MDEV-6975 Implement TLS protocol

change SSL methods to be SSLv23 (according to openssl manpage: "A TLS/SSL connection established with these methods may understand the SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols") from TLSv1 methods, that go back to the initial SSL implementation in MySQL in 2001. OpenSSL default ciphers are different if TLSv1.2 is enabled, so tests need to take this into account.
author: Sergei Golubchik <sergii@pisem.net> 2014-11-18 17:57:06 +0100
committer: Sergei Golubchik <sergii@pisem.net> 2014-11-18 17:57:06 +0100
commit: cb8f837a3d0d16bdbfc9c545d32527ad28b0d841 (patch)
tree: 30fd5447e10cd587a0ff68c6e083c943f61b1e7b
parent: 386e2e52f63971d3c1f33fb6b90715549d81ed1e (diff)
download: mariadb-git-cb8f837a3d0d16bdbfc9c545d32527ad28b0d841.tar.gz
10 files changed, 107 insertions, 3 deletions
diff --git a/mysql-test/mysql-test-run.pl b/mysql-test/mysql-test-run.pl
index ddfed62c238..60e0399efd4 100755
--- a/mysql-test/mysql-test-run.pl
+++ b/mysql-test/mysql-test-run.pl
@@ -4801,6 +4801,8 @@ sub extract_warning_lines ($$) {
      qr|feedback plugin: failed to retrieve the MAC address|,
      qr|Plugin 'FEEDBACK' init function returned error|,
      qr|Plugin 'FEEDBACK' registration as a INFORMATION SCHEMA failed|,
+     qr|Failed to setup SSL|,
+     qr|SSL error: Failed to set ciphers to use|,
     );
 
   my $matched_lines= [];
diff --git a/mysql-test/r/openssl-poodle_6975,sslv3.result b/mysql-test/r/openssl-poodle_6975,sslv3.result
new file mode 100644
index 00000000000..52d5978749e
--- /dev/null
+++ b/mysql-test/r/openssl-poodle_6975,sslv3.result
@@ -0,0 +1,25 @@
+grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
+grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
+TLS1.2 ciphers: user is ok with any cipher
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+SSLv3 ciphers: user is ok with any cipher
+Variable_name	Value
+Ssl_cipher	RC4-SHA
+Variable_name	Value
+Ssl_cipher	DHE-RSA-AES256-SHA
+SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA
+Variable_name	Value
+Ssl_cipher	RC4-SHA
+ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
+SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256
+ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
+ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
+drop user ssl_sslv3@localhost;
+drop user ssl_tls12@localhost;
diff --git a/mysql-test/r/openssl-poodle_6975,tlsv12.result b/mysql-test/r/openssl-poodle_6975,tlsv12.result
new file mode 100644
index 00000000000..033220427be
--- /dev/null
+++ b/mysql-test/r/openssl-poodle_6975,tlsv12.result
@@ -0,0 +1,25 @@
+grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
+grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
+TLS1.2 ciphers: user is ok with any cipher
+Variable_name	Value
+Ssl_cipher	AES128-SHA256
+Variable_name	Value
+Ssl_cipher	DHE-RSA-AES256-GCM-SHA384
+TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA
+ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
+ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
+TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256
+Variable_name	Value
+Ssl_cipher	AES128-SHA256
+ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
+SSLv3 ciphers: user is ok with any cipher
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+drop user ssl_sslv3@localhost;
+drop user ssl_tls12@localhost;
diff --git a/mysql-test/t/openssl-poodle_6975.combinations b/mysql-test/t/openssl-poodle_6975.combinations
new file mode 100644
index 00000000000..3147de1cb63
--- /dev/null
+++ b/mysql-test/t/openssl-poodle_6975.combinations
@@ -0,0 +1,6 @@
+[tlsv12]
+loose-ssl-cipher=TLSv1.2
+
+[sslv3]
+loose-ssl-cipher=SSLv3
+
diff --git a/mysql-test/t/openssl-poodle_6975.test b/mysql-test/t/openssl-poodle_6975.test
new file mode 100644
index 00000000000..bc6397c5c28
--- /dev/null
+++ b/mysql-test/t/openssl-poodle_6975.test
@@ -0,0 +1,38 @@
+#
+# MDEV-6975 Implement TLS protocol
+#
+# test SSLv3 and TLSv1.2 ciphers when OpenSSL is restricted to SSLv3 or TLSv1.2
+#
+source include/have_ssl_communication.inc;
+
+# this is OpenSSL test.
+
+grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
+grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
+
+let $mysql=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
+
+disable_abort_on_error;
+echo TLS1.2 ciphers: user is ok with any cipher;
+exec $mysql                  --ssl-cipher=AES128-SHA256;
+exec $mysql                  --ssl-cipher=TLSv1.2;
+echo TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA;
+exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA256;
+exec $mysql --user ssl_sslv3 --ssl-cipher=TLSv1.2;
+echo TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
+exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA256;
+exec $mysql --user ssl_tls12 --ssl-cipher=TLSv1.2;
+
+echo SSLv3 ciphers: user is ok with any cipher;
+exec $mysql                  --ssl-cipher=RC4-SHA;
+exec $mysql                  --ssl-cipher=SSLv3;
+echo SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA;
+exec $mysql --user ssl_sslv3 --ssl-cipher=RC4-SHA;
+exec $mysql --user ssl_sslv3 --ssl-cipher=SSLv3;
+echo SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
+exec $mysql --user ssl_tls12 --ssl-cipher=RC4-SHA;
+exec $mysql --user ssl_tls12 --ssl-cipher=SSLv3;
+
+drop user ssl_sslv3@localhost;
+drop user ssl_tls12@localhost;
+
diff --git a/mysql-test/t/openssl_1.test b/mysql-test/t/openssl_1.test
index 24980269a24..bee0e2cc720 100644
--- a/mysql-test/t/openssl_1.test
+++ b/mysql-test/t/openssl_1.test
@@ -132,6 +132,7 @@ drop table t1;
 # verification of servers certificate by setting both ca certificate
 # and ca path to NULL
 #
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 --exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
 --echo End of 5.0 tests
 
