authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-07-01 18:15:00 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-07-01 18:15:00 +0000
commita2a2e32c02643a0cec111511220227703fda1cd5 (patch)
tree69cc2b631234c2a8e026b9cd4d72676c61c594df /mysql-test/main/ssl_autoverify.test
parentReleasing progress-linux version 1:10.11.8-1~progress7.99u1. (diff)
Merging upstream version 1:11.4.2.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'mysql-test/main/ssl_autoverify.test')
-rw-r--r--mysql-test/main/ssl_autoverify.test129
1 files changed, 129 insertions, 0 deletions
diff --git a/mysql-test/main/ssl_autoverify.test b/mysql-test/main/ssl_autoverify.test
new file mode 100644
index 00000000..0417f6eb
--- /dev/null
+++ b/mysql-test/main/ssl_autoverify.test
@@ -0,0 +1,129 @@
+source include/platform.inc;
+source include/not_embedded.inc;
+if (!$AUTH_ED25519_SO) {
+ skip No auth_ed25519 plugin;
+}
+if (!$DIALOG_EXAMPLES_SO) {
+ skip No dialog_examples plugin;
+}
+
+install soname 'auth_ed25519';
+install plugin three_attempts soname 'dialog_examples';
+
+create user native@'%' identified via mysql_native_password using password('foo');
+create user ed@'%' identified via ed25519 using password('bar');
+create user nohash@'%' identified via three_attempts using 'onetwothree';
+create user multi@'%' identified via mysql_native_password using password('pw1')
+ or ed25519 using password('pw2');
+grant all privileges on test.* to native@'%';
+grant all privileges on test.* to ed@'%';
+grant all privileges on test.* to nohash@'%';
+grant all privileges on test.* to multi@'%';
+
+create function have_ssl() returns char(3)
+ return (select if(variable_value > '','yes','no') as 'have_ssl'
+ from information_schema.session_status
+ where variable_name='ssl_cipher');
+
+let host=;
+if ($MTR_COMBINATION_WIN) {
+ # 127.0.0.2 (and generally 127.0.0.0/8) works on Windows the same as 127.0.0.1,
+ # i.e client can connect if server listens on IPv4 loopback
+ #
+ # We use 127.0.0.2 as it does not match any of "localhost","127.0.0.1","::1"
+ # thus it is not considered "secure transport" by the connector/C
+ let host=--host=127.0.0.2;
+}
+#
+# root user, no password, so cannot validate cert.
+#
+--echo # mysql -uroot --disable-ssl-verify-server-cert -e "select test.have_ssl()"
+--exec $MYSQL --protocol tcp -uroot --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--echo # mysql -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
+--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
+--error 1
+--exec $MYSQL --protocol tcp $host -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+#
+# except if ssl-verify-server-cert is left on default (not explicitly enabled)
+#
+--let $csd=`select @@character_sets_dir`
+--echo # mysql -uroot -e "select test.have_ssl()"
+--exec $EXE_MYSQL --no-defaults --character-sets-dir=$csd --protocol tcp $host --port $MASTER_MYPORT -uroot -e "select test.have_ssl()" 2>&1
+#
+# or unless using a secure transport, like unix_socket or named pipes
+#
+# note that SSL works over unix_socket, and it doesn't work over named pipes
+# but the connection is allowed either way, as the transport is secure
+#
+let proto=socket;
+if ($MTR_COMBINATION_WIN) {
+ let proto=pipe;
+}
+--echo # mysql --protocol $proto -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
+--exec $MYSQL --protocol $proto -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+
+#
+# same for tcp via localhost
+#
+--echo # mysql --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
+--exec $MYSQL --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+
+#
+# mysql_native_password with password works fine
+#
+--echo # mysql -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()"
+--exec $MYSQL --protocol tcp $host -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+#
+# ed25519 with password works fine
+#
+--echo # mysql -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()"
+--exec $MYSQL --protocol tcp $host -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+#
+# three_attempts uses auth string as is, doesn't hash.
+# so it's not safe over untrusted connection and thus cannot validate cert
+#
+--echo # mysql -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()"
+--exec $MYSQL --protocol tcp $host -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--echo # mysql -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()"
+--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
+--error 1
+--exec $MYSQL --protocol tcp $host -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+#
+# multi-auth case, both client and server must use
+# the same plugin for cert validation
+#
+--echo # mysql -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()"
+--exec $MYSQL --protocol tcp $host -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--echo # mysql -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()"
+--exec $MYSQL --protocol tcp $host -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+
+#
+# Now try MitM
+#
+if (!$MTR_COMBINATION_WIN) {
+let mitm_port=$MASTER_MYPORT;
+inc $mitm_port;
+--exec perl lib/ssl-mitm.pl --listen-on $mitm_port --connect-to $MASTER_MYPORT --ssl-ca std_data/cacert.pem --ssl-key std_data/server-new-key.pem --ssl-cert std_data/server-new-cert.pem
+--echo # mysql -uroot --disable-ssl-verify-server-cert -e "select 'Detecting MitM' as MitM, test.have_ssl()"
+--exec $MYSQL --port $mitm_port --disable-ssl-verify-server-cert -uroot -e "select 'Detecting MitM' as MitM, test.have_ssl()" 2>&1
+
+--exec perl lib/ssl-mitm.pl --listen-on $mitm_port --connect-to $MASTER_MYPORT --ssl-ca std_data/cacert.pem --ssl-key std_data/server-new-key.pem --ssl-cert std_data/server-new-cert.pem
+--echo # mysql -unative -pfoo --ssl-verify-server-cert -e "select 'Detecting MitM', test.have_ssl()"
+--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
+--error 1
+--exec $MYSQL --port $mitm_port -unative -pfoo --ssl-verify-server-cert -e "select 'Detecting MitM', test.have_ssl()" 2>&1
+
+--exec perl lib/ssl-mitm.pl --listen-on $mitm_port --connect-to $MASTER_MYPORT --ssl-ca std_data/cacert.pem --ssl-key std_data/server-new-key.pem --ssl-cert std_data/server-new-cert.pem
+--echo # mysql -ued -pbar --ssl-verify-server-cert -e "select 'Detecting MitM', test.have_ssl()"
+--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
+--error 1
+--exec $MYSQL --port $mitm_port -ued -pbar --ssl-verify-server-cert -e "select 'Detecting MitM', test.have_ssl()" 2>&1
+}
+
+drop function have_ssl;
+drop user native@'%';
+drop user ed@'%';
+drop user nohash@'%';
+drop user multi@'%';
+uninstall plugin ed25519;
+uninstall plugin three_attempts;
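Review bot: The teardown uninstalls `ed25519` by plugin name although it was loaded with `install soname 'auth_ed25519'`; mirroring the install with `uninstall soname 'auth_ed25519';` keeps the pair symmetric and drops everything that library registered, the way the `three_attempts` install/uninstall pair already matches. In the MitM block the first client call (`--disable-ssl-verify-server-cert` as root, no `--error`) is the only one expected to get through the interposer, which the bare `# Now try MitM` header does not say; a comment such as `# verification disabled: the client accepts the interposer's cert, so this connection is expected to succeed; the two verified logins below must fail` would make the intent readable from the test alone. Each `ssl-mitm.pl` invocation is started with `--exec` and never stopped here; if the script does not exit after the proxied session, the listener on `$mitm_port` outlives the test, so confirm its lifetime or add an explicit kill before the closing brace of the `if (!$MTR_COMBINATION_WIN)` block.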