Fix tests not to fail with OpenSSL 1.1.1 with TLSv1.3

MariaDB · Jan 25, 2019 · 74f184a · 74f184a
1 parent 31d0727
commit 74f184a
Show file tree

Hide file tree

Showing 9 changed files with 191 additions and 162 deletions.
diff --git a/mysql-test/r/openssl_1.result b/mysql-test/r/openssl_1.result
@@ -4,73 +4,54 @@ drop table if exists t1;
 create table t1(f1 int);
 insert into t1 values (5);
 grant select on test.* to ssl_user1@localhost require SSL;
-grant select on test.* to ssl_user2@localhost require cipher "AES256-SHA";
-grant select on test.* to ssl_user3@localhost require cipher "AES256-SHA" AND SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client";
-grant select on test.* to ssl_user4@localhost require cipher "AES256-SHA" AND SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client" ISSUER "/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB";
-grant select on test.* to ssl_user5@localhost require cipher "AES256-SHA" AND SUBJECT "xxx";
+grant select on test.* to ssl_user3@localhost require SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client";
+grant select on test.* to ssl_user4@localhost require SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client" ISSUER "/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB";
+grant select on test.* to ssl_user5@localhost require SUBJECT "xxx";
 flush privileges;
-connect  con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA;
-connect(localhost,ssl_user2,,test,MASTER_PORT,MASTER_SOCKET);
-connect  con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA;
-ERROR 28000: Access denied for user 'ssl_user2'@'localhost' (using password: NO)
-connect  con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA;
-connect  con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA;
-connect  con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA;
+connect  con1,localhost,ssl_user1,,,,,SSL;
+connect  con3,localhost,ssl_user3,,,,,SSL;
+connect  con4,localhost,ssl_user4,,,,,SSL;
 connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET);
-connect  con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA;
+connect  con5,localhost,ssl_user5,,,,,SSL;
 ERROR 28000: Access denied for user 'ssl_user5'@'localhost' (using password: NO)
 connection con1;
-SHOW STATUS LIKE 'Ssl_cipher';
-Variable_name	Value
-Ssl_cipher	AES256-SHA
+SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
+have_ssl
+1
 select * from t1;
 f1
 5
 delete from t1;
 ERROR 42000: DELETE command denied to user 'ssl_user1'@'localhost' for table 't1'
-connection con2;
-SHOW STATUS LIKE 'Ssl_cipher';
-Variable_name	Value
-Ssl_cipher	AES256-SHA
-select * from t1;
-f1
-5
-delete from t1;
-ERROR 42000: DELETE command denied to user 'ssl_user2'@'localhost' for table 't1'
 connection con3;
-SHOW STATUS LIKE 'Ssl_cipher';
-Variable_name	Value
-Ssl_cipher	AES256-SHA
+SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
+have_ssl
+1
 select * from t1;
 f1
 5
 delete from t1;
 ERROR 42000: DELETE command denied to user 'ssl_user3'@'localhost' for table 't1'
 connection con4;
-SHOW STATUS LIKE 'Ssl_cipher';
-Variable_name	Value
-Ssl_cipher	AES256-SHA
+SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
+have_ssl
+1
 select * from t1;
 f1
 5
 delete from t1;
 ERROR 42000: DELETE command denied to user 'ssl_user4'@'localhost' for table 't1'
 connection default;
 disconnect con1;
-disconnect con2;
 disconnect con3;
 disconnect con4;
-drop user ssl_user1@localhost, ssl_user2@localhost,
-ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
+drop user ssl_user1@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
 drop table t1;
 mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxx
 mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxx
 mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxx
 mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxx
 mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxx
-SHOW STATUS LIKE 'Ssl_cipher';
-Variable_name	Value
-Ssl_cipher	AES256-SHA
 have_ssl
 1
 End of 5.0 tests
@@ -94,13 +75,7 @@ SSL_ACCEPTS	#
 SSL_CALLBACK_CACHE_HITS	#
 DROP TABLE thread_status;
 SET GLOBAL event_scheduler=0;
-SHOW STATUS LIKE 'Ssl_cipher';
-Variable_name	Value
-Ssl_cipher	AES128-SHA
-SHOW STATUS LIKE 'Ssl_cipher';
-Variable_name	Value
-Ssl_cipher	AES128-SHA
-mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxxCREATE TABLE t1(a int);
+CREATE TABLE t1(a int);
 INSERT INTO t1 VALUES (1), (2);
 
