From 28b295808281a882ca3a2be223973eb2475ac656 Mon Sep 17 00:00:00 2001
From: Tony Chen
Date: Fri, 20 Sep 2024 02:59:10 +0000
Subject: [PATCH] Add MTR to verify behavior on incompatible TLS configuration

Add a simple test to verify the server behaves in a safe manner if configured with ciphers that aren't compatible with the server certificate.

All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
---
 mysql-test/main/ssl_cipher.result | 3 +++
 mysql-test/main/ssl_cipher.test | 17 +++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/mysql-test/main/ssl_cipher.result b/mysql-test/main/ssl_cipher.result
index d549ec7d2b4..c6a6a0d94d5 100644
--- a/mysql-test/main/ssl_cipher.result
+++ b/mysql-test/main/ssl_cipher.result
@@ -68,3 +68,6 @@ disconnect ssl_con;
 connection default;
 call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
 FOUND 2 /TLSv1.0 and TLSv1.1 are insecure/ in mysqld.1.err
+# restart: --ssl-cipher=ECDHE-ECDSA-AES128-GCM-SHA256
+Variable_name Value
+Ssl_version
diff --git a/mysql-test/main/ssl_cipher.test b/mysql-test/main/ssl_cipher.test
index 0d33ec5d5e0..62e9a90d915 100644
--- a/mysql-test/main/ssl_cipher.test
+++ b/mysql-test/main/ssl_cipher.test
@@ -112,3 +112,20 @@ call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
 --let SEARCH_FILE=$MYSQLTEST_VARDIR/log/mysqld.1.err
 --let SEARCH_PATTERN= TLSv1.0 and TLSv1.1 are insecure
 --source include/search_pattern_in_file.inc
+
+#
+# Server is configured with ciphers that are not compatible with the server certificate (std_data/cacert.pem is RSA)
+#
+let $restart_parameters=--ssl-cipher=ECDHE-ECDSA-AES128-GCM-SHA256;
+source include/restart_mysqld.inc;
+
+# Connections are rejected as client attempts tls by default
+--error 1
+--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'ssl_version'"
+
+# Connections are rejected if client explicitly specifies tls
+--error 1
+--exec $MYSQL --host=localhost --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-verify-server-cert -e "SHOW STATUS LIKE 'ssl_version'"
+
+# Connections can be made with --skip-ssl
+--exec $MYSQL --host=localhost --skip-ssl -e "SHOW STATUS LIKE 'ssl_version'"
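Review bot: `--error 1` on the two rejected `--exec` lines only pins the client's exit status, so the test passes whether the connection fails because the ECDSA-only cipher list cannot be negotiated against the RSA server certificate or for an unrelated reason (a client option being rejected, or the server not accepting connections at all). The hunk's own context shows the `search_pattern_in_file.inc` idiom, so after the first rejected `--exec` the failure reason can be pinned to the server log with `--let SEARCH_FILE=$MYSQLTEST_VARDIR/log/mysqld.1.err`, `--let SEARCH_PATTERN=<handshake failure message as logged by the server, placeholder>` and `--source include/search_pattern_in_file.inc` (the exact message must be taken from a local run and will likely need a matching `mtr.add_suppression`). The comment `# Connections are rejected as client attempts tls by default` presumably holds only for client versions that default to TLS; stating that dependency in the comment would save the next reader a surprise if the test is ported. Also, the new `let` and `source` lines mix styles with the surrounding `--let`/`--source` form; `--let $restart_parameters=--ssl-cipher=ECDHE-ECDSA-AES128-GCM-SHA256` and `--source include/restart_mysqld.inc` would match the rest of the file.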