WL#9072: Backport WL#8785 to 5.5

b3e9211e · Ramil Kalimullin · d9c541cb · b3e9211e · b3e9211e · b3e9211e
Commit b3e9211e authored Feb 19, 2016 by Ramil Kalimullin
18 changed files
--- a/client/client_priv.h
+++ b/client/client_priv.h
 /*
-   Copyright (c) 2001, 2012, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -88,6 +88,7 @@ enum options_client
  OPT_DEFAULT_AUTH,
  OPT_DEFAULT_PLUGIN,
  OPT_ENABLE_CLEARTEXT_PLUGIN,
+  OPT_SSL_MODE,
  OPT_MAX_CLIENT_OPTION
 };
@@ -111,3 +112,36 @@ enum options_client
 */
 #define PERFORMANCE_SCHEMA_DB_NAME "performance_schema"
+/**
+  Wrapper for mysql_real_connect() that checks if SSL connection is establised.
+  The function calls mysql_real_connect() first, then if given ssl_required==TRUE
+  argument (i.e. --ssl-mode=REQUIRED option used) checks current SSL chiper to
+  ensure that SSL is used for current connection.
+  Otherwise it returns NULL and sets errno to CR_SSL_CONNECTION_ERROR.
+  All clients (except mysqlbinlog which disregards SSL options) use this function
+  instead of mysql_real_connect() to handle --ssl-mode=REQUIRED option.
+*/
+MYSQL *mysql_connect_ssl_check(MYSQL *mysql_arg, const char *host,
+                               const char *user, const char *passwd,
+                               const char *db, uint port,
+                               const char *unix_socket, ulong client_flag,
+                               my_bool ssl_required __attribute__((unused)))
+{
+  MYSQL *mysql= mysql_real_connect(mysql_arg, host, user, passwd, db, port,
+                                   unix_socket, client_flag);
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+  if (mysql &&                                   /* connection established. */
+      ssl_required &&                            /* --ssl-mode=REQUIRED. */
+      !mysql_get_ssl_cipher(mysql))              /* non-SSL connection. */
+  {
+    NET *net= &mysql->net;
+    net->last_errno= CR_SSL_CONNECTION_ERROR;
+    strmov(net->last_error, "--ssl-mode=REQUIRED option forbids non SSL connections");
+    strmov(net->sqlstate, "HY000");
+    return NULL;
+  }
+#endif
+  return mysql;
+}
--- a/client/mysql.cc
+++ b/client/mysql.cc
 /*
-   Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -1316,8 +1316,9 @@ sig_handler handle_sigint(int sig)
  }
  kill_mysql= mysql_init(kill_mysql);
-  if (!mysql_real_connect(kill_mysql,current_host, current_user, opt_password,
+  if (!mysql_connect_ssl_check(kill_mysql, current_host, current_user, opt_password,
-                          "", opt_mysql_port, opt_mysql_unix_port,0))
+                               "", opt_mysql_port, opt_mysql_unix_port, 0,
+                               opt_ssl_required))
  {
    tee_fprintf(stdout, "Ctrl-C -- sorry, cannot connect to server to kill query, giving up ...\n");
    goto err;
@@ -4457,9 +4458,10 @@ sql_real_connect(char *host,char *database,char *user,char *password,
    mysql_options(&mysql, MYSQL_ENABLE_CLEARTEXT_PLUGIN, 
                  (char*) &opt_enable_cleartext_plugin);
-  if (!mysql_real_connect(&mysql, host, user, password,
+  if (!mysql_connect_ssl_check(&mysql, host, user, password,
-                          database, opt_mysql_port, opt_mysql_unix_port,
+                               database, opt_mysql_port, opt_mysql_unix_port,
-                          connect_flag | CLIENT_MULTI_STATEMENTS))
+                               connect_flag | CLIENT_MULTI_STATEMENTS,
+                               opt_ssl_required))
  {
    if (!silent ||
 	(mysql_errno(&mysql) != CR_CONN_HOST_ERROR &&

