authorSergei Golubchik <serg@mariadb.org>2015-06-09 22:11:22 +0200
committerSergei Golubchik <serg@mariadb.org>2015-06-09 22:16:26 +0200
commit5a44e1a4024f1760021e5c6fd65773584d60513a (patch)
tree782bf9fafe6d99bf4e2b34ebae98a973c3ae1f99
parent80f6b2259330f2bc4de1692b671ab553dc5b4353 (diff)
tests for MDEV-7937: Enforce SSL when --ssl client option is usedmariadb-5.5.44
* add a test when server certificate is verified successfully * one test with two combinations (instead of two tests) * verbose test: make it print what it is doing * fix the test to work with yassl and no-ssl builds
-rw-r--r--mysql-test/include/have_ssl_disabled.inc4
-rw-r--r--mysql-test/include/have_ssl_disabled.opt1
-rw-r--r--mysql-test/r/ssl_7937,nossl.result15
-rw-r--r--mysql-test/r/ssl_7937.result23
-rw-r--r--mysql-test/r/ssl_without_7937.result6
-rw-r--r--mysql-test/t/ssl_7937.combinations5
-rw-r--r--mysql-test/t/ssl_7937.test46
-rw-r--r--mysql-test/t/ssl_without_7937.test18
8 files changed, 67 insertions, 51 deletions
diff --git a/mysql-test/include/have_ssl_disabled.inc b/mysql-test/include/have_ssl_disabled.inc
deleted file mode 100644
index 6c672794146..00000000000
--- a/mysql-test/include/have_ssl_disabled.inc
+++ /dev/null
@@ -1,4 +0,0 @@
-if (`SELECT COUNT(*) = 0 FROM INFORMATION_SCHEMA.GLOBAL_VARIABLES WHERE VARIABLE_NAME like 'have_ssl' and VARIABLE_VALUE like 'DISABLED'`)
-{
- --skip Test requires ssl to be disabled.
-}
diff --git a/mysql-test/include/have_ssl_disabled.opt b/mysql-test/include/have_ssl_disabled.opt
deleted file mode 100644
index a72d58c7839..00000000000
--- a/mysql-test/include/have_ssl_disabled.opt
+++ /dev/null
@@ -1 +0,0 @@
---loose-disable-ssl
diff --git a/mysql-test/r/ssl_7937,nossl.result b/mysql-test/r/ssl_7937,nossl.result
new file mode 100644
index 00000000000..72693233bc8
--- /dev/null
+++ b/mysql-test/r/ssl_7937,nossl.result
@@ -0,0 +1,15 @@
+create procedure have_ssl()
+select if(variable_value > '','yes','no') as 'have_ssl'
+ from information_schema.session_status
+where variable_name='ssl_cipher';
+mysql --ssl-ca=cacert.pem -e "call test.have_ssl()"
+have_ssl
+no
+mysql --ssl -e "call test.have_ssl()"
+have_ssl
+no
+mysql --ssl-ca=cacert.pem --ssl-verify-server-cert -e "call test.have_ssl()"
+ERROR 2026 (HY000): SSL connection error: SSL is required, but the server does not support it
+mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()"
+ERROR 2026 (HY000): SSL connection error: SSL is required, but the server does not support it
+drop procedure have_ssl;
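Review bot: The recorded output for `mysql --ssl -e "call test.have_ssl()"` against the SSL-disabled server is `have_ssl` / `no` with no error, so this expectation pins a silent fallback to an unencrypted connection when only `--ssl` is given; only the two `--ssl-verify-server-cert` cases end in ERROR 2026. That reads as being at odds with the commit title, so if it is the intended scope of MDEV-7937 it should be stated where the recording is produced, for example with `--echo # without --ssl-verify-server-cert the client may still connect unencrypted` before that case in ssl_7937.test. Without such a line a later reader can take the recorded `no` as the desired outcome rather than a documented limitation.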
diff --git a/mysql-test/r/ssl_7937.result b/mysql-test/r/ssl_7937.result
index 19522f08981..a94ca3b3529 100644
--- a/mysql-test/r/ssl_7937.result
+++ b/mysql-test/r/ssl_7937.result
@@ -1,9 +1,16 @@
-Variable_name Value
-Ssl_cipher DHE-RSA-AES256-GCM-SHA384
-#
-Variable_name Value
-Ssl_cipher DHE-RSA-AES256-GCM-SHA384
-#
-ERROR 2026 (HY000): SSL connection error: Failed to verify the server certificate
-#
+create procedure have_ssl()
+select if(variable_value > '','yes','no') as 'have_ssl'
+ from information_schema.session_status
+where variable_name='ssl_cipher';
+mysql --ssl-ca=cacert.pem -e "call test.have_ssl()"
+have_ssl
+yes
+mysql --ssl -e "call test.have_ssl()"
+have_ssl
+yes
+mysql --ssl-ca=cacert.pem --ssl-verify-server-cert -e "call test.have_ssl()"
+have_ssl
+yes
+mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()"
ERROR 2026 (HY000): SSL connection error: Failed to verify the server certificate
+drop procedure have_ssl;
diff --git a/mysql-test/r/ssl_without_7937.result b/mysql-test/r/ssl_without_7937.result
deleted file mode 100644
index 191f98fb1a5..00000000000
--- a/mysql-test/r/ssl_without_7937.result
+++ /dev/null
@@ -1,6 +0,0 @@
-Variable_name Value
-Ssl_cipher
-ERROR 2026 (HY000): SSL connection error: SSL is required, but the server does not support it
-Variable_name Value
-Ssl_cipher
-ERROR 2026 (HY000): SSL connection error: SSL is required, but the server does not support it
diff --git a/mysql-test/t/ssl_7937.combinations b/mysql-test/t/ssl_7937.combinations
new file mode 100644
index 00000000000..46a45686a9b
--- /dev/null
+++ b/mysql-test/t/ssl_7937.combinations
@@ -0,0 +1,5 @@
+[ssl]
+--loose-enable-ssl
+
+[nossl]
+--loose-disable-ssl
diff --git a/mysql-test/t/ssl_7937.test b/mysql-test/t/ssl_7937.test
index ff190ce7fdc..d593b9d936d 100644
--- a/mysql-test/t/ssl_7937.test
+++ b/mysql-test/t/ssl_7937.test
@@ -1,17 +1,35 @@
-source include/have_ssl_communication.inc;
+#
+# MDEV-7937: Enforce SSL when --ssl client option is used
+#
-let $mysql_ssl_cert=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
-let $mysql_ssl_no_cert=$MYSQL --ssl -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
-let $mysql_ssl_no_cert_ver=$MYSQL --ssl --ssl-verify-server-cert -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
-let $mysql_ssl_cert_ver=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem --ssl-verify-server-cert -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
+source include/have_ssl_crypto_functs.inc;
---exec $mysql_ssl_cert;
---echo #
---exec $mysql_ssl_no_cert;
---echo #
---error 1
---exec $mysql_ssl_no_cert_ver;
---echo #
---error 1
---exec $mysql_ssl_cert_ver;
+# create a procedure instead of SHOW STATUS LIKE 'ssl_cipher'
+# because the cipher depends on openssl (or yassl) version,
+# and it's actual value doesn't matter here anyway
+create procedure have_ssl()
+ select if(variable_value > '','yes','no') as 'have_ssl'
+ from information_schema.session_status
+ where variable_name='ssl_cipher';
+--disable_abort_on_error
+--echo mysql --ssl-ca=cacert.pem -e "call test.have_ssl()"
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem -e "call test.have_ssl()" 2>&1
+--echo mysql --ssl -e "call test.have_ssl()"
+--exec $MYSQL --ssl -e "call test.have_ssl()" 2>&1
+--echo mysql --ssl-ca=cacert.pem --ssl-verify-server-cert -e "call test.have_ssl()"
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
+
+--echo mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()"
+# this is the test where certificate verification fails.
+# but yassl doesn't support certificate verification, so
+# we fake the test result for yassl
+let yassl=`select variable_value='Unknown' from information_schema.session_status where variable_name='Ssl_session_cache_mode'`;
+if (!$yassl) {
+ --exec $MYSQL --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
+}
+if ($yassl) {
+ --echo ERROR 2026 (HY000): SSL connection error: Failed to verify the server certificate
+}
+
+drop procedure have_ssl;
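Review bot: On yassl builds the last case never runs the client: the `if ($yassl)` branch only echoes the expected `ERROR 2026 (HY000): ... Failed to verify the server certificate` line, so the test passes there without checking that a connection to a server with an unverifiable certificate is refused. The comment above it says the result is faked, but it should also say why `Ssl_session_cache_mode` being `'Unknown'` identifies yassl, and the echoed text is the message from the ssl recording, which presumably matches the nossl recording only if `$yassl` is false in that combination. Separately, `--disable_abort_on_error` is switched on for every following command and never switched off; putting `--error 0,1` in front of the two `--ssl-verify-server-cert` exec lines instead would keep the first two cases, which succeed in both recordings, aborting on an unexpected failure.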
diff --git a/mysql-test/t/ssl_without_7937.test b/mysql-test/t/ssl_without_7937.test
deleted file mode 100644
index 7519373540f..00000000000
--- a/mysql-test/t/ssl_without_7937.test
+++ /dev/null
@@ -1,18 +0,0 @@
-source include/have_ssl_disabled.inc;
-
-# SSL not mandatory here.
-let $mysql_ssl_cert=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
-# SSL mandatory with verify server cert
-let $mysql_ssl_cert_ver=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem --ssl_verify_server_cert -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
---exec $mysql_ssl_cert;
---error 1
---exec $mysql_ssl_cert_ver;
-
-# SSL not mandatory again
-let $mysql_no_ssl_but_ver=$MYSQL --ssl_verify_server_cert -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
---exec $mysql_no_ssl_but_ver;
-
-# SSL mandatory but no specifications for ssl parameters
-let $mysql_ssl_no_spec_ver=$MYSQL --ssl --ssl_verify_server_cert -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
---error 1
---exec $mysql_ssl_no_spec_ver