Asking for DH+non-RSA key with server set to use other key caused
+# YaSSL to crash the server.
+#
+
+# Common ciphers to openssl and yassl
+--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES256-SHA
+--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES128-SHA
+--disable_query_log
+--disable_result_log
+
+# Below here caused crashes. ################
+--error 0,1
+--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=NOT----EXIST
+# These probably exist but the server's keys can't be used to accept these kinds of connections.
+--error 0,1
+--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=AES128-RMD
+
+# If this gives a result, then the bug is fixed.
+--enable_result_log
+--enable_query_log
+select 'is still running; no cipher request crashed the server' as result from dual;
+
+#
+# MDEV-10054 Secure login fails when CIPHER is required
+#
+create user mysqltest_1@localhost;
+grant usage on mysqltest.* to mysqltest_1@localhost require cipher "AES256-SHA";
+--exec $MYSQL -umysqltest_1 --ssl-cipher=AES256-SHA -e "show status like 'ssl_cipher'" 2>&1
+drop user mysqltest_1@localhost;
+
+#
+# BUG#11760210 - SSL_CIPHER_LIST NOT SET OR RETURNED FOR "SHOW STATUS LIKE 'SSL_CIPHER_LIST'"
+# it was a bug in yaSSL, fixed in d2e36e4258bb
+#
+let $restart_parameters=--ssl-cipher=AES128-SHA;
+source include/restart_mysqld.inc;
+connect (ssl_con,localhost,root,,,,,SSL);
+SHOW STATUS LIKE 'Ssl_cipher';
+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
+disconnect ssl_con;
+connection default;
+
+# MDEV-31369 Disable TLS v1.0 and 1.1 for MariaDB
+call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
+--let SEARCH_FILE=$MYSQLTEST_VARDIR/log/mysqld.1.err
+--let SEARCH_PATTERN= TLSv1.0 and TLSv1.1 are insecure
+--source include/search_pattern_in_file.inc |
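Review bot: The suppression `CALL mtr.add_suppression("are insecure");` near the top of the file matches any error-log line containing that phrase, so it would also hide unrelated server warnings about insecure settings, not only the TLS one this test expects. The MDEV-31369 block at the end already registers the specific pattern `call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");`, which looks sufficient on its own. If the early call is there for a different message, name that message in the pattern and add a one-line comment saying which warning it covers; otherwise drop it and keep only the specific one. Narrow suppressions matter in a TLS test because the error log is where a weak-protocol or weak-cipher regression would first show up.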