--- a/client/mysql_upgrade.c
+++ b/client/mysql_upgrade.c
 /*
-   Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -307,6 +307,7 @@ get_one_option(int optid, const struct my_option *opt,
  case OPT_DEFAULT_AUTH:                        /* --default-auth */
    add_one_option(&conn_args, opt, argument);
    break;
+#include <sslopt-case.h>
  }
  if (add_option)
@@ -386,6 +387,10 @@ static int run_tool(char *tool_path, DYNAMIC_STRING *ds_res, ...)
  va_end(args);
+  /* If given --ssl-mode=REQUIRED propagate it to the tool. */
+  if (opt_ssl_required)
+    dynstr_append(&ds_cmdline, "--ssl-mode=REQUIRED");
 #ifdef __WIN__
  dynstr_append(&ds_cmdline, "\"");
 #endif

--- a/client/mysqladmin.cc
+++ b/client/mysqladmin.cc
 /*
-   Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -518,8 +518,9 @@ static my_bool sql_connect(MYSQL *mysql, uint wait)
  for (;;)
  {
-    if (mysql_real_connect(mysql,host,user,opt_password,NullS,tcp_port,
+    if (mysql_connect_ssl_check(mysql, host, user, opt_password, NullS,
-			   unix_port, CLIENT_REMEMBER_OPTIONS))
+                                tcp_port, unix_port,
+                                CLIENT_REMEMBER_OPTIONS, opt_ssl_required))
    {
      mysql->reconnect= 1;
      if (info)

--- a/client/mysqlcheck.c
+++ b/client/mysqlcheck.c
 /*
-   Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -894,8 +894,10 @@ static int dbConnect(char *host, char *user, char *passwd)
                  (char *) &opt_enable_cleartext_plugin);
  mysql_options(&mysql_connection, MYSQL_SET_CHARSET_NAME, default_charset);
-  if (!(sock = mysql_real_connect(&mysql_connection, host, user, passwd,
+  if (!(sock = mysql_connect_ssl_check(&mysql_connection, host, user, passwd,
-         NULL, opt_mysql_port, opt_mysql_unix_port, 0)))
+                                       NULL, opt_mysql_port,
+                                       opt_mysql_unix_port, 0,
+                                       opt_ssl_required)))
  {
    DBerror(&mysql_connection, "when trying to connect");
    return 1;

--- a/client/mysqldump.c
+++ b/client/mysqldump.c
 /*
-   Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -1498,9 +1498,10 @@ static int connect_to_db(char *host, char *user,char *passwd)
    mysql_options(&mysql_connection, MYSQL_ENABLE_CLEARTEXT_PLUGIN,
                  (char *) &opt_enable_cleartext_plugin);
-  if (!(mysql= mysql_real_connect(&mysql_connection,host,user,passwd,
+  if (!(mysql= mysql_connect_ssl_check(&mysql_connection, host, user,
-                                  NULL,opt_mysql_port,opt_mysql_unix_port,
+                                       passwd, NULL, opt_mysql_port,
-                                  0)))
+                                       opt_mysql_unix_port, 0,
+                                       opt_ssl_required)))
  {
    DB_error(&mysql_connection, "when trying to connect");
    DBUG_RETURN(1);

--- a/client/mysqlimport.c
+++ b/client/mysqlimport.c
 /*
-   Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -449,9 +449,9 @@ static MYSQL *db_connect(char *host, char *database,
                  (char*)&opt_enable_cleartext_plugin);
  mysql_options(mysql, MYSQL_SET_CHARSET_NAME, default_charset);
-  if (!(mysql_real_connect(mysql,host,user,passwd,
+  if (!(mysql_connect_ssl_check(mysql, host, user, passwd, database,
-                           database,opt_mysql_port,opt_mysql_unix_port,
+                                opt_mysql_port, opt_mysql_unix_port,
-                           0)))
+                                0, opt_ssl_required)))
  {
    ignore_errors=0;	  /* NO RETURN FROM db_error */
    db_error(mysql);

--- a/client/mysqlshow.c
+++ b/client/mysqlshow.c
 /*
-   Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -139,10 +139,10 @@ int main(int argc, char **argv)
    mysql_options(&mysql, MYSQL_ENABLE_CLEARTEXT_PLUGIN,
                  (char*)&opt_enable_cleartext_plugin);
-  if (!(mysql_real_connect(&mysql,host,user,opt_password,
+  if (!(mysql_connect_ssl_check(&mysql, host, user, opt_password,
-			   (first_argument_uses_wildcards) ? "" :
+			        (first_argument_uses_wildcards) ? "" :
-                           argv[0],opt_mysql_port,opt_mysql_unix_port,
+                                argv[0], opt_mysql_port, opt_mysql_unix_port,
-			   0)))
+			        0, opt_ssl_required)))
  {
    fprintf(stderr,"%s: %s\n",my_progname,mysql_error(&mysql));
    exit(1);

