mariadb/mysql-test/t/openssl_6975.test

#
# MDEV-6975 Implement TLS protocol
#
# test SSLv3 and TLSv1.2 ciphers when OpenSSL is restricted to SSLv3 or TLSv1.2
#
source include/have_ssl_communication.inc;
source include/require_openssl_client.inc;

# this is OpenSSL test.

create user ssl_sslv3@localhost;
# grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA";
grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA";
create user ssl_tls12@localhost;
grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";

let $mysql=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;

disable_abort_on_error;
echo TLS1.2 ciphers: user is ok with any cipher;
exec $mysql                  --ssl-cipher=AES128-SHA256;
--replace_result DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-GCM-SHA384
--replace_result ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384
exec $mysql                  --ssl-cipher=TLSv1.2
echo TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA;
exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA256;
exec $mysql --user ssl_sslv3 --ssl-cipher=TLSv1.2;
echo TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA256;
exec $mysql --user ssl_tls12 --ssl-cipher=TLSv1.2;

echo SSLv3 ciphers: user is ok with any cipher;
exec $mysql                  --ssl-cipher=AES256-SHA;
exec $mysql                  --ssl-cipher=DHE-RSA-AES256-SHA
echo SSLv3 ciphers: user requires SSLv3 cipher AES128-SHA;
exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA;
exec $mysql --user ssl_sslv3 --ssl-cipher=SSLv3;
echo SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA;
exec $mysql --user ssl_tls12 --ssl-cipher=SSLv3;

drop user ssl_sslv3@localhost;
drop user ssl_tls12@localhost;
MDEV-6975 Implement TLS protocol change SSL methods to be SSLv23 (according to openssl manpage: "A TLS/SSL connection established with these methods may understand the SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols") from TLSv1 methods, that go back to the initial SSL implementation in MySQL in 2001. OpenSSL default ciphers are different if TLSv1.2 is enabled, so tests need to take this into account. 2014-11-18 17:57:06 +01:00			`#`
			`# MDEV-6975 Implement TLS protocol`
			`#`
			`# test SSLv3 and TLSv1.2 ciphers when OpenSSL is restricted to SSLv3 or TLSv1.2`
			`#`
			`source include/have_ssl_communication.inc;`
MDEV-10332 support for OpenSSL 1.1 and LibreSSL Initial support tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL not working on Windows with native SChannel support, due to wrong cipher mapping: Latter one requires push of CONC-241 fixes. Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if the build succeeds, test cases will fail with various errors, especially when using different tls libraries or versions for client and server. 2017-03-08 17:39:47 +01:00			`source include/require_openssl_client.inc;`
MDEV-6975 Implement TLS protocol change SSL methods to be SSLv23 (according to openssl manpage: "A TLS/SSL connection established with these methods may understand the SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols") from TLSv1 methods, that go back to the initial SSL implementation in MySQL in 2001. OpenSSL default ciphers are different if TLSv1.2 is enabled, so tests need to take this into account. 2014-11-18 17:57:06 +01:00
			`# this is OpenSSL test.`

MDEV-6066: Merge new defaults from 5.6 and 5.7 (defaults changed, QC can be stopped with no-zero size) 2015-08-11 18:45:38 +02:00			`create user ssl_sslv3@localhost;`
MDEV-10332 support for OpenSSL 1.1 and LibreSSL Initial support tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL not working on Windows with native SChannel support, due to wrong cipher mapping: Latter one requires push of CONC-241 fixes. Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if the build succeeds, test cases will fail with various errors, especially when using different tls libraries or versions for client and server. 2017-03-08 17:39:47 +01:00			`# grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA";`
			`grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA";`
MDEV-6066: Merge new defaults from 5.6 and 5.7 (defaults changed, QC can be stopped with no-zero size) 2015-08-11 18:45:38 +02:00			`create user ssl_tls12@localhost;`
MDEV-6975 Implement TLS protocol change SSL methods to be SSLv23 (according to openssl manpage: "A TLS/SSL connection established with these methods may understand the SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols") from TLSv1 methods, that go back to the initial SSL implementation in MySQL in 2001. OpenSSL default ciphers are different if TLSv1.2 is enabled, so tests need to take this into account. 2014-11-18 17:57:06 +01:00			`grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";`

