mirror of
https://github.com/MariaDB/server.git
synced 2025-10-19 14:12:12 +02:00
eeb00ceffd
Follow-up patch with adjustments of test files and updates of result files for tests. Some of tests were rewritten slighlty. Everywhere where common pattern used: ----- CREATE USER userA; --connect con1 ... userA ... <sql statements...> --disconnect con1 DROP USER userA; ----- the DROP USER statement has been eclosed into the directive --disable_warnings --enable_warnings This change is caused by the race conddition between --disconnect and DROP USER since a number of currently running sessions established on behalf the user being dropped is counted by holding the rw_lock THD_list_iterator::lock that is not acquired on execution the DROP USER statement but the lock is taken as the last step on handling disconnection (when the client is already sending the next statement). Therefore, for the cases where the command --disconnect precedes the DROP USER statement we hide the possible warnings about presence of active sessions for the user being deleted to make tests deterministic.
133 lines
5.2 KiB
Text
133 lines
5.2 KiB
Text
#
|
|
# Various tests that require setting of a specific ssl_cipher
|
|
# which currently doesn't work in OpenSSL 1.1.1
|
|
#
|
|
|
|
--disable_query_log
|
|
CALL mtr.add_suppression("are insecure");
|
|
--enable_query_log
|
|
|
|
--source include/have_ssl_communication.inc
|
|
|
|
if (`select @@version_ssl_library like 'OpenSSL 1.1.1%'`) {
|
|
skip OpenSSL 1.1.1;
|
|
}
|
|
|
|
create user ssl_user1@localhost require SSL;
|
|
create user ssl_user2@localhost require cipher 'AES256-SHA';
|
|
create user ssl_user3@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client';
|
|
create user ssl_user4@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client' ISSUER '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB';
|
|
create user ssl_user5@localhost require cipher 'AES256-SHA' AND SUBJECT 'xxx';
|
|
|
|
connect (con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA);
|
|
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
|
|
--error ER_ACCESS_DENIED_ERROR
|
|
connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA);
|
|
connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA);
|
|
connect (con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA);
|
|
connect (con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA);
|
|
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
|
|
--error ER_ACCESS_DENIED_ERROR
|
|
connect (con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA);
|
|
|
|
connection con1;
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
disconnect con1;
|
|
connection con2;
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
disconnect con2;
|
|
connection con3;
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
disconnect con3;
|
|
connection con4;
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
disconnect con4;
|
|
connection default;
|
|
--disable_warnings
|
|
drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
|
|
--enable_warnings
|
|
|
|
#
|
|
# Bug#21611 Slave can't connect when master-ssl-cipher specified
|
|
# - Apparently selecting a cipher doesn't work at all
|
|
# - Use a cipher that both WolfSSL and OpenSSL supports
|
|
#
|
|
--write_file $MYSQLTEST_VARDIR/tmp/test.sql
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
EOF
|
|
--exec $MYSQL_TEST --ssl-cipher=AES256-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
|
|
# Test to connect using a list of ciphers
|
|
--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER:AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
|
|
# Test to connect using a specific cipher
|
|
--exec $MYSQL_TEST --ssl-cipher=AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
|
|
# Test to connect using an unknown cipher
|
|
--replace_regex /2026 TLS\/SSL error.*/2026 TLS\/SSL error: xxxx/
|
|
--error 1
|
|
--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
|
|
--remove_file $MYSQLTEST_VARDIR/tmp/test.sql
|
|
|
|
#
|
|
# Bug#39172 Asking for DH+non-RSA key with server set to use other key caused
|
|
# YaSSL to crash the server.
|
|
#
|
|
|
|
# Common ciphers to openssl and yassl
|
|
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES256-SHA
|
|
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES128-SHA
|
|
--disable_query_log
|
|
--disable_result_log
|
|
|
|
# Below here caused crashes. ################
|
|
--error 0,1
|
|
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=NOT----EXIST
|
|
# These probably exist but the server's keys can't be used to accept these kinds of connections.
|
|
--error 0,1
|
|
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=AES128-RMD
|
|
|
|
# If this gives a result, then the bug is fixed.
|
|
--enable_result_log
|
|
--enable_query_log
|
|
select 'is still running; no cipher request crashed the server' as result from dual;
|
|
|
|
#
|
|
# MDEV-10054 Secure login fails when CIPHER is required
|
|
#
|
|
create user mysqltest_1@localhost;
|
|
grant usage on mysqltest.* to mysqltest_1@localhost require cipher "AES256-SHA";
|
|
--exec $MYSQL -umysqltest_1 --ssl-cipher=AES256-SHA -e "show status like 'ssl_cipher'" 2>&1
|
|
drop user mysqltest_1@localhost;
|
|
|
|
#
|
|
# BUG#11760210 - SSL_CIPHER_LIST NOT SET OR RETURNED FOR "SHOW STATUS LIKE 'SSL_CIPHER_LIST'"
|
|
# it was a bug in yaSSL, fixed in d2e36e4258bb
|
|
#
|
|
let $restart_parameters=--ssl-cipher=AES128-SHA;
|
|
source include/restart_mysqld.inc;
|
|
connect (ssl_con,localhost,root,,,,,SSL);
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
|
|
disconnect ssl_con;
|
|
connection default;
|
|
|
|
# MDEV-31369 Disable TLS v1.0 and 1.1 for MariaDB
|
|
call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
|
|
--let SEARCH_FILE=$MYSQLTEST_VARDIR/log/mysqld.1.err
|
|
--let SEARCH_PATTERN= TLSv1.0 and TLSv1.1 are insecure
|
|
--source include/search_pattern_in_file.inc
|
|
|
|
#
|
|
# Server is configured with ciphers that are not compatible with the server certificate (std_data/cacert.pem is RSA)
|
|
#
|
|
let $restart_parameters=--ssl-cipher=ECDHE-ECDSA-AES128-GCM-SHA256;
|
|
source include/restart_mysqld.inc;
|
|
|
|
# Connections are rejected as client attempts tls by default
|
|
--error 1
|
|
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'ssl_version'"
|
|
|
|
# Connections are rejected if client explicitly specifies tls
|
|
--error 1
|
|
--exec $MYSQL --host=localhost --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-verify-server-cert -e "SHOW STATUS LIKE 'ssl_version'"
|
|
|
|
# Connections can be made with --skip-ssl
|
|
--exec $MYSQL --host=localhost --skip-ssl -e "SHOW STATUS LIKE 'ssl_version'"
|