--- a/client/mysqlslap.c
+++ b/client/mysqlslap.c
 /*
-   Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -355,9 +355,9 @@ int main(int argc, char **argv)
                  (char*) &opt_enable_cleartext_plugin);
  if (!opt_only_print) 
  {
-    if (!(mysql_real_connect(&mysql, host, user, opt_password,
+    if (!(mysql_connect_ssl_check(&mysql, host, user, opt_password,
-                             NULL, opt_mysql_port,
+                                  NULL, opt_mysql_port, opt_mysql_unix_port,
-                             opt_mysql_unix_port, connect_flags)))
+                                  connect_flags, opt_ssl_required)))
    {
      fprintf(stderr,"%s: Error when connecting to server: %s\n",
              my_progname,mysql_error(&mysql));

--- a/client/mysqltest.cc
+++ b/client/mysqltest.cc
-/* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -5281,8 +5281,9 @@ void safe_connect(MYSQL* mysql, const char *name, const char *host,
  verbose_msg("Connecting to server %s:%d (socket %s) as '%s'"
              ", connection '%s', attempt %d ...", 
              host, port, sock, user, name, failed_attempts);
-  while(!mysql_real_connect(mysql, host,user, pass, db, port, sock,
+  while(!mysql_connect_ssl_check(mysql, host,user, pass, db, port, sock,
-                            CLIENT_MULTI_STATEMENTS | CLIENT_REMEMBER_OPTIONS))
+                                 CLIENT_MULTI_STATEMENTS | CLIENT_REMEMBER_OPTIONS,
+                                 opt_ssl_required))
  {
    /*
      Connect failed
@@ -5382,8 +5383,9 @@ int connect_n_handle_errors(struct st_command *command,
    dynstr_append_mem(ds, ";\n", 2);
  }
-  while (!mysql_real_connect(con, host, user, pass, db, port, sock ? sock: 0,
+  while (!mysql_connect_ssl_check(con, host, user, pass, db, port,
-                          CLIENT_MULTI_STATEMENTS))
+                                  sock ? sock: 0, CLIENT_MULTI_STATEMENTS,
+                                  opt_ssl_required))
  {
    /*
      If we have used up all our connections check whether this

