Commit cb8f837a authored by Sergei Golubchik's avatar Sergei Golubchik

MDEV-6975 Implement TLS protocol

change SSL methods to be SSLv23 (according to openssl manpage:
"A TLS/SSL connection established with these methods may understand
the SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols") from
TLSv1 methods, that go back to the initial SSL implementation
in MySQL in 2001.

OpenSSL default ciphers are different if TLSv1.2 is enabled,
so tests need to take this into account.
parent 386e2e52
......@@ -4801,6 +4801,8 @@ sub extract_warning_lines ($$) {
qr|feedback plugin: failed to retrieve the MAC address|,
qr|Plugin 'FEEDBACK' init function returned error|,
qr|Plugin 'FEEDBACK' registration as a INFORMATION SCHEMA failed|,
qr|Failed to setup SSL|,
qr|SSL error: Failed to set ciphers to use|,
);
my $matched_lines= [];
......
grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
TLS1.2 ciphers: user is ok with any cipher
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
SSLv3 ciphers: user is ok with any cipher
Variable_name Value
Ssl_cipher RC4-SHA
Variable_name Value
Ssl_cipher DHE-RSA-AES256-SHA
SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA
Variable_name Value
Ssl_cipher RC4-SHA
ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256
ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
drop user ssl_sslv3@localhost;
drop user ssl_tls12@localhost;
grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
TLS1.2 ciphers: user is ok with any cipher
Variable_name Value
Ssl_cipher AES128-SHA256
Variable_name Value
Ssl_cipher DHE-RSA-AES256-GCM-SHA384
TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA
ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256
Variable_name Value
Ssl_cipher AES128-SHA256
ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
SSLv3 ciphers: user is ok with any cipher
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
drop user ssl_sslv3@localhost;
drop user ssl_tls12@localhost;
[tlsv12]
loose-ssl-cipher=TLSv1.2
[sslv3]
loose-ssl-cipher=SSLv3
#
# MDEV-6975 Implement TLS protocol
#
# test SSLv3 and TLSv1.2 ciphers when OpenSSL is restricted to SSLv3 or TLSv1.2
#
source include/have_ssl_communication.inc;
# this is OpenSSL test.
grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
let $mysql=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
disable_abort_on_error;
echo TLS1.2 ciphers: user is ok with any cipher;
exec $mysql --ssl-cipher=AES128-SHA256;
exec $mysql --ssl-cipher=TLSv1.2;
echo TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA;
exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA256;
exec $mysql --user ssl_sslv3 --ssl-cipher=TLSv1.2;
echo TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA256;
exec $mysql --user ssl_tls12 --ssl-cipher=TLSv1.2;
echo SSLv3 ciphers: user is ok with any cipher;
exec $mysql --ssl-cipher=RC4-SHA;
exec $mysql --ssl-cipher=SSLv3;
echo SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA;
exec $mysql --user ssl_sslv3 --ssl-cipher=RC4-SHA;
exec $mysql --user ssl_sslv3 --ssl-cipher=SSLv3;
echo SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
exec $mysql --user ssl_tls12 --ssl-cipher=RC4-SHA;
exec $mysql --user ssl_tls12 --ssl-cipher=SSLv3;
drop user ssl_sslv3@localhost;
drop user ssl_tls12@localhost;
......@@ -132,6 +132,7 @@ drop table t1;
# verification of servers certificate by setting both ca certificate
# and ca path to NULL
#
--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
--echo End of 5.0 tests
......@@ -258,6 +259,7 @@ select 'is still running; no cipher request crashed the server' as result from d
GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509;
FLUSH PRIVILEGES;
connect(con1,localhost,bug42158,,,,,SSL);
--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con1;
connection default;
......
......@@ -11,12 +11,14 @@
connect (ssl_con,localhost,root,,,,,SSL);
# Check ssl turned on
--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
SHOW STATUS LIKE 'Ssl_cipher';
# Source select test case
-- source include/common-tests.inc
# Check ssl turned on
--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
SHOW STATUS LIKE 'Ssl_cipher';
connection default;
......
--loose-ssl-key=$MYSQL_TEST_DIR/std_data/server8k-key.pem --loose-ssl-cert=$MYSQL_TEST_DIR/std_data/server8k-cert.pem
--loose-ssl-key=$MYSQL_TEST_DIR/std_data/server8k-key.pem
--loose-ssl-cert=$MYSQL_TEST_DIR/std_data/server8k-cert.pem
--loose-ssl-cipher=DHE-RSA-AES256-SHA
......@@ -11,6 +11,7 @@
connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS);
# Check ssl turned on
--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
SHOW STATUS LIKE 'Ssl_cipher';
# Check compression turned on
......@@ -20,6 +21,7 @@ SHOW STATUS LIKE 'Compression';
-- source include/common-tests.inc
# Check ssl turned on
--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
SHOW STATUS LIKE 'Ssl_cipher';
# Check compression turned on
......
......@@ -190,8 +190,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
DBUG_RETURN(0);
if (!(ssl_fd->ssl_context= SSL_CTX_new(is_client_method ?
TLSv1_client_method() :
TLSv1_server_method())))
SSLv23_client_method() :
SSLv23_server_method())))
{
*error= SSL_INITERR_MEMFAIL;
DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment