# Tests for SSL connections --source include/allowed_ciphers.inc # Save the initial number of concurrent sessions --source include/count_sessions.inc set @orig_sql_mode= @@sql_mode; --disable_warnings drop table if exists t1; --enable_warnings create table t1(f1 int); insert into t1 values (5); connect (con0,localhost,root,,,,,SSL); connection con0; let $cipher= query_get_value("SHOW STATUS like 'Ssl_cipher'", Value, 1); let $cipher_val= "$cipher"; connection default; disconnect con0; create user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost; grant select on test.* to ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost; --replace_regex $ALLOWED_CIPHERS_REGEX -- eval alter user ssl_user2@localhost require cipher $cipher_val --replace_regex $ALLOWED_CIPHERS_REGEX -- eval alter user ssl_user3@localhost require cipher $cipher_val AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client" --replace_regex $ALLOWED_CIPHERS_REGEX -- eval alter user ssl_user4@localhost require cipher $cipher_val AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client" ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA" --replace_regex $ALLOWED_CIPHERS_REGEX -- eval alter user ssl_user5@localhost require cipher $cipher_val AND SUBJECT "xxx" flush privileges; connect (con1,localhost,ssl_user1,,,,,SSL); connect (con2,localhost,ssl_user2,,,,,SSL); connect (con3,localhost,ssl_user3,,,,,SSL); connect (con4,localhost,ssl_user4,,,,,SSL); --replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT --error ER_ACCESS_DENIED_ERROR connect (con5,localhost,ssl_user5,,,,,SSL); connection con1; # Check ssl turned on --replace_regex $ALLOWED_CIPHERS_REGEX SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR delete from t1; connection con2; # Check ssl turned on --replace_regex $ALLOWED_CIPHERS_REGEX SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR delete from t1; connection con3; # Check ssl turned on --replace_regex $ALLOWED_CIPHERS_REGEX SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR delete from t1; connection con4; # Check ssl turned on --replace_regex $ALLOWED_CIPHERS_REGEX SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR delete from t1; connection default; disconnect con1; disconnect con2; disconnect con3; disconnect con4; drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost; drop table t1; # End of 4.1 tests # # Test that we can't open connection to server if we are using # a different cacert # --exec echo "this query should not execute;" > $MYSQLTEST_VARDIR/tmp/test.sql --replace_regex /2026 SSL connection error.*\n/2026 SSL connection error: xxxx/ --error 1 --exec $MYSQL_TEST --ssl-mode=VERIFY_CA --ssl-ca=$MYSQL_TEST_DIR/std_data/untrusted-cacert.pem --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 --echo # # Test that we can't open connection to server if we are using # a blank ca # --replace_regex /2026 SSL connection error.*\n/2026 SSL connection error: xxxx/ --error 1 --exec $MYSQL_TEST --ssl-mode=VERIFY_CA --ssl-ca= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 --echo # # Test that we can't open connection to server if we are using # a nonexistent ca file # --replace_regex /2026 SSL connection error.*\n/2026 SSL connection error: xxxx/ --error 1 --exec $MYSQL_TEST --ssl-mode=VERIFY_CA --ssl-ca=nonexisting_file.pem --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 --echo # # Test that we can't open connection to server if we are using # a blank client-key # --error 1 --exec $MYSQL_TEST --ssl-mode=REQUIRED --ssl-key= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 # # Test that we can't open connection to server if we are using # a blank client-cert # --error 1 --exec $MYSQL_TEST --ssl-mode=REQUIRED --ssl-cert= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 # # Bug#21611 Slave can't connect when master-ssl-cipher specified # - Apparently selecting a cipher doesn't work at all # - Usa a cipher that OpenSSL supports # --exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit;" > $MYSQLTEST_VARDIR/tmp/test.sql --exec $MYSQL_TEST --ssl-mode=REQUIRED --tls-version=TLSv1.2 --ssl-cipher=DHE-RSA-AES256-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2> $MYSQLTEST_VARDIR/tmp/bug21611_stderr --cat_file $MYSQLTEST_VARDIR/tmp/bug21611_stderr #Cleanup --remove_file $MYSQLTEST_VARDIR/tmp/bug21611_stderr # # Bug#25309 SSL connections without CA certificate broken since MySQL 5.0.23 # # Test that we can open encrypted connection to server without # verification of servers certificate by setting both ca certificate # and ca path to NULL # --replace_regex $ALLOWED_CIPHERS_REGEX --exec $MYSQL --ssl-mode=REQUIRED --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1 --echo End of 5.0 tests # # Bug#26174 Server Crash: INSERT ... SELECT ... FROM I_S.GLOBAL_STATUS in # Event (see also information_schema.test for the other part of test for # this bug). # --disable_warnings DROP TABLE IF EXISTS thread_status; DROP EVENT IF EXISTS event_status; --enable_warnings # Make Sure Event scheduler is ON (by default) SELECT COUNT(*) = 1 FROM information_schema.processlist WHERE user = 'event_scheduler' AND command = 'Daemon'; DELIMITER $$; CREATE EVENT event_status ON SCHEDULE AT NOW() ON COMPLETION NOT PRESERVE DO BEGIN CREATE TABLE thread_status SELECT variable_name, variable_value FROM performance_schema.session_status WHERE variable_name LIKE 'SSL_ACCEPTS' OR variable_name LIKE 'SSL_CALLBACK_CACHE_HITS'; END$$ DELIMITER ;$$ let $wait_condition=select count(*) = 0 from information_schema.events where event_name='event_status'; --source include/wait_condition.inc # The actual value doesn't matter and can vary based on test ordering and on ssl library. --replace_column 2 # SELECT variable_name, variable_value FROM thread_status; DROP TABLE thread_status; # # Test to connect using a list of ciphers # --exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit;" > $MYSQLTEST_VARDIR/tmp/test.sql --exec $MYSQL_TEST --ssl-mode=REQUIRED --tls-version=TLSv1.2 --ssl-cipher=UNKNOWN-CIPHER:AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2> $MYSQLTEST_VARDIR/tmp/stderr_output --cat_file $MYSQLTEST_VARDIR/tmp/stderr_output # Test to connect using a specifi cipher # --exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit;" > $MYSQLTEST_VARDIR/tmp/test.sql --exec $MYSQL_TEST --ssl-mode=REQUIRED --tls-version=TLSv1.2 --ssl-cipher=AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2> $MYSQLTEST_VARDIR/tmp/stderr_output --cat_file $MYSQLTEST_VARDIR/tmp/stderr_output #Cleanup --remove_file $MYSQLTEST_VARDIR/tmp/stderr_output # Test to connect using an unknown cipher # --exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit" > $MYSQLTEST_VARDIR/tmp/test.sql --replace_regex /2026 SSL connection error.*/2026 SSL connection error: xxxx/ --error 1 --exec $MYSQL_TEST --ssl-mode=REQUIRED --tls-version=TLSv1.2 --ssl-cipher=UNKNOWN-CIPHER --ssl-mode=VERIFY_CA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 --echo # # Bug#27669 mysqldump: SSL connection error when trying to connect # CREATE TABLE t1(a int); INSERT INTO t1 VALUES (1), (2); # Run mysqldump --exec $MYSQL_DUMP --skip-comments --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test t1 --exec $MYSQL_DUMP --skip-comments --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test --exec $MYSQL_DUMP --skip-comments --ssl-mode=VERIFY_CA --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test # With wrong parameters --replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR --error 2 --exec $MYSQL_DUMP --skip-create-options --skip-comments --ssl-mode=REQUIRED --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test 2>&1 DROP TABLE t1; --remove_file $MYSQLTEST_VARDIR/tmp/test.sql # # Bug#39172 Asking for DH+non-RSA key with server set to use other key caused # YaSSL to crash the server. # # Common ciphers to openssl and yassl --exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-mode=REQUIRED --tls-version=TLSv1.2 --ssl-cipher=DHE-RSA-AES256-SHA --exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-mode=REQUIRED --tls-version=TLSv1.2 --ssl-cipher=DHE-RSA-AES128-SHA: --exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-mode=REQUIRED --tls-version=TLSv1.2 --ssl-cipher=AES256-SHA --exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-mode=REQUIRED --tls-version=TLSv1.2 --ssl-cipher=DHE-RSA-AES128-SHA --disable_query_log --disable_result_log # Below here caused crashes. ################ --error 1,0 --exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-mode=REQUIRED --tls-version=TLSv1.2 --ssl-cipher=NOT----EXIST # These probably exist but the server's keys can't be used to accept these kinds of connections. --error 1,0 --exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-mode=REQUIRED --tls-version=TLSv1.2 --ssl-cipher=DHE-DSS-AES128-RMD --error 1,0 --exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-mode=REQUIRED --tls-version=TLSv1.2 --ssl-cipher=DHE-DSS-AES128-SHA --error 1,0 --exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-mode=REQUIRED --tls-version=TLSv1.2 --ssl-cipher=DHE-DSS-AES256-RMD --error 1,0 --exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-mode=REQUIRED --tls-version=TLSv1.2 --ssl-cipher=DHE-DSS-AES256-SHA --error 1,0 --exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-mode=REQUIRED --tls-version=TLSv1.2 --ssl-cipher=DHE-DSS-DES-CBC3-RMD --error 1,0 --exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-mode=REQUIRED --tls-version=TLSv1.2 --ssl-cipher=EDH-DSS-DES-CBC3-SHA --error 1,0 --exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-mode=REQUIRED --tls-version=TLSv1.2 --ssl-cipher=EDH-DSS-DES-CBC-SHA # End of crashers. ########################## # If this gives a result, then the bug is fixed. --enable_result_log --enable_query_log select 'is still running; no cipher request crashed the server' as result from dual; # # Bug#42158: leak: SSL_get_peer_certificate() doesn't have matching X509_free() # CREATE USER bug42158@localhost REQUIRE X509; GRANT SELECT ON test.* TO bug42158@localhost; FLUSH PRIVILEGES; connect(con1,localhost,bug42158,,,,,SSL); --replace_regex $ALLOWED_CIPHERS_REGEX SHOW STATUS LIKE 'Ssl_cipher'; disconnect con1; connection default; DROP USER bug42158@localhost; set sql_mode= @orig_sql_mode; --echo End of 5.1 tests --echo # --echo # Bug #20648276: SSL-RELATED GLOBAL STATUS INFORMATION ONLY AVAILABLE --echo # WHEN CONNECTED USING --SSL --echo # --echo # Must return empty --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT --ssl-mode=DISABLED -e "SHOW STATUS LIKE 'Ssl-cipher';" --echo # Must return values for the certificate data --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT --ssl-mode=DISABLED -e "SHOW STATUS LIKE 'Ssl_server_not%';" --echo End of 5.7 tests # Wait till we reached the initial number of concurrent sessions --source include/wait_until_count_sessions.inc