You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
313 lines
8.8 KiB
313 lines
8.8 KiB
|
|
# Want to skip this test from daily Valgrind execution
|
|
--source include/no_valgrind_without_big.inc
|
|
|
|
# Save the initial number of concurrent sessions
|
|
--source include/count_sessions.inc
|
|
|
|
# The SSL library may fail initializing during this one
|
|
call mtr.add_suppression("Failed to set up SSL because of the following SSL library error");
|
|
|
|
--echo # Check if ssl is on
|
|
SELECT LENGTH(VARIABLE_VALUE) > 0 FROM performance_schema.session_status
|
|
WHERE VARIABLE_NAME='Ssl_cipher';
|
|
|
|
--echo ################## FR1.1 and FR 1.4: ALTER INSTANCE RELOAD TLS
|
|
|
|
ALTER INSTANCE RELOAD TLS;
|
|
|
|
--echo # Check if ssl is still turned on after reload
|
|
SELECT LENGTH(VARIABLE_VALUE) > 0 FROM performance_schema.session_status
|
|
WHERE VARIABLE_NAME='Ssl_cipher';
|
|
|
|
--echo # FR1.1: check if old sessions continue
|
|
connect (ssl_con,localhost,root,,,,,SSL);
|
|
|
|
SET @must_be_present= 'present';
|
|
|
|
connection default;
|
|
|
|
ALTER INSTANCE RELOAD TLS;
|
|
|
|
connection ssl_con;
|
|
|
|
--echo # Success criteria: value must be present
|
|
SELECT @must_be_present;
|
|
|
|
connection default;
|
|
disconnect ssl_con;
|
|
|
|
--echo # cleanup
|
|
# Wait until all sessions are disconnected
|
|
--source include/wait_until_count_sessions.inc
|
|
|
|
|
|
--echo ################## FR 1.2: check if new sessions get the new vals
|
|
|
|
--echo # Save the defaults
|
|
let $orig_cipher= query_get_value(SHOW STATUS LIKE 'Ssl_cipher', Value, 1);
|
|
SET @orig_ssl_cipher = @@global.ssl_cipher;
|
|
SET @orig_tls_version = @@global.tls_version;
|
|
|
|
--echo # in ssl_con
|
|
connect (ssl_con,localhost,root,,,,,SSL);
|
|
|
|
--echo # check if the session has the original values
|
|
--replace_result $orig_cipher orig_cipher
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
|
|
--echo # in default connection
|
|
connection default;
|
|
|
|
--echo # setting new values for ssl_cipher
|
|
SET GLOBAL ssl_cipher = "DHE-RSA-AES256-SHA256";
|
|
SET GLOBAL tls_version = "TLSv1.2";
|
|
ALTER INSTANCE RELOAD TLS;
|
|
|
|
--echo # in ssl_new_con
|
|
connect (ssl_new_con,localhost,root,,,,,SSL);
|
|
--echo # Save the new defaults
|
|
let $new_cipher= query_get_value(SHOW STATUS LIKE 'Ssl_cipher', Value, 1);
|
|
|
|
--echo # Check if the old and the new not afters differ
|
|
let $the_same=`SELECT "$new_cipher" = "$orig_cipher"`;
|
|
if ($the_same == 1)
|
|
{
|
|
die the not-after values must be different;
|
|
}
|
|
|
|
--echo # in ssl_con
|
|
connection ssl_con;
|
|
|
|
--echo # the con session must have the original values
|
|
--replace_result $orig_cipher orig_cipher;
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
|
|
--echo # cleanup
|
|
--echo # in default connection
|
|
connection default;
|
|
disconnect ssl_con;
|
|
disconnect ssl_new_con;
|
|
|
|
SET GLOBAL ssl_cipher = @orig_ssl_cipher;
|
|
SET GLOBAL tls_version = @orig_tls_version;
|
|
ALTER INSTANCE RELOAD TLS;
|
|
|
|
# Wait till all disconnects are completed
|
|
--source include/wait_until_count_sessions.inc
|
|
|
|
|
|
|
|
--echo ################## FR 1.5: new values effective only after RELOAD TLS
|
|
|
|
--echo # Save the defaults
|
|
let $orig_cipher= query_get_value(SHOW STATUS LIKE 'Ssl_cipher', Value, 1);
