diff options
Diffstat (limited to 'mysql-test/main/openssl_1.test')
-rw-r--r-- | mysql-test/main/openssl_1.test | 268 |
1 files changed, 268 insertions, 0 deletions
diff --git a/mysql-test/main/openssl_1.test b/mysql-test/main/openssl_1.test new file mode 100644 index 00000000000..a3db700f787 --- /dev/null +++ b/mysql-test/main/openssl_1.test @@ -0,0 +1,268 @@ +# Tests for SSL connections, only run if mysqld is compiled +# with support for SSL. + +-- source include/have_ssl_communication.inc + +# Save the initial number of concurrent sessions +--source include/count_sessions.inc + +set local sql_mode=""; +set global sql_mode=""; + +--disable_warnings +drop table if exists t1; +--enable_warnings +create table t1(f1 int); +insert into t1 values (5); + +grant select on test.* to ssl_user1@localhost require SSL; +grant select on test.* to ssl_user2@localhost require cipher "AES256-SHA"; +grant select on test.* to ssl_user3@localhost require cipher "AES256-SHA" AND SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client"; +grant select on test.* to ssl_user4@localhost require cipher "AES256-SHA" AND SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client" ISSUER "/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB"; +grant select on test.* to ssl_user5@localhost require cipher "AES256-SHA" AND SUBJECT "xxx"; +flush privileges; + +connect (con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA); +--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT +--error ER_ACCESS_DENIED_ERROR +connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA); +connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA); +connect (con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA); +connect (con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA); +--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT +--error ER_ACCESS_DENIED_ERROR +connect (con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA); + +connection con1; +# Check ssl turned on +SHOW STATUS LIKE 'Ssl_cipher'; +select * from t1; +--error ER_TABLEACCESS_DENIED_ERROR +delete from t1; + +connection con2; +# Check ssl turned on +SHOW STATUS LIKE 'Ssl_cipher'; +select * from t1; +--error ER_TABLEACCESS_DENIED_ERROR +delete from t1; + +connection con3; +# Check ssl turned on +SHOW STATUS LIKE 'Ssl_cipher'; +select * from t1; +--error ER_TABLEACCESS_DENIED_ERROR +delete from t1; + +connection con4; +# Check ssl turned on +SHOW STATUS LIKE 'Ssl_cipher'; +select * from t1; +--error ER_TABLEACCESS_DENIED_ERROR +delete from t1; + +connection default; +disconnect con1; +disconnect con2; +disconnect con3; +disconnect con4; +drop user ssl_user1@localhost, ssl_user2@localhost, +ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost; + +drop table t1; + +# End of 4.1 tests + +# +# Test that we can't open connection to server if we are using +# a different cacert +# +--exec echo "this query should not execute;" > $MYSQLTEST_VARDIR/tmp/test.sql +# Handle that openssl gives different error messages from YaSSL. +--replace_regex /2026 SSL connection error.*/2026 SSL connection error: xxxx/ +--error 1 +--exec $MYSQL_TEST --ssl-ca=$MYSQL_TEST_DIR/std_data/untrusted-cacert.pem --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 +--echo + +# +# Test that we can't open connection to server if we are using +# a blank ca +# +--replace_regex /2026 SSL connection error.*/2026 SSL connection error: xxxx/ +--error 1 +--exec $MYSQL_TEST --ssl-ca= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 +--echo + +# +# Test that we can't open connection to server if we are using +# a nonexistent ca file +# +--replace_regex /2026 SSL connection error.*/2026 SSL connection error: xxxx/ +--error 1 +--exec $MYSQL_TEST --ssl-ca=nonexisting_file.pem --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 +--echo + +# +# Test that we can't open connection to server if we are using +# a blank client-key +# +--replace_regex /2026 SSL connection error.*/2026 SSL connection error: xxxx/ +--error 1 +--exec $MYSQL_TEST --ssl-key= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 +--echo + +# +# Test that we can't open connection to server if we are using +# a blank client-cert +# +--replace_regex /2026 SSL connection error.