 /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
@@ -204,19 +179,12 @@ UNLOCK TABLES;
 /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
 /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
 
-mysqldump: Got error: 2026: SSL connection error: xxxx
+mysqldump: Got error: 2026: "SSL connection error: xxxx
 DROP TABLE t1;
-Variable_name	Value
-Ssl_cipher	AES256-SHA
-Variable_name	Value
-Ssl_cipher	AES128-SHA
-select 'is still running; no cipher request crashed the server' as result from dual;
-result
-is still running; no cipher request crashed the server
 GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509;
 FLUSH PRIVILEGES;
 connect con1,localhost,bug42158,,,,,SSL;
-SELECT (VARIABLE_VALUE <> '') AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
+SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
 have_ssl
 1
 disconnect con1;

diff --git a/mysql-test/r/ssl.result b/mysql-test/r/ssl.result
@@ -2175,8 +2175,3 @@ still connected?
 still connected?
 connection default;
 disconnect ssl_con;
-create user mysqltest_1@localhost;
-grant usage on mysqltest.* to mysqltest_1@localhost require cipher "AES256-SHA";
-Variable_name	Value
-Ssl_cipher	AES256-SHA
-drop user mysqltest_1@localhost;
diff --git a/mysql-test/r/ssl_cipher.result b/mysql-test/r/ssl_cipher.result
@@ -1,12 +1,67 @@
-#
-# BUG#11760210 - SSL_CIPHER_LIST NOT SET OR RETURNED FOR "SHOW STATUS LIKE 'SSL_CIPHER_LIST'"
-#
+create user ssl_user1@localhost require SSL;
+create user ssl_user2@localhost require cipher 'AES256-SHA';
+create user ssl_user3@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client';
+create user ssl_user4@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client' ISSUER '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB';
+create user ssl_user5@localhost require cipher 'AES256-SHA' AND SUBJECT 'xxx';
+connect  con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA;
+connect(localhost,ssl_user2,,test,MASTER_PORT,MASTER_SOCKET);
+connect  con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA;
+ERROR 28000: Access denied for user 'ssl_user2'@'localhost' (using password: NO)
+connect  con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA;
+connect  con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA;
+connect  con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA;
+connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET);
+connect  con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA;
+ERROR 28000: Access denied for user 'ssl_user5'@'localhost' (using password: NO)
+connection con1;
+SHOW STATUS LIKE 'Ssl_cipher';
+Variable_name	Value
+Ssl_cipher	AES256-SHA
+disconnect con1;
+connection con2;
+SHOW STATUS LIKE 'Ssl_cipher';
+Variable_name	Value
+Ssl_cipher	AES256-SHA
+disconnect con2;
+connection con3;
+SHOW STATUS LIKE 'Ssl_cipher';
+Variable_name	Value
+Ssl_cipher	AES256-SHA
+disconnect con3;
+connection con4;
+SHOW STATUS LIKE 'Ssl_cipher';
+Variable_name	Value
+Ssl_cipher	AES256-SHA
+disconnect con4;
+connection default;
+drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
+SHOW STATUS LIKE 'Ssl_cipher';
+Variable_name	Value
+Ssl_cipher	AES256-SHA
+SHOW STATUS LIKE 'Ssl_cipher';
+Variable_name	Value
+Ssl_cipher	AES128-SHA
+SHOW STATUS LIKE 'Ssl_cipher';
+Variable_name	Value
+Ssl_cipher	AES128-SHA
+mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxxVariable_name	Value
+Ssl_cipher	AES256-SHA
+Variable_name	Value
+Ssl_cipher	AES128-SHA
+select 'is still running; no cipher request crashed the server' as result from dual;
+result
+is still running; no cipher request crashed the server
+create user mysqltest_1@localhost;
+grant usage on mysqltest.* to mysqltest_1@localhost require cipher "AES256-SHA";
+Variable_name	Value
+Ssl_cipher	AES256-SHA
+drop user mysqltest_1@localhost;
 connect  ssl_con,localhost,root,,,,,SSL;
 SHOW STATUS LIKE 'Ssl_cipher';
 Variable_name	Value
 Ssl_cipher	AES128-SHA
 SHOW STATUS LIKE 'Ssl_cipher_list';
 Variable_name	Value
 Ssl_cipher_list	AES128-SHA
-connection default;
 disconnect ssl_con;
+connection default;
diff --git a/mysql-test/suite.pm b/mysql-test/suite.pm
@@ -70,9 +70,9 @@ sub skip_combinations {
   }
   $skip{'include/check_ipv6.inc'} = 'No IPv6' unless ipv6_ok();
 
