mirror of
https://github.com/MariaDB/server.git
synced 2025-02-10 23:45:34 +01:00
![Tony Chen](/assets/img/avatar_default.png)
Add a simple test to verify the server behaves in a safe manner if configured with ciphers that aren't compatible with the server certificate. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
73 lines
2.9 KiB
Text
73 lines
2.9 KiB
Text
create user ssl_user1@localhost require SSL;
|
|
create user ssl_user2@localhost require cipher 'AES256-SHA';
|
|
create user ssl_user3@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client';
|
|
create user ssl_user4@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client' ISSUER '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB';
|
|
create user ssl_user5@localhost require cipher 'AES256-SHA' AND SUBJECT 'xxx';
|
|
connect con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA;
|
|
connect(localhost,ssl_user2,,test,MASTER_PORT,MASTER_SOCKET);
|
|
connect con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA;
|
|
ERROR 28000: Access denied for user 'ssl_user2'@'localhost' (using password: NO)
|
|
connect con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA;
|
|
connect con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA;
|
|
connect con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA;
|
|
connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET);
|
|
connect con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA;
|
|
ERROR 28000: Access denied for user 'ssl_user5'@'localhost' (using password: NO)
|
|
connection con1;
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
Variable_name Value
|
|
Ssl_cipher AES256-SHA
|
|
disconnect con1;
|
|
connection con2;
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
Variable_name Value
|
|
Ssl_cipher AES256-SHA
|
|
disconnect con2;
|
|
connection con3;
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
Variable_name Value
|
|
Ssl_cipher AES256-SHA
|
|
disconnect con3;
|
|
connection con4;
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
Variable_name Value
|
|
Ssl_cipher AES256-SHA
|
|
disconnect con4;
|
|
connection default;
|
|
drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
Variable_name Value
|
|
Ssl_cipher AES256-SHA
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
Variable_name Value
|
|
Ssl_cipher AES128-SHA
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
Variable_name Value
|
|
Ssl_cipher AES128-SHA
|
|
mysqltest: Could not open connection 'default': 2026 TLS/SSL error: xxxxVariable_name Value
|
|
Ssl_cipher AES256-SHA
|
|
Variable_name Value
|
|
Ssl_cipher AES128-SHA
|
|
select 'is still running; no cipher request crashed the server' as result from dual;
|
|
result
|
|
is still running; no cipher request crashed the server
|
|
create user mysqltest_1@localhost;
|
|
grant usage on mysqltest.* to mysqltest_1@localhost require cipher "AES256-SHA";
|
|
Variable_name Value
|
|
Ssl_cipher AES256-SHA
|
|
drop user mysqltest_1@localhost;
|
|
# restart: --ssl-cipher=AES128-SHA
|
|
connect ssl_con,localhost,root,,,,,SSL;
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
Variable_name Value
|
|
Ssl_cipher AES128-SHA
|
|
SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
|
|
VARIABLE_VALUE like '%AES128-SHA%'
|
|
1
|
|
disconnect ssl_con;
|
|
connection default;
|
|
call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
|
|
FOUND 2 /TLSv1.0 and TLSv1.1 are insecure/ in mysqld.1.err
|
|
# restart: --ssl-cipher=ECDHE-ECDSA-AES128-GCM-SHA256
|
|
Variable_name Value
|
|
Ssl_version
|