|
|
SET @orig_ssl_cipher = @@global.ssl_cipher;
|
|
|
|
|
|
--echo # setting new values for ssl_cipher
|
|
SET GLOBAL ssl_cipher = "DHE-RSA-AES256-SHA256";
|
|
|
|
--echo # in ssl_con
|
|
connect (ssl_con,localhost,root,,,,,SSL);
|
|
|
|
let $new_cipher= query_get_value(SHOW STATUS LIKE 'Ssl_cipher', Value, 1);
|
|
|
|
--echo # Check if the old and the new not afters differ
|
|
let $the_same=`SELECT "$new_cipher" = "$orig_cipher"`;
|
|
if ($the_same == 0)
|
|
{
|
|
die the old non-after must still be active;
|
|
}
|
|
|
|
--echo # cleanup
|
|
--echo # in default connection
|
|
connection default;
|
|
disconnect ssl_con;
|
|
|
|
SET GLOBAL ssl_cipher = @orig_ssl_cipher;
|
|
|
|
# Wait till all disconnects are completed
|
|
--source include/wait_until_count_sessions.inc
|
|
|
|
|
|
--echo ################## FR 1.7: CONNECTION_ADMIN will be required to execute
|
|
--echo # ALTER INSTANCE RELOAD TLS
|
|
CREATE USER test_connection_admin@localhost;
|
|
|
|
--echo # in ssl_con
|
|
connect (ssl_con,localhost,test_connection_admin,,,,,SSL);
|
|
|
|
--echo # Must fail
|
|
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
|
ALTER INSTANCE RELOAD TLS;
|
|
|
|
--echo # in default connection
|
|
connection default;
|
|
GRANT SUPER ON *.* TO test_connection_admin@localhost;
|
|
|
|
--echo # in ssl_con
|
|
connection ssl_con;
|
|
|
|
--echo # Must fail
|
|
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
|
ALTER INSTANCE RELOAD TLS;
|
|
|
|
--echo # in default connection
|
|
connection default;
|
|
REVOKE SUPER ON *.* FROM test_connection_admin@localhost;
|
|
GRANT CONNECTION_ADMIN ON *.* TO test_connection_admin@localhost;
|
|
|
|
--echo # in ssl_con
|
|
connection ssl_con;
|
|
|
|
--echo # Must pass
|
|
ALTER INSTANCE RELOAD TLS;
|
|
|
|
--echo # cleanup
|
|
--echo # in default connection
|
|
connection default;
|
|
disconnect ssl_con;
|
|
# Wait till all disconnects are completed
|
|
--source include/wait_until_count_sessions.inc
|
|
DROP USER test_connection_admin@localhost;
|
|
|
|
|
|
--echo ################## FR 1.8 and 1.9: disable SSL on wrong values
|
|
|
|
--echo # Save the defaults
|
|
SET @orig_ssl_ca= @@global.ssl_ca;
|
|
|
|
--echo # Seet CA to invalid value
|
|
SET GLOBAL ssl_ca = 'gizmo';
|
|
|
|
--echo # Must fail and not change the SSL params
|
|
--error ER_DA_SSL_LIBRARY_ERROR
|
|
ALTER INSTANCE RELOAD TLS;
|
|
|
|
--echo # Must be 1
|
|
SELECT COUNT(*) FROM performance_schema.session_status
|
|
WHERE VARIABLE_NAME = 'Current_tls_ca' AND VARIABLE_VALUE = @orig_ssl_ca;
|
|
|
|
--echo # Must return gizmo
|
|
SELECT @@global.ssl_ca;
|
|
|
|
--echo # Must connect successfully
|
|
--exec $MYSQL --ssl-mode=required -e "SELECT 1"
|
|
|
|
--echo # Must pass with a warning and disable SSL
|
|
ALTER INSTANCE RELOAD TLS NO ROLLBACK ON ERROR;
|
|
|
|
--echo # Must be 1
|
|
SELECT COUNT(*) FROM performance_schema.session_status
|
|
WHERE VARIABLE_NAME = 'Current_tls_ca' AND VARIABLE_VALUE = 'gizmo';
|
|
|
|
--echo # Must fail to connect
|
|
--error 1
|
|
--exec $MYSQL --ssl-mode=required -e "SELECT 1"
|
|
|
|
--echo # cleanup
|
|
SET GLOBAL ssl_ca = @orig_ssl_ca;
|
|
ALTER INSTANCE RELOAD TLS;
|
|
|
|
--echo # FR 1.9: Must connect successfully
|
|
--exec $MYSQL --ssl-mode=required -e "SELECT 1"
|
|
|
|
|
|
--echo ################## FR2 and FR6: --ssl-* variables settable at runtime.