			`let $mysql=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;`

			`disable_abort_on_error;`
			`echo TLS1.2 ciphers: user is ok with any cipher;`
			`exec $mysql --ssl-cipher=AES128-SHA256;`
Fixed failing test cases and compiler warnings - Fixed wait condition in kill_processlist-6619 - Updated Ssl_chiper for openssl tests - Added supression for valgrinds when using libcrypto - Fixed wrong argument to pthread_mutex in server_audit.c when compiling with debug - Adding missing debug_sync_update() to debug_sync.h - Added initializers to some variables and fixed error handling in jsonudf.cpp - Fixed cluster_filter_unpack_varchar which doesn't have a stable index type. - Updated compiler_warnings.supp 2016-04-25 15:37:24 +03:00			`--replace_result DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-GCM-SHA384`
MDEV-10332 support for OpenSSL 1.1 and LibreSSL Initial support tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL not working on Windows with native SChannel support, due to wrong cipher mapping: Latter one requires push of CONC-241 fixes. Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if the build succeeds, test cases will fail with various errors, especially when using different tls libraries or versions for client and server. 2017-03-08 17:39:47 +01:00			`--replace_result ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384`
			`exec $mysql --ssl-cipher=TLSv1.2`
			`echo TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA;`
MDEV-6975 Implement TLS protocol change SSL methods to be SSLv23 (according to openssl manpage: "A TLS/SSL connection established with these methods may understand the SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols") from TLSv1 methods, that go back to the initial SSL implementation in MySQL in 2001. OpenSSL default ciphers are different if TLSv1.2 is enabled, so tests need to take this into account. 2014-11-18 17:57:06 +01:00			`exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA256;`
			`exec $mysql --user ssl_sslv3 --ssl-cipher=TLSv1.2;`
			`echo TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256;`
			`exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA256;`
			`exec $mysql --user ssl_tls12 --ssl-cipher=TLSv1.2;`

			`echo SSLv3 ciphers: user is ok with any cipher;`
MDEV-10332 support for OpenSSL 1.1 and LibreSSL Initial support tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL not working on Windows with native SChannel support, due to wrong cipher mapping: Latter one requires push of CONC-241 fixes. Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if the build succeeds, test cases will fail with various errors, especially when using different tls libraries or versions for client and server. 2017-03-08 17:39:47 +01:00			`exec $mysql --ssl-cipher=AES256-SHA;`
			`exec $mysql --ssl-cipher=DHE-RSA-AES256-SHA`
			`echo SSLv3 ciphers: user requires SSLv3 cipher AES128-SHA;`
			`exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA;`
MDEV-6975 Implement TLS protocol change SSL methods to be SSLv23 (according to openssl manpage: "A TLS/SSL connection established with these methods may understand the SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols") from TLSv1 methods, that go back to the initial SSL implementation in MySQL in 2001. OpenSSL default ciphers are different if TLSv1.2 is enabled, so tests need to take this into account. 2014-11-18 17:57:06 +01:00			`exec $mysql --user ssl_sslv3 --ssl-cipher=SSLv3;`
			`echo SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256;`
MDEV-10332 support for OpenSSL 1.1 and LibreSSL Initial support tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL not working on Windows with native SChannel support, due to wrong cipher mapping: Latter one requires push of CONC-241 fixes. Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if the build succeeds, test cases will fail with various errors, especially when using different tls libraries or versions for client and server. 2017-03-08 17:39:47 +01:00			`exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA;`
MDEV-6975 Implement TLS protocol change SSL methods to be SSLv23 (according to openssl manpage: "A TLS/SSL connection established with these methods may understand the SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols") from TLSv1 methods, that go back to the initial SSL implementation in MySQL in 2001. OpenSSL default ciphers are different if TLSv1.2 is enabled, so tests need to take this into account. 2014-11-18 17:57:06 +01:00			`exec $mysql --user ssl_tls12 --ssl-cipher=SSLv3;`

			`drop user ssl_sslv3@localhost;`
			`drop user ssl_tls12@localhost;`