-  $skip{'t/openssl_6975.test'} = 'no or too old openssl'
+  $skip{'t/openssl_6975.test'} = 'no or wrong openssl version'
     unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/
-       and $1 ge "1.0.1d";
+       and $1 ge "1.0.1d" and $1 lt "1.1.1";
 
   $skip{'t/ssl_7937.combinations'} = [ 'x509v3' ]
     unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/

diff --git a/mysql-test/t/openssl_1.test b/mysql-test/t/openssl_1.test
@@ -16,58 +16,45 @@ create table t1(f1 int);
 insert into t1 values (5);
 
 grant select on test.* to ssl_user1@localhost require SSL;
-grant select on test.* to ssl_user2@localhost require cipher "AES256-SHA";
-grant select on test.* to ssl_user3@localhost require cipher "AES256-SHA" AND SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client";
-grant select on test.* to ssl_user4@localhost require cipher "AES256-SHA" AND SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client" ISSUER "/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB";
-grant select on test.* to ssl_user5@localhost require cipher "AES256-SHA" AND SUBJECT "xxx";
+grant select on test.* to ssl_user3@localhost require SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client";
+grant select on test.* to ssl_user4@localhost require SUBJECT "/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client" ISSUER "/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB";
+grant select on test.* to ssl_user5@localhost require SUBJECT "xxx";
 flush privileges;
 
-connect (con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA);
+connect (con1,localhost,ssl_user1,,,,,SSL);
 --replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
---error ER_ACCESS_DENIED_ERROR
-connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA);
-connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA);
-connect (con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA);
-connect (con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA);
+connect (con3,localhost,ssl_user3,,,,,SSL);
+connect (con4,localhost,ssl_user4,,,,,SSL);
 --replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
 --error ER_ACCESS_DENIED_ERROR
-connect (con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA);
+connect (con5,localhost,ssl_user5,,,,,SSL);
 
 connection con1;
 # Check ssl turned on
-SHOW STATUS LIKE 'Ssl_cipher';
-select * from t1;
---error ER_TABLEACCESS_DENIED_ERROR
-delete from t1;
-
-connection con2;
-# Check ssl turned on
-SHOW STATUS LIKE 'Ssl_cipher';
+SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
 select * from t1;
 --error ER_TABLEACCESS_DENIED_ERROR
 delete from t1;
 
 connection con3;
 # Check ssl turned on
-SHOW STATUS LIKE 'Ssl_cipher';
+SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
 select * from t1;
 --error ER_TABLEACCESS_DENIED_ERROR
 delete from t1;
 
 connection con4;
 # Check ssl turned on
-SHOW STATUS LIKE 'Ssl_cipher';
+SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
 select * from t1;
 --error ER_TABLEACCESS_DENIED_ERROR
 delete from t1;
 
 connection default;
 disconnect con1;
-disconnect con2;
 disconnect con3;
 disconnect con4;
-drop user ssl_user1@localhost, ssl_user2@localhost,
-ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
+drop user ssl_user1@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
 
 drop table t1;
 