--- a/include/sslopt-case.h
+++ b/include/sslopt-case.h
 #ifndef SSLOPT_CASE_INCLUDED
 #define SSLOPT_CASE_INCLUDED
-/* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -28,5 +28,18 @@
    */
      opt_use_ssl= 1;
      break;
+#ifdef MYSQL_CLIENT
+    case OPT_SSL_MODE:
+      if (my_strcasecmp(&my_charset_latin1, argument, "required"))
+      {
+        fprintf(stderr,
+                "Unknown value to --ssl-mode: '%s'. Use --ssl-mode=REQUIRED\n",
+                argument);
+        exit(1);
+      }
+      else
+        opt_ssl_required= 1;
+      break;
+#endif /* MYSQL_CLIENT */
 #endif
 #endif /* SSLOPT_CASE_INCLUDED */
--- a/include/sslopt-longopts.h
+++ b/include/sslopt-longopts.h
 #ifndef SSLOPT_LONGOPTS_INCLUDED
 #define SSLOPT_LONGOPTS_INCLUDED
-/* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -44,6 +44,9 @@
   "when connecting. This option is disabled by default.",
   &opt_ssl_verify_server_cert, &opt_ssl_verify_server_cert,
   0, GET_BOOL, OPT_ARG, 0, 0, 0, 0, 0, 0},
+  {"ssl-mode", OPT_SSL_MODE,
+   "SSL connection mode.",
+   0, 0, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
 #endif
 #endif /* HAVE_OPENSSL */
 #endif /* SSLOPT_LONGOPTS_INCLUDED */
--- a/include/sslopt-vars.h
+++ b/include/sslopt-vars.h
 #ifndef SSLOPT_VARS_INCLUDED
 #define SSLOPT_VARS_INCLUDED
-/* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -28,8 +28,14 @@ SSL_STATIC char *opt_ssl_capath = 0;
 SSL_STATIC char *opt_ssl_cert   = 0;
 SSL_STATIC char *opt_ssl_cipher = 0;
 SSL_STATIC char *opt_ssl_key    = 0;
 #ifdef MYSQL_CLIENT
 SSL_STATIC my_bool opt_ssl_verify_server_cert= 0;
-#endif
+SSL_STATIC my_bool opt_ssl_required= 0;
-#endif
+#endif /* MYSQL_CLIENT */
+#else /* HAVE_OPENSSL */
+#define opt_ssl_required 0
+#endif /* HAVE_OPENSSL */
 #endif /* SSLOPT_VARS_INCLUDED */
--- a/mysql-test/r/ssl_mode.result
+++ b/mysql-test/r/ssl_mode.result
+# positive client tests
+# mysql
+Variable_name	Value
+Ssl_cipher	DHE-RSA-AES256-SHA
+Variable_name	Value
+Ssl_cipher	DHE-RSA-AES256-SHA
+CREATE TABLE t1(a INT);
+INSERT INTO t1 VALUES(0);
+# mysqldump
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `t1` (
+  `a` int(11) DEFAULT NULL
+) ENGINE=MyISAM DEFAULT CHARSET=latin1;
+/*!40101 SET character_set_client = @saved_cs_client */;
+INSERT INTO `t1` VALUES (0);
+# mysqladmin
+mysqld is alive
+# mysqlcheck
+test.t1                                            OK
+# mysqlimport
+CREATE TABLE words(a VARCHAR(255));
+test.words: Records: 70  Deleted: 0  Skipped: 0  Warnings: 0
+DROP TABLE words;
+# mysqlshow
+Database: test
+--------+
+| Tables |
+--------+
+| t1     |
+--------+
+# mysqlslap
+# mysqltest
+Output from mysqltest-x.inc
+DROP TABLE t1;
+# negative client tests
+# mysql
+Unknown value to --ssl-mode: ''. Use --ssl-mode=REQUIRED
+Unknown value to --ssl-mode: 'DERIUQER'. Use --ssl-mode=REQUIRED
+ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+End of tests
--- a/mysql-test/r/ssl_mode_no_ssl.result
+++ b/mysql-test/r/ssl_mode_no_ssl.result
+# negative client tests
+# mysql
+ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+# mysqldump
+mysqldump: Got error: 2026: --ssl-mode=REQUIRED option forbids non SSL connections when trying to connect
+# mysqladmin
+mysqladmin: error: '--ssl-mode=REQUIRED option forbids non SSL connections'
+# mysqlcheck
+mysqlcheck: Got error: 2026: --ssl-mode=REQUIRED option forbids non SSL connections when trying to connect
+# mysqlimport
+mysqlimport: Error: 2026 --ssl-mode=REQUIRED option forbids non SSL connections
+# mysqlshow
+mysqlshow: --ssl-mode=REQUIRED option forbids non SSL connections
+# mysqlslap
+mysqlslap: Error when connecting to server: --ssl-mode=REQUIRED option forbids non SSL connections