@@ -258,6 +259,7 @@ select 'is still running; no cipher request crashed the server' as result from d
 GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509;
 FLUSH PRIVILEGES;
 connect(con1,localhost,bug42158,,,,,SSL);
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';
 disconnect con1;
 connection default;
diff --git a/mysql-test/t/ssl.test b/mysql-test/t/ssl.test
index 341ec0591e7..d6f88fe888e 100644
--- a/mysql-test/t/ssl.test
+++ b/mysql-test/t/ssl.test
@@ -11,12 +11,14 @@
 connect (ssl_con,localhost,root,,,,,SSL);
 
 # Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';
 
 # Source select test case
 -- source include/common-tests.inc
 
 # Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';
 
 connection default;
diff --git a/mysql-test/t/ssl_8k_key-master.opt b/mysql-test/t/ssl_8k_key-master.opt
index b58ca7f39f0..531c0abc9f1 100644
--- a/mysql-test/t/ssl_8k_key-master.opt
+++ b/mysql-test/t/ssl_8k_key-master.opt
@@ -1 +1,3 @@
---loose-ssl-key=$MYSQL_TEST_DIR/std_data/server8k-key.pem --loose-ssl-cert=$MYSQL_TEST_DIR/std_data/server8k-cert.pem
+--loose-ssl-key=$MYSQL_TEST_DIR/std_data/server8k-key.pem
+--loose-ssl-cert=$MYSQL_TEST_DIR/std_data/server8k-cert.pem
+--loose-ssl-cipher=DHE-RSA-AES256-SHA
diff --git a/mysql-test/t/ssl_compress.test b/mysql-test/t/ssl_compress.test
index 8e0dea53fe7..5e45e3824a2 100644
--- a/mysql-test/t/ssl_compress.test
+++ b/mysql-test/t/ssl_compress.test
@@ -11,6 +11,7 @@
 connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS);
 
 # Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';
 
 # Check compression turned on
@@ -20,6 +21,7 @@ SHOW STATUS LIKE 'Compression';
 -- source include/common-tests.inc
 
 # Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';
 
 # Check compression turned on
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index 3fde307e4dd..c64bba338a4 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -190,8 +190,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
     DBUG_RETURN(0);
 
   if (!(ssl_fd->ssl_context= SSL_CTX_new(is_client_method ? 
-                                         TLSv1_client_method() :
-                                         TLSv1_server_method())))
+                                         SSLv23_client_method() :
+                                         SSLv23_server_method())))
   {
     *error= SSL_INITERR_MEMFAIL;
     DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
author	Sergei Golubchik <sergii@pisem.net>	2014-11-18 17:57:06 +0100
committer	Sergei Golubchik <sergii@pisem.net>	2014-11-18 17:57:06 +0100
commit	cb8f837a3d0d16bdbfc9c545d32527ad28b0d841 (patch)
tree	30fd5447e10cd587a0ff68c6e083c943f61b1e7b
parent	386e2e52f63971d3c1f33fb6b90715549d81ed1e (diff)
download	mariadb-git-cb8f837a3d0d16bdbfc9c545d32527ad28b0d841.tar.gz