@@ -120,22 +107,14 @@ drop table t1;
 --exec $MYSQL_TEST --ssl-cert= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
 --echo
 
-#
-# Bug#21611 Slave can't connect when master-ssl-cipher specified
-# - Apparently selecting a cipher doesn't work at all
-# - Use a cipher that both yaSSL and OpenSSL supports
-#
---exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit;" > $MYSQLTEST_VARDIR/tmp/test.sql
---exec $MYSQL_TEST --ssl-cipher=AES256-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
-
 #
 # Bug#25309 SSL connections without CA certificate broken since MySQL 5.0.23
 #
 # Test that we can open encrypted connection to server without
 # verification of servers certificate by setting both ca certificate
 # and ca path to NULL
 #
---exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SELECT (VARIABLE_VALUE <> '') AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher'" 2>&1
+--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher'" 2>&1
 --echo End of 5.0 tests
 
 #
@@ -176,25 +155,6 @@ SELECT variable_name, variable_value FROM thread_status;
 DROP TABLE thread_status;
 SET GLOBAL event_scheduler=0;
 
-#
-# Test to connect using a list of ciphers
-#
---exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit;" > $MYSQLTEST_VARDIR/tmp/test.sql
---exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER:AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
-
-
-# Test to connect using a specifi cipher
-#
---exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit;" > $MYSQLTEST_VARDIR/tmp/test.sql
---exec $MYSQL_TEST --ssl-cipher=AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
-
-# Test to connect using an unknown cipher
-#
---exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit" > $MYSQLTEST_VARDIR/tmp/test.sql
---replace_regex /2026 SSL connection error.*/2026 SSL connection error: xxxx/
---error 1
---exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
-
 #
 # Bug#27669 mysqldump: SSL connection error when trying to connect
 #
@@ -211,44 +171,21 @@ INSERT INTO t1 VALUES (1), (2);
 
 # With wrong parameters
 --replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR mysqldump.exe mysqldump
---replace_regex /\"SSL connection error.*/SSL connection error: xxxx/
+--replace_regex /SSL connection error.*/SSL connection error: xxxx/
 --error 2
 --exec $MYSQL_DUMP --skip-create-options --skip-comments --ssl --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test 2>&1
 --echo
 DROP TABLE t1;
 --remove_file $MYSQLTEST_VARDIR/tmp/test.sql
 
-#
-# Bug#39172 Asking for DH+non-RSA key with server set to use other key caused
-#           YaSSL to crash the server.
-#
-
-# Common ciphers to openssl and yassl
---exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES256-SHA
---exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES128-SHA
---disable_query_log
---disable_result_log
-
-# Below here caused crashes.  ################
---error 1,0
---exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=NOT----EXIST
-# These probably exist but the server's keys can't be used to accept these kinds of connections.
---error 1,0
---exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=AES128-RMD
-
-# If this gives a result, then the bug is fixed.
---enable_result_log
---enable_query_log
-select 'is still running; no cipher request crashed the server' as result from dual;
-
 #
 # Bug#42158: leak: SSL_get_peer_certificate() doesn't have matching X509_free()
 #
 
 GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509;
 FLUSH PRIVILEGES;
 connect(con1,localhost,bug42158,,,,,SSL);
-SELECT (VARIABLE_VALUE <> '') AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
+SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';
 disconnect con1;
 connection default;
 DROP USER bug42158@localhost;

diff --git a/mysql-test/t/ssl.test b/mysql-test/t/ssl.test
@@ -32,10 +32,5 @@ select 'still connected?';
 connection default;
 disconnect ssl_con;
 
-create user mysqltest_1@localhost;
-grant usage on mysqltest.* to mysqltest_1@localhost require cipher "AES256-SHA";
---exec $MYSQL -umysqltest_1 --ssl-cipher=AES256-SHA -e "show status like 'ssl_cipher'" 2>&1
-drop user mysqltest_1@localhost;
-
 # Wait till all disconnects are completed
 --source include/wait_until_count_sessions.inc