summaryrefslogtreecommitdiffstats
path: root/mysql-test/main/openssl_1.test
blob: 9232868bddd6b6c31f19d7b64a979a8d88f8b810 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
# Needed for mysqldump
--source include/have_utf8mb4.inc
--source include/not_asan.inc

# Tests for SSL connections, only run if mysqld is compiled
# with support for SSL.

-- source include/have_ssl_communication.inc

# Save the initial number of concurrent sessions
--source include/count_sessions.inc

set local sql_mode="";
set global sql_mode="";

--disable_warnings
drop table if exists t1;
--enable_warnings
create table t1(f1 int);
insert into t1 values (5);

grant select on test.* to ssl_user1@localhost require SSL;
grant select on test.* to ssl_user3@localhost require SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client";
grant select on test.* to ssl_user4@localhost require SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client" ISSUER "/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB";
grant select on test.* to ssl_user5@localhost require SUBJECT "xxx";
flush privileges;

connect (con1,localhost,ssl_user1,,,,,SSL);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
connect (con3,localhost,ssl_user3,,,,,SSL);
connect (con4,localhost,ssl_user4,,,,,SSL);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect (con5,localhost,ssl_user5,,,,,SSL);

connection con1;
# Check ssl turned on
SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
select * from t1;
--error ER_TABLEACCESS_DENIED_ERROR
delete from t1;

connection con3;
# Check ssl turned on
SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
select * from t1;
--error ER_TABLEACCESS_DENIED_ERROR
delete from t1;

connection con4;
# Check ssl turned on
SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
select * from t1;
--error ER_TABLEACCESS_DENIED_ERROR
delete from t1;

connection default;
disconnect con1;
disconnect con3;
disconnect con4;
drop user ssl_user1@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;

drop table t1;

# End of 4.1 tests

#
# Test that we can't open connection to server if we are using
# a different cacert
#
--exec echo "this query should not execute;" > $MYSQLTEST_VARDIR/tmp/test.sql
# Handle that openssl gives different error messages from YaSSL.
--replace_regex /2026 TLS\/SSL error.*/2026 TLS\/SSL error: xxxx/
--error 1
--exec $MYSQL_TEST --ssl-verify-server-cert --ssl-ca=$MYSQL_TEST_DIR/std_data/untrusted-cacert.pem --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
--echo

#
# Test that we can't open connection to server if we are using
# a blank ca
#
--replace_regex /2026 TLS\/SSL error.*/2026 TLS\/SSL error: xxxx/
--error 1
--exec $MYSQL_TEST --ssl-ca= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
--echo

#
# Test that we can't open connection to server if we are using
# a nonexistent ca file
#
--replace_regex /2026 TLS\/SSL error.*/2026 TLS\/SSL error: xxxx/
--error 1
--exec $MYSQL_TEST --ssl-ca=nonexisting_file.pem --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
--echo

#
# Test that we can't open connection to server if we are using
# a blank client-key
#
--replace_regex /2026 TLS\/SSL error.*/2026 TLS\/SSL error: xxxx/
--error 1
--exec $MYSQL_TEST --ssl-key= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
--echo

#
# Test that we can't open connection to server if we are using
# a blank client-cert
#
--replace_regex /2026 TLS\/SSL error.*/2026 TLS\/SSL error: xxxx/
--error 1
--exec $MYSQL_TEST --ssl-cert= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
--echo

#
# Bug#25309 SSL connections without CA certificate broken since MySQL 5.0.23
#
# Test that we can open encrypted connection to server without
# verification of servers certificate by setting both ca certificate
# and ca path to NULL
#
--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher'" 2>&1
--echo End of 5.0 tests

#
# Bug#26174 Server Crash: INSERT ... SELECT ... FROM I_S.GLOBAL_STATUS in
# Event (see also information_schema.test for the other part of test for
# this bug).
#
--disable_warnings
DROP TABLE IF EXISTS thread_status;
DROP EVENT IF EXISTS event_status;
--enable_warnings

SET GLOBAL event_scheduler=1;

DELIMITER $$;

CREATE EVENT event_status
 ON SCHEDULE AT NOW()
 ON COMPLETION NOT PRESERVE
 DO
BEGIN
  CREATE TABLE thread_status
  SELECT variable_name, variable_value
  FROM information_schema.session_status
  WHERE variable_name LIKE 'SSL_ACCEPTS' OR
  variable_name LIKE 'SSL_CALLBACK_CACHE_HITS';
END$$

DELIMITER ;$$

let $wait_condition=select count(*) = 0 from information_schema.events where event_name='event_status';
--source include/wait_condition.inc

# The actual value doesn't matter and can vary based on test ordering and on ssl library.
--replace_column 2 #
SELECT variable_name, variable_value FROM thread_status;

DROP TABLE thread_status;
SET GLOBAL event_scheduler=0;

#
# Bug#27669 mysqldump: SSL connection error when trying to connect
#

CREATE TABLE t1(a int);
INSERT INTO t1 VALUES (1), (2);

# Run mysqldump
--exec $MYSQL_DUMP --default-character-set=utf8mb4 --skip-create-options --skip-comments --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test t1

--exec $MYSQL_DUMP --default-character-set=utf8mb4 --skip-create-options --skip-comments --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test

--exec $MYSQL_DUMP --default-character-set=utf8mb4 --skip-create-options --skip-comments --ssl --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test

# With wrong parameters
--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR $MYSQL_DUMP mariadb-dump .\exe ''
--replace_regex /TLS\/SSL error.*/TLS\/SSL error: xxxx/
--error 2
--exec $MYSQL_DUMP --default-character-set=utf8mb4 --skip-create-options --skip-comments --ssl --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test 2>&1
--echo
DROP TABLE t1;
--remove_file $MYSQLTEST_VARDIR/tmp/test.sql

#
# Bug#42158: leak: SSL_get_peer_certificate() doesn't have matching X509_free()
#

GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509;
FLUSH PRIVILEGES;
connect(con1,localhost,bug42158,,,,,SSL);
SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
disconnect con1;
connection default;
DROP USER bug42158@localhost;

set global sql_mode=default;
--echo End of 5.1 tests

#
# MDEV-9605 mysqlbinlog does not accept ssl-ca option as expected.
#

--replace_regex /TLS\/SSL error:.*/TLS\/SSL error/
--error 1
--exec $MYSQL_BINLOG --read-from-remote-server --ssl-ca --user=root --host=localhost nobinlog.111111 2>&1

# Wait till we reached the initial number of concurrent sessions
--source include/wait_until_count_sessions.inc