|
|
SET @orig_ssl_ca= @@global.ssl_ca;
|
|
SET @orig_ssl_cert= @@global.ssl_cert;
|
|
SET @orig_ssl_key= @@global.ssl_key;
|
|
SET @orig_ssl_capath= @@global.ssl_capath;
|
|
SET @orig_ssl_crl= @@global.ssl_crl;
|
|
SET @orig_ssl_crlpath= @@global.ssl_crlpath;
|
|
SET @orig_ssl_cipher= @@global.ssl_cipher;
|
|
SET @orig_tls_cipher= @@global.tls_ciphersuites;
|
|
SET @orig_tls_version= @@global.tls_version;
|
|
|
|
--echo # Must pass
|
|
SET GLOBAL ssl_ca = 'gizmo';
|
|
SET GLOBAL ssl_cert = 'gizmo';
|
|
SET GLOBAL ssl_key = 'gizmo';
|
|
SET GLOBAL ssl_capath = 'gizmo';
|
|
SET GLOBAL ssl_crl = 'gizmo';
|
|
SET GLOBAL ssl_crlpath = 'gizmo';
|
|
SET GLOBAL ssl_cipher = 'gizmo';
|
|
SET GLOBAL tls_ciphersuites = 'gizmo';
|
|
SET GLOBAL tls_version = 'gizmo';
|
|
|
|
--echo # Must fail
|
|
--error ER_GLOBAL_VARIABLE
|
|
SET SESSION ssl_ca = 'gizmo';
|
|
--error ER_GLOBAL_VARIABLE
|
|
SET SESSION ssl_cert = 'gizmo';
|
|
--error ER_GLOBAL_VARIABLE
|
|
SET SESSION ssl_key = 'gizmo';
|
|
--error ER_GLOBAL_VARIABLE
|
|
SET SESSION ssl_capath = 'gizmo';
|
|
--error ER_GLOBAL_VARIABLE
|
|
SET SESSION ssl_crl = 'gizmo';
|
|
--error ER_GLOBAL_VARIABLE
|
|
SET SESSION ssl_crlpath = 'gizmo';
|
|
--error ER_GLOBAL_VARIABLE
|
|
SET SESSION ssl_cipher = 'gizmo';
|
|
--error ER_GLOBAL_VARIABLE
|
|
SET SESSION tls_ciphersuites = 'gizmo';
|
|
--error ER_GLOBAL_VARIABLE
|
|
SET SESSION tls_version = 'gizmo';
|
|
|
|
--echo # FR6: Must return 9
|
|
SELECT VARIABLE_NAME FROM performance_schema.session_status WHERE
|
|
VARIABLE_NAME IN
|
|
('Current_tls_ca', 'Current_tls_capath', 'Current_tls_cert',
|
|
'Current_tls_key', 'Current_tls_version', 'Current_tls_cipher',
|
|
'Current_tls_ciphersuites', 'Current_tls_crl', 'Current_tls_crlpath') AND
|
|
VARIABLE_VALUE != 'gizmo'
|
|
ORDER BY VARIABLE_NAME;
|
|
|
|
--echo # cleanup
|
|
SET GLOBAL ssl_ca = @orig_ssl_ca;
|
|
SET GLOBAL ssl_cert = @orig_ssl_cert;
|
|
SET GLOBAL ssl_key = @orig_ssl_key;
|
|
SET GLOBAL ssl_capath = @orig_ssl_capath;
|
|
SET GLOBAL ssl_crl = @orig_ssl_crl;
|
|
SET GLOBAL ssl_crlpath = @orig_ssl_crlpath;
|
|
SET GLOBAL ssl_cipher = @orig_ssl_cipher;
|
|
SET GLOBAL tls_ciphersuites = @orig_tls_ciphersuites;
|
|
SET GLOBAL tls_version = @orig_tls_version;
|
|
|
|
|
|
--echo ################## FR8: X plugin do not follow
|
|
|
|
--echo # Save the defaults
|
|
SET @orig_ssl_ca= @@global.ssl_ca;
|
|
SET @orig_ssl_cert= @@global.ssl_cert;
|
|
SET @orig_ssl_key= @@global.ssl_key;
|
|
SET @orig_mysqlx_ssl_ca= @@global.mysqlx_ssl_ca;
|
|
SET @orig_mysqlx_ssl_cert= @@global.mysqlx_ssl_cert;
|
|
SET @orig_mysqlx_ssl_key= @@global.mysqlx_ssl_key;
|
|
|
|
--echo # setting new values for ssl_cert, ssl_key and ssl_ca
|
|
--replace_result "$MYSQL_TEST_DIR" MYSQL_TEST_DIR
|
|
eval SET GLOBAL ssl_cert = "$MYSQL_TEST_DIR/std_data/server-cert-sha512.pem";
|
|
--replace_result "$MYSQL_TEST_DIR" MYSQL_TEST_DIR
|
|
eval SET GLOBAL ssl_key = "$MYSQL_TEST_DIR/std_data/server-key-sha512.pem";
|
|
--replace_result "$MYSQL_TEST_DIR" MYSQL_TEST_DIR
|
|
eval SET GLOBAL ssl_ca = "$MYSQL_TEST_DIR/std_data/ca-sha512.pem";
|
|
ALTER INSTANCE RELOAD TLS;
|
|
|
|
--echo # Check that X variables match the initial ones
|
|
--vertical_results
|
|
SELECT @@global.mysqlx_ssl_ca = @orig_mysqlx_ssl_ca,
|
|
@@global.mysqlx_ssl_cert = @orig_mysqlx_ssl_cert,
|
|
@@global.mysqlx_ssl_key = @orig_mysqlx_ssl_key;
|
|
|
|
|
|
--echo # cleanup
|
|
SET GLOBAL ssl_cert = @orig_ssl_cert;
|
|
SET GLOBAL ssl_key = @orig_ssl_key;
|
|
SET GLOBAL ssl_ca = @orig_ssl_ca;
|
|
ALTER INSTANCE RELOAD TLS;
|
|
|
|
|
|
--echo ################## End of dynamic SSL tests
|
|
|