+# mysqltest
+mysqltest: Could not open connection 'default': 2026 --ssl-mode=REQUIRED option forbids non SSL connections
+End of tests
--- a/mysql-test/t/ssl_mode.test
+++ b/mysql-test/t/ssl_mode.test
+-- source include/not_embedded.inc
+-- source include/have_ssl_communication.inc
+--echo # positive client tests
+--echo # mysql
+--exec $MYSQL test --ssl-mode=ReQuIrEd --ssl-cipher=DHE-RSA-AES256-SHA -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1
+--exec $MYSQL test --ssl-mode=REQUIRED --ssl --ssl-cipher=DHE-RSA-AES256-SHA -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1
+CREATE TABLE t1(a INT);
+INSERT INTO t1 VALUES(0);
+--echo # mysqldump
+--exec $MYSQL_DUMP --ssl-mode=REQUIRED --ssl-cipher=DHE-RSA-AES256-SHA --compact --skip-comments test 2>&1
+--echo # mysqladmin
+--exec $MYSQLADMIN --ssl-mode=REQUIRED --ssl-cipher=DHE-RSA-AES256-SHA -S $MASTER_MYSOCK -P $MASTER_MYPORT -u root --password= ping 2>&1
+--echo # mysqlcheck
+--exec $MYSQL_CHECK --ssl-mode=REQUIRED --ssl-cipher=DHE-RSA-AES256-SHA test 2>&1
+--echo # mysqlimport
+CREATE TABLE words(a VARCHAR(255));
+--exec $MYSQL_IMPORT --ssl-mode=REQUIRED --ssl-cipher=DHE-RSA-AES256-SHA test $MYSQLTEST_VARDIR/std_data/words.dat 2>&1
+DROP TABLE words;
+--echo # mysqlshow
+--exec $MYSQL_SHOW --ssl-mode=REQUIRED --ssl-cipher=DHE-RSA-AES256-SHA test 2>&1
+--echo # mysqlslap
+--exec $MYSQL_SLAP --ssl-mode=REQUIRED --ssl-cipher=DHE-RSA-AES256-SHA --create-schema=test --query="select * from t1" --silent 2>&1
+--echo # mysqltest
+--exec $MYSQL_TEST --ssl-mode=REQUIRED --ssl-cipher=DHE-RSA-AES256-SHA -x $MYSQL_TEST_DIR/include/mysqltest-x.inc 2>&1
+DROP TABLE t1;
+--echo # negative client tests
+--echo # mysql
+--error 5
+--exec $MYSQL test --ssl-mode
+--error 1
+--exec $MYSQL test --ssl-mode= 2>&1
+--error 1
+--exec $MYSQL test --ssl-mode=DERIUQER 2>&1
+--error 1
+--exec $MYSQL test --ssl-mode=REQUIRED 2>&1
+--error 1
+--exec $MYSQL test --ssl-mode=REQUIRED --ssl 2>&1
+--error 1
+--exec $MYSQL test --ssl-mode=REQUIRED --ssl-cipher=DHE-RSA-AES256-SHA --skip-ssl 2>&1
+--echo
+--echo End of tests
--- a/mysql-test/t/ssl_mode_no_ssl-master.opt
+++ b/mysql-test/t/ssl_mode_no_ssl-master.opt
+--skip-ssl
--- a/mysql-test/t/ssl_mode_no_ssl.test
+++ b/mysql-test/t/ssl_mode_no_ssl.test
+-- source include/not_embedded.inc
+--echo # negative client tests
+--echo # mysql
+--error 1
+--exec $MYSQL test --ssl-mode=REQUIRED 2>&1
+--error 1
+--exec $MYSQL test --ssl-mode=REQUIRED --ssl 2>&1
+--error 1
+--exec $MYSQL test --ssl-mode=REQUIRED --ssl-cipher=DHE-RSA-AES256-SHA 2>&1
+--error 1
+--exec $MYSQL test --ssl-mode=REQUIRED --ssl --ssl-cipher=DHE-RSA-AES256-SHA 2>&1
+--echo # mysqldump
+--error 2
+--exec $MYSQL_DUMP --ssl-mode=REQUIRED test 2>&1
+--echo # mysqladmin
+--replace_regex /.*mysqladmin.*/mysqladmin: /
+--error 1
+--exec $MYSQLADMIN --ssl-mode=REQUIRED -S $MASTER_MYSOCK -P $MASTER_MYPORT -u root --password= ping 2>&1
+--echo # mysqlcheck
+--replace_regex /.*mysqlcheck(\.exe)*/mysqlcheck/
+--error 2
+--exec $MYSQL_CHECK --ssl-mode=REQUIRED test 2>&1
+--echo # mysqlimport
+--replace_regex /.*mysqlimport(\.exe)*/mysqlimport/
+--error 1
+--exec $MYSQL_IMPORT --ssl-mode=REQUIRED test $MYSQLTEST_VARDIR/tmp/t1.txt 2>&1
+--echo # mysqlshow
+--replace_regex /.*mysqlshow(\.exe)*/mysqlshow/
+--error 1
+--exec $MYSQL_SHOW --ssl-mode=REQUIRED test 2>&1
+--echo # mysqlslap
+--replace_regex /.*mysqlslap(\.exe)*/mysqlslap/
+--error 1
+--exec $MYSQL_SLAP --ssl-mode=REQUIRED 2>&1
+--echo # mysqltest
+--error 1
+--exec $MYSQL_TEST --ssl-mode=REQUIRED -x $MYSQL_TEST_DIR/include/mysqltest-x.inc 2>&1
+--echo
+--echo End of tests