summaryrefslogtreecommitdiffstats
path: root/mysql-test/main/ssl_cipher.test
blob: 0d33ec5d5e02024c28c40d420b278f618b35f251 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
#
# Various tests that require setting of a specific ssl_cipher
# which currently doesn't work in OpenSSL 1.1.1
#

--disable_query_log
CALL mtr.add_suppression("are insecure");
--enable_query_log

--source include/have_ssl_communication.inc

if (`select @@version_ssl_library like 'OpenSSL 1.1.1%'`) {
  skip OpenSSL 1.1.1;
}

create user ssl_user1@localhost require SSL;
create user ssl_user2@localhost require cipher 'AES256-SHA';
create user ssl_user3@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client';
create user ssl_user4@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client' ISSUER '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB';
create user ssl_user5@localhost require cipher 'AES256-SHA' AND SUBJECT 'xxx';

connect (con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA);
connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA);
connect (con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA);
connect (con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect (con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA);

connection con1;
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con1;
connection con2;
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con2;
connection con3;
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con3;
connection con4;
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con4;
connection default;
drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;

#
# Bug#21611 Slave can't connect when master-ssl-cipher specified
# - Apparently selecting a cipher doesn't work at all
# - Use a cipher that both WolfSSL and OpenSSL supports
#
--write_file $MYSQLTEST_VARDIR/tmp/test.sql
SHOW STATUS LIKE 'Ssl_cipher';
EOF
--exec $MYSQL_TEST --ssl-cipher=AES256-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
# Test to connect using a list of ciphers
--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER:AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
# Test to connect using a specifi cipher
--exec $MYSQL_TEST --ssl-cipher=AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
# Test to connect using an unknown cipher
--replace_regex /2026 TLS\/SSL error.*/2026 TLS\/SSL error: xxxx/
--error 1
--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
--remove_file $MYSQLTEST_VARDIR/tmp/test.sql

#
# Bug#39172 Asking for DH+non-RSA key with server set to use other key caused
#           YaSSL to crash the server.
#

# Common ciphers to openssl and yassl
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES256-SHA
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES128-SHA
--disable_query_log
--disable_result_log

# Below here caused crashes.  ################
--error 0,1
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=NOT----EXIST
# These probably exist but the server's keys can't be used to accept these kinds of connections.
--error 0,1
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=AES128-RMD

# If this gives a result, then the bug is fixed.
--enable_result_log
--enable_query_log
select 'is still running; no cipher request crashed the server' as result from dual;

#
# MDEV-10054 Secure login fails when CIPHER is required
#
create user mysqltest_1@localhost;
grant usage on mysqltest.* to mysqltest_1@localhost require cipher "AES256-SHA";
--exec $MYSQL -umysqltest_1 --ssl-cipher=AES256-SHA -e "show status like 'ssl_cipher'" 2>&1
drop user mysqltest_1@localhost;

#
# BUG#11760210 - SSL_CIPHER_LIST NOT SET OR RETURNED FOR "SHOW STATUS LIKE 'SSL_CIPHER_LIST'"
# it was a bug in yaSSL, fixed in d2e36e4258bb
#
let $restart_parameters=--ssl-cipher=AES128-SHA;
source include/restart_mysqld.inc;
connect (ssl_con,localhost,root,,,,,SSL);
SHOW STATUS LIKE 'Ssl_cipher';
SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
disconnect ssl_con;
connection default;

# MDEV-31369 Disable TLS v1.0 and 1.1 for MariaDB
call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
--let SEARCH_FILE=$MYSQLTEST_VARDIR/log/mysqld.1.err
--let SEARCH_PATTERN= TLSv1.0 and TLSv1.1 are insecure
--source include/search_pattern_in_file.inc