Add MTR to verify behavior on incompatible TLS configuration

Add a simple test to verify the server behaves in a safe manner if configured with ciphers that aren't compatible with the server certificate. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2025-01-15 19:42:28 +01:00 · 2024-09-20 02:59:10 +00:00 · 2024-09-20 02:59:10 +00:00 · 28b2958082
commit 28b2958082
parent 2294ecdf0e
2 changed files with 20 additions and 0 deletions
--- a/mysql-test/main/ssl_cipher.result
+++ b/mysql-test/main/ssl_cipher.result
@ -68,3 +68,6 @@ disconnect ssl_con;
 connection default;
 call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
 FOUND 2 /TLSv1.0 and TLSv1.1 are insecure/ in mysqld.1.err
+# restart: --ssl-cipher=ECDHE-ECDSA-AES128-GCM-SHA256
+Variable_name	Value
+Ssl_version	
--- a/mysql-test/main/ssl_cipher.test
+++ b/mysql-test/main/ssl_cipher.test
@ -112,3 +112,20 @@ call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
 --let SEARCH_FILE=$MYSQLTEST_VARDIR/log/mysqld.1.err
 --let SEARCH_PATTERN= TLSv1.0 and TLSv1.1 are insecure
 --source include/search_pattern_in_file.inc
+
+#
+# Server is configured with ciphers that are not compatible with the server certificate (std_data/cacert.pem is RSA)
+#
+let $restart_parameters=--ssl-cipher=ECDHE-ECDSA-AES128-GCM-SHA256;
+source include/restart_mysqld.inc;
+
+# Connections are rejected as client attempts tls by default
+--error 1
+--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'ssl_version'"
+
+# Connections are rejected if client explicitly specifies tls
+--error 1
+--exec $MYSQL --host=localhost --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-verify-server-cert -e "SHOW STATUS LIKE 'ssl_version'"
+
+# Connections can be made with --skip-ssl
+--exec $MYSQL --host=localhost --skip-ssl -e "SHOW STATUS LIKE 'ssl_version'"