-rwxr-xr-xmysql-test/mysql-test-run.pl2
-rw-r--r--mysql-test/r/openssl-poodle_6975,sslv3.result25
-rw-r--r--mysql-test/r/openssl-poodle_6975,tlsv12.result25
-rw-r--r--mysql-test/t/openssl-poodle_6975.combinations6
-rw-r--r--mysql-test/t/openssl-poodle_6975.test38
-rw-r--r--mysql-test/t/openssl_1.test2
-rw-r--r--mysql-test/t/ssl.test2
-rw-r--r--mysql-test/t/ssl_8k_key-master.opt4
-rw-r--r--mysql-test/t/ssl_compress.test2
-rw-r--r--vio/viosslfactories.c4
10 files changed, 107 insertions, 3 deletions
diff --git a/mysql-test/mysql-test-run.pl b/mysql-test/mysql-test-run.pl
index ddfed62c238..60e0399efd4 100755
--- a/mysql-test/mysql-test-run.pl
+++ b/mysql-test/mysql-test-run.pl
@@ -4801,6 +4801,8 @@ sub extract_warning_lines ($$) {
qr|feedback plugin: failed to retrieve the MAC address|,
qr|Plugin 'FEEDBACK' init function returned error|,
qr|Plugin 'FEEDBACK' registration as a INFORMATION SCHEMA failed|,
+ qr|Failed to setup SSL|,
+ qr|SSL error: Failed to set ciphers to use|,
);
my $matched_lines= [];
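Review bot: The two patterns added to the global suppression list, `qr|Failed to setup SSL|` and `qr|SSL error: Failed to set ciphers to use|`, apply to every test in the suite. A server that starts without working SSL would then no longer trip the warning check in any test, including those meant to exercise encrypted connections. If only the new openssl-poodle_6975 combinations are expected to log these lines, a per-test `call mtr.add_suppression("Failed to setup SSL");` in that test would keep the check active elsewhere. The enclosing sub extract_warning_lines begins and ends outside the hunk.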
diff --git a/mysql-test/r/openssl-poodle_6975,sslv3.result b/mysql-test/r/openssl-poodle_6975,sslv3.result
new file mode 100644
index 00000000000..52d5978749e
--- /dev/null
+++ b/mysql-test/r/openssl-poodle_6975,sslv3.result
@@ -0,0 +1,25 @@
+grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
+grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
+TLS1.2 ciphers: user is ok with any cipher
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+SSLv3 ciphers: user is ok with any cipher
+Variable_name Value
+Ssl_cipher RC4-SHA
+Variable_name Value
+Ssl_cipher DHE-RSA-AES256-SHA
+SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA
+Variable_name Value
+Ssl_cipher RC4-SHA
+ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
+SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256
+ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
+ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
+drop user ssl_sslv3@localhost;
+drop user ssl_tls12@localhost;
diff --git a/mysql-test/r/openssl-poodle_6975,tlsv12.result b/mysql-test/r/openssl-poodle_6975,tlsv12.result
new file mode 100644
index 00000000000..033220427be
--- /dev/null
+++ b/mysql-test/r/openssl-poodle_6975,tlsv12.result
@@ -0,0 +1,25 @@
+grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
+grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
+TLS1.2 ciphers: user is ok with any cipher
+Variable_name Value
+Ssl_cipher AES128-SHA256
+Variable_name Value
+Ssl_cipher DHE-RSA-AES256-GCM-SHA384
+TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA
+ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
+ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
+TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256
+Variable_name Value
+Ssl_cipher AES128-SHA256
+ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
+SSLv3 ciphers: user is ok with any cipher
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+drop user ssl_sslv3@localhost;
+drop user ssl_tls12@localhost;
diff --git a/mysql-test/t/openssl-poodle_6975.combinations b/mysql-test/t/openssl-poodle_6975.combinations
new file mode 100644
index 00000000000..3147de1cb63
--- /dev/null
+++ b/mysql-test/t/openssl-poodle_6975.combinations
@@ -0,0 +1,6 @@
+[tlsv12]
+loose-ssl-cipher=TLSv1.2
+
+[sslv3]
+loose-ssl-cipher=SSLv3
+
diff --git a/mysql-test/t/openssl-poodle_6975.test b/mysql-test/t/openssl-poodle_6975.test
new file mode 100644
index 00000000000..bc6397c5c28
--- /dev/null
+++ b/mysql-test/t/openssl-poodle_6975.test
@@ -0,0 +1,38 @@
+#
+# MDEV-6975 Implement TLS protocol
+#
+# test SSLv3 and TLSv1.2 ciphers when OpenSSL is restricted to SSLv3 or TLSv1.2
+#
+source include/have_ssl_communication.inc;
+
+# this is OpenSSL test.
+
+grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
+grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
+
+let $mysql=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
+
+disable_abort_on_error;
+echo TLS1.2 ciphers: user is ok with any cipher;
+exec $mysql --ssl-cipher=AES128-SHA256;
+exec $mysql --ssl-cipher=TLSv1.2;
+echo TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA;
+exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA256;
+exec $mysql --user ssl_sslv3 --ssl-cipher=TLSv1.2;
+echo TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
+exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA256;
+exec $mysql --user ssl_tls12 --ssl-cipher=TLSv1.2;
+
+echo SSLv3 ciphers: user is ok with any cipher;
+exec $mysql --ssl-cipher=RC4-SHA;
+exec $mysql --ssl-cipher=SSLv3;
+echo SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA;
+exec $mysql --user ssl_sslv3 --ssl-cipher=RC4-SHA;
+exec $mysql --user ssl_sslv3 --ssl-cipher=SSLv3;
+echo SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
+exec $mysql --user ssl_tls12 --ssl-cipher=RC4-SHA;
+exec $mysql --user ssl_tls12 --ssl-cipher=SSLv3;
+
+drop user ssl_sslv3@localhost;
+drop user ssl_tls12@localhost;
+
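Review bot: The `exec $mysql ...` lines capture OpenSSL's raw error text, so both .result files pin `error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure`. That string is likely to differ between OpenSSL versions. Putting `--replace_regex /SSL connection error: .*/SSL connection error: <openssl error>/` before each exec would still record that the handshake was refused, without the library-specific code. The status query also reports only `Ssl_cipher`, and the `SSLv3` and `TLSv1.2` values here are cipher-list selectors. Also querying `Ssl_version` would show which protocol was actually negotiated, which is presumably what a POODLE-related test needs to demonstrate.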
diff --git a/mysql-test/t/openssl_1.test b/mysql-test/t/openssl_1.test
index 24980269a24..bee0e2cc720 100644
--- a/mysql-test/t/openssl_1.test
+++ b/mysql-test/t/openssl_1.test
@@ -132,6 +132,7 @@ drop table t1;
# verification of servers certificate by setting both ca certificate
# and ca path to NULL
#
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
--echo End of 5.0 tests
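Review bot: The added `--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA` has no comment explaining why the GCM suite is rewritten to the CBC one. Once it is applied, the recorded result can no longer tell which of the two ciphers was negotiated. A line above it such as `# negotiated cipher depends on whether the linked OpenSSL offers TLSv1.2; accept either` would document the intent, assuming that is the reason. The same undocumented substitution is added in the second hunk of this file and in the hunks of ssl.test and ssl_compress.test.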
@@ -258,6 +259,7 @@ select 'is still running; no cipher request crashed the server' as result from d
GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509;
FLUSH PRIVILEGES;
connect(con1,localhost,bug42158,,,,,SSL);
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con1;
connection default;
diff --git a/mysql-test/t/ssl.test b/mysql-test/t/ssl.test
index 341ec0591e7..d6f88fe888e 100644
--- a/mysql-test/t/ssl.test
+++ b/mysql-test/t/ssl.test
@@ -11,12 +11,14 @@
connect (ssl_con,localhost,root,,,,,SSL);
# Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
SHOW STATUS LIKE 'Ssl_cipher';
# Source select test case
-- source include/common-tests.inc
# Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
SHOW STATUS LIKE 'Ssl_cipher';
connection default;
diff --git a/mysql-test/t/ssl_8k_key-master.opt b/mysql-test/t/ssl_8k_key-master.opt
index b58ca7f39f0..531c0abc9f1 100644
--- a/mysql-test/t/ssl_8k_key-master.opt
+++ b/mysql-test/t/ssl_8k_key-master.opt
@@ -1 +1,3 @@
---loose-ssl-key=$MYSQL_TEST_DIR/std_data/server8k-key.pem --loose-ssl-cert=$MYSQL_TEST_DIR/std_data/server8k-cert.pem
+--loose-ssl-key=$MYSQL_TEST_DIR/std_data/server8k-key.pem
+--loose-ssl-cert=$MYSQL_TEST_DIR/std_data/server8k-cert.pem
+--loose-ssl-cipher=DHE-RSA-AES256-SHA
diff --git a/mysql-test/t/ssl_compress.test b/mysql-test/t/ssl_compress.test
index 8e0dea53fe7..5e45e3824a2 100644
--- a/mysql-test/t/ssl_compress.test
+++ b/mysql-test/t/ssl_compress.test
@@ -11,6 +11,7 @@
connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS);
# Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
SHOW STATUS LIKE 'Ssl_cipher';
# Check compression turned on
@@ -20,6 +21,7 @@ SHOW STATUS LIKE 'Compression';
-- source include/common-tests.inc
# Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
SHOW STATUS LIKE 'Ssl_cipher';
# Check compression turned on
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index 3fde307e4dd..c64bba338a4 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -190,8 +190,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
DBUG_RETURN(0);
if (!(ssl_fd->ssl_context= SSL_CTX_new(is_client_method ?
- TLSv1_client_method() :
- TLSv1_server_method())))
+ SSLv23_client_method() :
+ SSLv23_server_method())))
{
*error= SSL_INITERR_MEMFAIL;
DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
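Review bot: Nothing visible in this hunk sets a protocol floor after the switch to `SSLv23_client_method()` / `SSLv23_server_method()`. Those methods negotiate any version the library supports, including SSLv3 and, on older OpenSSL builds, SSLv2, whereas the removed TLSv1 methods could not fall back that far. If no options call follows in the part of new_VioSSLFd outside the hunk, add `SSL_CTX_set_options(ssl_fd->ssl_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` right after the context is created. That keeps TLSv1.0 and later negotiable while excluding the protocol versions affected by POODLE.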