mariadb/mysql-test/main/ssl_autoverify,win.rdiff

--- ssl_autoverify.result	2024-02-08 23:55:13.779166100 +0100
+++ ssl_autoverify,win.reject	2024-02-08 23:55:46.988212400 +0100
@@ -22,9 +22,9 @@
 WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.
 test.have_ssl()
 yes
-# mysql --protocol socket -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
+# mysql --protocol pipe -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
 test.have_ssl()
-yes
+no
 # mysql --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
 test.have_ssl()
 yes
@@ -45,16 +45,6 @@
 # mysql -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()"
 test.have_ssl()
 yes
->> MitM active <<
-# mysql -uroot --disable-ssl-verify-server-cert -e "select 'Detecting MitM' as MitM, test.have_ssl()"
-MitM	test.have_ssl()
-No MitM found!	yes
->> MitM active <<
-# mysql -unative -pfoo --ssl-verify-server-cert -e "select 'Detecting MitM', test.have_ssl()"
-ERROR 2026 (HY000): TLS/SSL error: Failed to verify the server certificate
->> MitM active <<
-# mysql -ued -pbar --ssl-verify-server-cert -e "select 'Detecting MitM', test.have_ssl()"
-ERROR 2026 (HY000): TLS/SSL error: Failed to verify the server certificate
 drop function have_ssl;
 drop user native@'%';
 drop user ed@'%';
MDEV-33430 - Fix self-signed certificate errors on Windows Adjust test after fixing the C/C. On Windows, use --host=127.0.0.2 to fake "insecure" transport with TCP connection for test purposes. 127.0.0.2 is loopback address, that can be used instead of usual 127.0.0.1 Unfortunately, this technique does not work on all nixes the same, notably neither on BSDs nor Solaris. Thus default --host=localhost remains "insecure" transport,when TCP is used. but it is not that critical, the "self-signed" is not nearly as annoying on nixes as it is on Windows. 2024-02-09 02:18:32 +01:00			`--- ssl_autoverify.result 2024-02-08 23:55:13.779166100 +0100`
			`+++ ssl_autoverify,win.reject 2024-02-08 23:55:46.988212400 +0100`
			`@@ -22,9 +22,9 @@`
auto-disable --ssl-verify-server-cert in clients, if * --ssl-verify-server-cert was not enabled explicitly, and * CA was not specified, and * fingerprint was not specified, and * protocol is TCP, and * no password was provided insecure passwordless logins are common in test environment, let's not break them. practically, it hardly makes sense to have strong MitM protection if an attacker can simply login without a password. Covers mariadb, mariadb-admin, mariadb-binlog, mariadb-dump 2023-09-15 12:33:52 +02:00			`WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.`
			`test.have_ssl()`
MDEV-31855 validate ssl certificates using client password if the client enabled --ssl-verify-server-cert, then the server certificate is verified as follows: * if --ssl-ca or --ssl-capath were specified, the cert must have a proper signature by the specified CA (or CA in the path) and the cert's hostname must match the server's hostname. If the cert isn't signed or a hostname is wrong - the connection is aborted. * if MARIADB_OPT_TLS_PEER_FP was used and the fingerprint matches, the connection is allowed, if it doesn't match - aborted. * If the connection uses unix socket or named pipes - it's allowed. (consistent with server's --require-secure-transport behavior) otherwise the cert is still in doubt, we don't know if we can trust it or there's an active MitM in progress. * If the user has provided no password or the server requested an authentication plugin that sends the password in cleartext - the connection is aborted. * Perform the authentication. If the server accepts the password, it'll send SHA2(scramble \|\| password hash \|\| cert fingerprint) with the OK packet. * Verify the SHA2 digest, if it matches - the connection is allowed, otherwise it's aborted. 2023-08-21 16:25:56 +02:00			`yes`
			`-# mysql --protocol socket -uroot --ssl-verify-server-cert -e "select test.have_ssl()"`
			`+# mysql --protocol pipe -uroot --ssl-verify-server-cert -e "select test.have_ssl()"`
			`test.have_ssl()`
			`-yes`
			`+no`
MDEV-33430 - Fix self-signed certificate errors on Windows Adjust test after fixing the C/C. On Windows, use --host=127.0.0.2 to fake "insecure" transport with TCP connection for test purposes. 127.0.0.2 is loopback address, that can be used instead of usual 127.0.0.1 Unfortunately, this technique does not work on all nixes the same, notably neither on BSDs nor Solaris. Thus default --host=localhost remains "insecure" transport,when TCP is used. but it is not that critical, the "self-signed" is not nearly as annoying on nixes as it is on Windows. 2024-02-09 02:18:32 +01:00			`# mysql --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()"`
MDEV-31855 validate ssl certificates using client password if the client enabled --ssl-verify-server-cert, then the server certificate is verified as follows: * if --ssl-ca or --ssl-capath were specified, the cert must have a proper signature by the specified CA (or CA in the path) and the cert's hostname must match the server's hostname. If the cert isn't signed or a hostname is wrong - the connection is aborted. * if MARIADB_OPT_TLS_PEER_FP was used and the fingerprint matches, the connection is allowed, if it doesn't match - aborted. * If the connection uses unix socket or named pipes - it's allowed. (consistent with server's --require-secure-transport behavior) otherwise the cert is still in doubt, we don't know if we can trust it or there's an active MitM in progress. * If the user has provided no password or the server requested an authentication plugin that sends the password in cleartext - the connection is aborted. * Perform the authentication. If the server accepts the password, it'll send SHA2(scramble \|\| password hash \|\| cert fingerprint) with the OK packet. * Verify the SHA2 digest, if it matches - the connection is allowed, otherwise it's aborted. 2023-08-21 16:25:56 +02:00			`test.have_ssl()`
			`yes`
MDEV-33430 - Fix self-signed certificate errors on Windows Adjust test after fixing the C/C. On Windows, use --host=127.0.0.2 to fake "insecure" transport with TCP connection for test purposes. 127.0.0.2 is loopback address, that can be used instead of usual 127.0.0.1 Unfortunately, this technique does not work on all nixes the same, notably neither on BSDs nor Solaris. Thus default --host=localhost remains "insecure" transport,when TCP is used. but it is not that critical, the "self-signed" is not nearly as annoying on nixes as it is on Windows. 2024-02-09 02:18:32 +01:00			`@@ -45,16 +45,6 @@`
test SSL MitM attack verify that --ssl-verify-server-cert detects cert mismatch, but with --disable-ssl-verify-server-cert the connection succeeds 2023-08-22 22:49:14 +02:00			`# mysql -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()"`
			`test.have_ssl()`
			`yes`
			`->> MitM active <<`
			`-# mysql -uroot --disable-ssl-verify-server-cert -e "select 'Detecting MitM' as MitM, test.have_ssl()"`
			`-MitM test.have_ssl()`
			`-No MitM found! yes`
			`->> MitM active <<`
			`-# mysql -unative -pfoo --ssl-verify-server-cert -e "select 'Detecting MitM', test.have_ssl()"`
			`-ERROR 2026 (HY000): TLS/SSL error: Failed to verify the server certificate`
			`->> MitM active <<`
			`-# mysql -ued -pbar --ssl-verify-server-cert -e "select 'Detecting MitM', test.have_ssl()"`
			`-ERROR 2026 (HY000): TLS/SSL error: Failed to verify the server certificate`
			`drop function have_ssl;`
			`drop user native@'%';`
			`drop user ed@'%';`