mariadb/mysql-test/main/ssl_cipher.test

#
# Various tests that require setting of a specific ssl_cipher
# which currently doesn't work in OpenSSL 1.1.1
#

--disable_query_log
CALL mtr.add_suppression("are insecure");
--enable_query_log

--source include/have_ssl_communication.inc

if (`select @@version_ssl_library like 'OpenSSL 1.1.1%'`) {
  skip OpenSSL 1.1.1;
}

create user ssl_user1@localhost require SSL;
create user ssl_user2@localhost require cipher 'AES256-SHA';
create user ssl_user3@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client';
create user ssl_user4@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client' ISSUER '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB';
create user ssl_user5@localhost require cipher 'AES256-SHA' AND SUBJECT 'xxx';

connect (con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA);
connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA);
connect (con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA);
connect (con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect (con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA);

connection con1;
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con1;
connection con2;
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con2;
connection con3;
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con3;
connection con4;
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con4;
connection default;
drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;

#
# Bug#21611 Slave can't connect when master-ssl-cipher specified
# - Apparently selecting a cipher doesn't work at all
# - Use a cipher that both WolfSSL and OpenSSL supports
#
--write_file $MYSQLTEST_VARDIR/tmp/test.sql
SHOW STATUS LIKE 'Ssl_cipher';
EOF
--exec $MYSQL_TEST --ssl-cipher=AES256-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
# Test to connect using a list of ciphers
--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER:AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
# Test to connect using a specifi cipher
--exec $MYSQL_TEST --ssl-cipher=AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
# Test to connect using an unknown cipher
--replace_regex /2026 TLS\/SSL error.*/2026 TLS\/SSL error: xxxx/
--error 1
--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
--remove_file $MYSQLTEST_VARDIR/tmp/test.sql

#
# Bug#39172 Asking for DH+non-RSA key with server set to use other key caused
#           YaSSL to crash the server.
#

# Common ciphers to openssl and yassl
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES256-SHA
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES128-SHA
--disable_query_log
--disable_result_log

# Below here caused crashes.  ################
--error 0,1
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=NOT----EXIST
# These probably exist but the server's keys can't be used to accept these kinds of connections.
--error 0,1
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=AES128-RMD

# If this gives a result, then the bug is fixed.
--enable_result_log
--enable_query_log
select 'is still running; no cipher request crashed the server' as result from dual;

#
# MDEV-10054 Secure login fails when CIPHER is required
#
create user mysqltest_1@localhost;
grant usage on mysqltest.* to mysqltest_1@localhost require cipher "AES256-SHA";
--exec $MYSQL -umysqltest_1 --ssl-cipher=AES256-SHA -e "show status like 'ssl_cipher'" 2>&1
drop user mysqltest_1@localhost;

#
# BUG#11760210 - SSL_CIPHER_LIST NOT SET OR RETURNED FOR "SHOW STATUS LIKE 'SSL_CIPHER_LIST'"
# it was a bug in yaSSL, fixed in d2e36e4258bb
#
let $restart_parameters=--ssl-cipher=AES128-SHA;
source include/restart_mysqld.inc;
connect (ssl_con,localhost,root,,,,,SSL);
SHOW STATUS LIKE 'Ssl_cipher';
SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
disconnect ssl_con;
connection default;

# MDEV-31369 Disable TLS v1.0 and 1.1 for MariaDB
call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
--let SEARCH_FILE=$MYSQLTEST_VARDIR/log/mysqld.1.err
--let SEARCH_PATTERN= TLSv1.0 and TLSv1.1 are insecure
--source include/search_pattern_in_file.inc

#
# Server is configured with ciphers that are not compatible with the server certificate (std_data/cacert.pem is RSA)
#
let $restart_parameters=--ssl-cipher=ECDHE-ECDSA-AES128-GCM-SHA256;
source include/restart_mysqld.inc;

# Connections are rejected as client attempts tls by default
--error 1
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'ssl_version'"

# Connections are rejected if client explicitly specifies tls
--error 1
--exec $MYSQL --host=localhost --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-verify-server-cert -e "SHOW STATUS LIKE 'ssl_version'"

# Connections can be made with --skip-ssl
--exec $MYSQL --host=localhost --skip-ssl -e "SHOW STATUS LIKE 'ssl_version'"