mariadb/mysql-test/main/ssl_cipher.result
Tony Chen 28b2958082 Add MTR to verify behavior on incompatible TLS configuration
Add a simple test to verify the server behaves in a safe manner if configured
with ciphers that aren't compatible with the server certificate.

All new code of the whole pull request, including one or several files
that are either new files or modified ones, are contributed under the
BSD-new license. I am contributing on behalf of my employer Amazon Web
Services, Inc.
2025-01-09 11:22:11 +11:00

73 lines
2.9 KiB
Text

create user ssl_user1@localhost require SSL;
create user ssl_user2@localhost require cipher 'AES256-SHA';
create user ssl_user3@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client';
create user ssl_user4@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client' ISSUER '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB';
create user ssl_user5@localhost require cipher 'AES256-SHA' AND SUBJECT 'xxx';
connect con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA;
connect(localhost,ssl_user2,,test,MASTER_PORT,MASTER_SOCKET);
connect con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA;
ERROR 28000: Access denied for user 'ssl_user2'@'localhost' (using password: NO)
connect con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA;
connect con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA;
connect con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA;
connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET);
connect con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA;
ERROR 28000: Access denied for user 'ssl_user5'@'localhost' (using password: NO)
connection con1;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES256-SHA
disconnect con1;
connection con2;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES256-SHA
disconnect con2;
connection con3;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES256-SHA
disconnect con3;
connection con4;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES256-SHA
disconnect con4;
connection default;
drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES256-SHA
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES128-SHA
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES128-SHA
mysqltest: Could not open connection 'default': 2026 TLS/SSL error: xxxxVariable_name Value
Ssl_cipher AES256-SHA
Variable_name Value
Ssl_cipher AES128-SHA
select 'is still running; no cipher request crashed the server' as result from dual;
result
is still running; no cipher request crashed the server
create user mysqltest_1@localhost;
grant usage on mysqltest.* to mysqltest_1@localhost require cipher "AES256-SHA";
Variable_name Value
Ssl_cipher AES256-SHA
drop user mysqltest_1@localhost;
# restart: --ssl-cipher=AES128-SHA
connect ssl_con,localhost,root,,,,,SSL;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES128-SHA
SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
VARIABLE_VALUE like '%AES128-SHA%'
1
disconnect ssl_con;
connection default;
call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
FOUND 2 /TLSv1.0 and TLSv1.1 are insecure/ in mysqld.1.err
# restart: --ssl-cipher=ECDHE-ECDSA-AES128-GCM-SHA256
Variable_name Value
Ssl_version