MDEV-33430 - Fix self-signed certificate errors on Windows

Adjust test after fixing the C/C. On Windows, use --host=127.0.0.2 to fake "insecure" transport with TCP connection for test purposes. 127.0.0.2 is loopback address, that can be used instead of usual 127.0.0.1 Unfortunately, this technique does not work on all *nixes the same, notably neither on BSDs nor Solaris. Thus default --host=localhost remains "insecure" transport,when TCP is used. but it is not that critical, the "self-signed" is not nearly as annoying on *nixes as it is on Windows.
MariaDB · Feb 9, 2024 · 4eac842 · 4eac842
1 parent 9500575
commit 4eac842
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 18 deletions.
diff --git a/libmariadb b/libmariadb
diff --git a/mysql-test/main/ssl_7937.test b/mysql-test/main/ssl_7937.test
@@ -20,9 +20,15 @@ create procedure have_ssl()
 --echo mysql --ssl-ca=cacert.pem --ssl-verify-server-cert -e "call test.have_ssl()"
 --exec $MYSQL --protocol tcp --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
 
+let $is_win = `select convert(@@version_compile_os using latin1) IN ("Win32","Win64","Windows")`;
+let $host=;
+if($is_win)
+{
+  let $host=--host=127.0.0.2;
+}
 --echo mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()"
 --replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
---exec $MYSQL --protocol tcp --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
 
 --echo #
 --echo # MDEV-27105 --ssl option set as default for mariadb CLI

diff --git a/mysql-test/main/ssl_autoverify,win.rdiff b/mysql-test/main/ssl_autoverify,win.rdiff
@@ -1,6 +1,6 @@
---- a/mysql-test/main/ssl_autoverify.result
-+++ b/mysql-test/main/ssl_autoverify.result
-@@ -22,9 +22,9 @@ ERROR 2026 (HY000): TLS/SSL error: Failed to verify the server certificate
+--- ssl_autoverify.result	2024-02-08 23:55:13.779166100 +0100
++++ ssl_autoverify,win.reject	2024-02-08 23:55:46.988212400 +0100
+@@ -22,9 +22,9 @@
  WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.
  test.have_ssl()
  yes
@@ -9,10 +9,10 @@
  test.have_ssl()
 -yes
 +no
- # mysql -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()"
+ # mysql --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
  test.have_ssl()
  yes
-@@ -42,16 +42,6 @@ yes
+@@ -45,16 +45,6 @@
  # mysql -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()"
  test.have_ssl()
  yes

diff --git a/mysql-test/main/ssl_autoverify.result b/mysql-test/main/ssl_autoverify.result
@@ -25,6 +25,9 @@ yes
 # mysql --protocol socket -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
 test.have_ssl()
 yes
+# mysql --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
+test.have_ssl()
+yes
 # mysql -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()"
 test.have_ssl()
 yes

diff --git a/mysql-test/main/ssl_autoverify.test b/mysql-test/main/ssl_autoverify.test
@@ -25,6 +25,15 @@ create function have_ssl() returns char(3)
   from information_schema.session_status
   where variable_name='ssl_cipher');
 
+let host=;
+if ($MTR_COMBINATION_WIN) {
+  # 127.0.0.2 (and generally 127.0.0.0/8) works on Windows the same as 127.0.0.1,
+  # i.e client can connect if server listens on IPv4 loopback
+  #
+  # We use 127.0.0.2 as it does not match any of "localhost","127.0.0.1","::1"
+  # thus it is not considered "secure transport" by the connector/C
+  let host=--host=127.0.0.2;
+}
 #
 # root user, no password, so cannot validate cert.
 #
@@ -33,13 +42,13 @@ create function have_ssl() returns char(3)
 --echo # mysql -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
 --replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
 --error 1
---exec $MYSQL --protocol tcp -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 #
 # except if ssl-verify-server-cert is left on default (not explicitly enabled)
 #
 --let $csd=`select @@character_sets_dir`
 --echo # mysql -uroot -e "select test.have_ssl()"
---exec $EXE_MYSQL --no-defaults --character-sets-dir=$csd --protocol tcp --port $MASTER_MYPORT -uroot -e "select test.have_ssl()" 2>&1
+--exec $EXE_MYSQL --no-defaults --character-sets-dir=$csd --protocol tcp $host --port $MASTER_MYPORT -uroot -e "select test.have_ssl()" 2>&1
 #
 # or unless using a secure transport, like unix_socket or named pipes
 #
@@ -52,34 +61,41 @@ if ($MTR_COMBINATION_WIN) {
 }
 --echo # mysql --protocol $proto -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
 --exec $MYSQL --protocol $proto -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+
+#
+# same for tcp via localhost
+#
+--echo # mysql --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
+--exec $MYSQL --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+
 #
 # mysql_native_password with password works fine
 #
 --echo # mysql -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()"
---exec $MYSQL --protocol tcp -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 #
 # ed25519 with password works fine
 #
 --echo # mysql -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()"
---exec $MYSQL --protocol tcp -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 #
 # three_attempts uses auth string as is, doesn't hash.
 # so it's not safe over untrusted connection and thus cannot validate cert
 #
 --echo # mysql -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()"
---exec $MYSQL --protocol tcp -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 --echo # mysql -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()"
 --replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
 --error 1
---exec $MYSQL --protocol tcp -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 #
 # multi-auth case, both client and server must use
 # the same plugin for cert validation
 #
 --echo # mysql -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()"
---exec $MYSQL --protocol tcp -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 --echo # mysql -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()"
---exec $MYSQL --protocol tcp -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 
 #
 # Now try MitM

diff --git a/mysql-test/main/ssl_fp.test b/mysql-test/main/ssl_fp.test
@@ -5,23 +5,29 @@ create function have_ssl() returns char(3)
   from information_schema.session_status
   where variable_name='ssl_cipher');
 
+let $is_win = `select convert(@@version_compile_os using latin1) IN ("Win32","Win64","Windows")`;
+let $host=;
+if($is_win)
+{
+  let $host=--host=127.0.0.2;
+}
 #
 # passwordless root cannot connect w/o fingerprint:
 #
 --echo # mysql --protocol tcp -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
 --replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
 --error 1
---exec $MYSQL --protocol tcp -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 #
 # fingerprint based cert verification:
 #
 --echo # mysql --protocol tcp -uroot --ssl-fp=F1:D0:08:AF:A1:D2:F4:15:79:B4:39:06:41:F4:20:96:F1:90:A9:65 --ssl-verify-server-cert -e "select test.have_ssl()"
---exec $MYSQL --protocol tcp -uroot --ssl-fp=F1:D0:08:AF:A1:D2:F4:15:79:B4:39:06:41:F4:20:96:F1:90:A9:65 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -uroot --ssl-fp=F1:D0:08:AF:A1:D2:F4:15:79:B4:39:06:41:F4:20:96:F1:90:A9:65 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 #
 # wrong fingerprint fails even with --disable-ssl-verify-server-cert
 #
 --echo # mysql --protocol tcp -uroot --ssl-fp=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33 --disable-ssl-verify-server-cert -e "select test.have_ssl()"
 --error 1
---exec $MYSQL --protocol tcp -uroot --ssl-fp=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33 --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -uroot --ssl-fp=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33 --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 
 drop function have_ssl;