mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-01-15 19:42:28 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
mariadb/mysql-test/suite.pm
Tony Chen be164fc401 ssl_cipher parameter cannot configure TLSv1.3 and TLSv1.2 ciphers at the same time 
SSL_CTX_set_ciphersuites() sets the TLSv1.3 cipher suites.

SSL_CTX_set_cipher_list() sets the ciphers for TLSv1.2 and below.

The current TLS configuration logic will not perform SSL_CTX_set_cipher_list()
to configure TLSv1.2 ciphers if the call to SSL_CTX_set_ciphersuites() was
successful. The call to SSL_CTX_set_ciphersuites() is successful if any TLSv1.3
cipher suite is passed into `--ssl-cipher`.

This is a potential security vulnerability because users trying to restrict
specific secure ciphers for TLSv1.3 and TLSv1.2, would unknowingly still have
the database support insecure TLSv1.2 ciphers.

For example:
If setting `--ssl_cipher=TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256`,
the database would still support all possible TLSv1.2 ciphers rather than only
ECDHE-RSA-AES128-GCM-SHA256.

The solution is to execute both SSL_CTX_set_ciphersuites() and
SSL_CTX_set_cipher_list() even if the first call succeeds.

This allows the configuration of exactly which TLSv1.3 and TLSv1.2 ciphers to
support.

Note that there is 1 behavior change with this. When specifying only TLSv1.3
ciphers to `--ssl-cipher`, the database will not support any TLSv1.2 cipher.
However, this does not impose a security risk and considering TLSv1.3 is the
modern protocol, this behavior should be fine.

All TLSv1.3 ciphers are still supported if only TLSv1.2 ciphers are specified
through `--ssl-cipher`.

All new code of the whole pull request, including one or several files that are
either new files or modified ones, are contributed under the BSD-new license. I
am contributing on behalf of my employer Amazon Web Services, Inc.
2024-09-26 11:50:20 +02:00

84 lines
2.9 KiB
Perl
Raw Blame History

package My::Suite::Main;
use My::Platform;
@ISA = qw(My::Suite);
sub skip_combinations {
my %skip;
$skip{'include/innodb_encrypt_log.combinations'} = [ 'crypt' ]
unless $ENV{DEBUG_KEY_MANAGEMENT_SO};
# don't run tests for the wrong platform
if (IS_WINDOWS) {
$skip{'include/platform.combinations'} = [ 'aix', 'unix' ];
} elsif (IS_AIX) {
$skip{'include/platform.combinations'} = [ 'win', 'unix' ];
} else {
$skip{'include/platform.combinations'} = [ 'aix', 'win' ];
}
$skip{'include/maybe_debug.combinations'} =
[ defined $::mysqld_variables{'debug-dbug'} ? 'release' : 'debug' ];
$skip{'include/have_debug.inc'} = 'Requires debug build'
unless defined $::mysqld_variables{'debug-dbug'};
# and for the wrong word size
# check for exact values, in case the default changes to be small everywhere
my $longsysvar= $::mysqld_variables{'max-binlog-stmt-cache-size'};
my %val_map= (
'4294963200' => '64bit', # remember, it shows *what configuration to skip*
'18446744073709547520' => '32bit'
);
die "unknown value max-binlog-stmt-cache-size=$longsysvar" unless $val_map{$longsysvar};
$skip{'include/word_size.combinations'} = [ $val_map{$longsysvar} ];
# as a special case, disable certain include files as a whole
$skip{'include/not_embedded.inc'} = 'Not run for embedded server'
if $::opt_embedded_server;
$skip{'include/have_example_plugin.inc'} = 'Need example plugin'
unless $ENV{HA_EXAMPLE_SO};
$skip{'include/not_windows.inc'} = 'Requires not Windows' if IS_WINDOWS;
$skip{'include/not_aix.inc'} = 'Requires not AIX' if IS_AIX;
$skip{'main/plugin_loaderr.test'} = 'needs compiled-in innodb'
unless $::mysqld_variables{'innodb'} eq "ON";
# disable tests that use ipv6, if unsupported
sub ipv6_ok() {
use Socket;
return 0 unless socket my $sock, PF_INET6, SOCK_STREAM, getprotobyname('tcp');
$!="";
# eval{}, if there's no Socket::sockaddr_in6 at all, old Perl installation <5.14
eval { bind $sock, sockaddr_in6($::baseport, Socket::IN6ADDR_LOOPBACK) };
return $@ eq "" && $! eq ""
}
$skip{'include/check_ipv6.inc'} = 'No IPv6' unless ipv6_ok();
# SSL is complicated
my $ssl_lib= $::mysqld_variables{'version-ssl-library'};
my $openssl_ver= $ssl_lib =~ /OpenSSL (\S+)/ ? $1 : "";
$skip{'include/have_ssl_communication.inc'} =
$skip{'include/have_ssl_crypto_functs.inc'} = 'Requires SSL' unless $ssl_lib;
$skip{'main/openssl_6975.test'} = 'no or wrong openssl version'
unless $openssl_ver ge "1.0.1d" and $openssl_ver lt "1.1.1";
$skip{'main/ssl_7937.combinations'} = [ 'x509v3' ]
unless $ssl_lib =~ /WolfSSL/ or $openssl_ver ge "1.0.2";
$skip{'main/tlsv13.test'} = 'does not work with OpenSSL <= 1.1.1'
unless $ssl_lib =~ /WolfSSL/ or $openssl_ver ge "3.0.0";
$skip{'main/ssl_verify_ip.test'} = 'x509v3 support required'
unless $openssl_ver ge "1.0.2";
%skip;
}
bless { };
Reference in a new issue View git blame Copy permalink