*/2026 SSL connection error: xxxx/ +--error 1 +--exec $MYSQL_TEST --ssl-cert= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 +--echo + +# +# Bug#21611 Slave can't connect when master-ssl-cipher specified +# - Apparently selecting a cipher doesn't work at all +# - Use a cipher that both yaSSL and OpenSSL supports +# +--exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit;" > $MYSQLTEST_VARDIR/tmp/test.sql +--exec $MYSQL_TEST --ssl-cipher=AES256-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 + +# +# Bug#25309 SSL connections without CA certificate broken since MySQL 5.0.23 +# +# Test that we can open encrypted connection to server without +# verification of servers certificate by setting both ca certificate +# and ca path to NULL +# +--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SELECT (VARIABLE_VALUE <> '') AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher'" 2>&1 +--echo End of 5.0 tests + +# +# Bug#26174 Server Crash: INSERT ... SELECT ... FROM I_S.GLOBAL_STATUS in +# Event (see also information_schema.test for the other part of test for +# this bug). +# +--disable_warnings +DROP TABLE IF EXISTS thread_status; +DROP EVENT IF EXISTS event_status; +--enable_warnings + +SET GLOBAL event_scheduler=1; + +DELIMITER $$; + +CREATE EVENT event_status + ON SCHEDULE AT NOW() + ON COMPLETION NOT PRESERVE + DO +BEGIN + CREATE TABLE thread_status + SELECT variable_name, variable_value + FROM information_schema.session_status + WHERE variable_name LIKE 'SSL_ACCEPTS' OR + variable_name LIKE 'SSL_CALLBACK_CACHE_HITS'; +END$$ + +DELIMITER ;$$ + +let $wait_condition=select count(*) = 0 from information_schema.events where event_name='event_status'; +--source include/wait_condition.inc + +# The actual value doesn't matter and can vary based on test ordering and on ssl library. +--replace_column 2 # +SELECT variable_name, variable_value FROM thread_status; + +DROP TABLE thread_status; +SET GLOBAL event_scheduler=0; + +# +# Test to connect using a list of ciphers +# +--exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit;" > $MYSQLTEST_VARDIR/tmp/test.sql +--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER:AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 + + +# Test to connect using a specifi cipher +# +--exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit;" > $MYSQLTEST_VARDIR/tmp/test.sql +--exec $MYSQL_TEST --ssl-cipher=AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 + +# Test to connect using an unknown cipher +# +--exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit" > $MYSQLTEST_VARDIR/tmp/test.sql +--replace_regex /2026 SSL connection error.*/2026 SSL connection error: xxxx/ +--error 1 +--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 + +# +# Bug#27669 mysqldump: SSL connection error when trying to connect +# + +CREATE TABLE t1(a int); +INSERT INTO t1 VALUES (1), (2); + +# Run mysqldump +--exec $MYSQL_DUMP --skip-create-options --skip-comments --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test t1 + +--exec $MYSQL_DUMP --skip-create-options --skip-comments --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test + +--exec $MYSQL_DUMP --skip-create-options --skip-comments --ssl --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test + +# With wrong parameters +--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR mysqldump.exe mysqldump +--replace_regex /\"SSL connection error.*/SSL connection error: xxxx/ +--error 2 +--exec $MYSQL_DUMP --skip-create-options --skip-comments --ssl --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test 2>&1 +--echo +DROP TABLE t1; +--remove_file $MYSQLTEST_VARDIR/tmp/test.sql + +# +# Bug#39172 Asking for DH+non-RSA key with server set to use other key caused +# YaSSL to crash the server. +# + +# Common ciphers to openssl and yassl +--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES256-SHA +--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES128-SHA +--disable_query_log +--disable_result_log + +# Below here caused crashes. ################ +--error 1,0 +--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=NOT----EXIST +# These probably exist but the server's keys can't be used to accept these kinds of connections. +--error 1,0 +--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=AES128-RMD + +# If this gives a result, then the bug is fixed. +--enable_result_log +--enable_query_log +select 'is still running; no cipher request crashed the server' as result from dual; + +# +# Bug#42158: leak: SSL_get_peer_certificate() doesn't have matching X509_free() +# + +GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509; +FLUSH PRIVILEGES; +connect(con1,localhost,bug42158,,,,,SSL); +SELECT (VARIABLE_VALUE <> '') AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher'; +disconnect con1; +connection default; +DROP USER bug42158@localhost; + +set global sql_mode=default; +--echo End of 5.1 tests + +# +# MDEV-9605 mysqlbinlog does not accept ssl-ca option as expected. +# + +--replace_regex /SSL connection error:.*/SSL connection error/ +--error 1 +--exec $MYSQL_BINLOG --read-from-remote-server --ssl-ca --user=root --host=localhost nobinlog.111111 2>&1 + +# Wait till we reached the initial number of concurrent sessions +--source include/wait_until_count_sessions.inc |