SSL test fixes

* fix CRL tests to work
* regenerate certificates to be at least 2048 bit
  (fixes buster and rhel8 in buildbot)
* update generate-ssl-cert.sh to generate crl files
* make all SSL tests to use certificates generated
  in generate-ssl-cert.sh, remove unused certificates

mysql-test/include/have_openssl.inc

@@ -1,7 +1,4 @@
--- source include/have_ssl_communication.inc
-let $crllen=`select length(trim(coalesce(@@ssl_crl, ''))) + length(trim(coalesce(@@ssl_crlpath, '')))`;
-if (!$crllen)
-{
+if (`SELECT count(*) = 0 FROM information_schema.GLOBAL_VARIABLES WHERE
+      VARIABLE_NAME = 'have_openssl' AND VARIABLE_VALUE = 'YES'`){
   skip Needs OpenSSL;
 }
-

mysql-test/lib/generate-ssl-certs.sh

@@ -10,35 +10,49 @@ rm -rf demoCA
 mkdir demoCA demoCA/newcerts
 touch demoCA/index.txt
 echo 01 > demoCA/serial
+echo 01 > demoCA/crlnumber
 
 # CA certificate, self-signed
 openssl req -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem -days 7300 -nodes -subj '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' -text
 
 # server certificate signing request and private key. Note the very long subject (for MDEV-7859)
-openssl req -newkey rsa:1024 -keyout server-key.pem -out demoCA/server-req.pem -days 7300 -nodes -subj '/CN=localhost/C=FI/ST=state or province within country, in other certificates in this file it is the same as L/L=location, usually an address but often ambiguously used/OU=organizational unit name, a division name within an organization/O=organization name, typically a company name'
+openssl req -newkey rsa:2048 -keyout server-key.pem -out demoCA/server-req.pem -days 7300 -nodes -subj '/CN=localhost/C=FI/ST=state or province within country, in other certificates in this file it is the same as L/L=location, usually an address but often ambiguously used/OU=organizational unit name, a division name within an organization/O=organization name, typically a company name'
 # convert the key to yassl compatible format
 openssl rsa -in server-key.pem -out server-key.pem
 # sign the server certificate with CA certificate
-openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server-cert.pem -infiles demoCA/server-req.pem
+openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server-cert.pem -in demoCA/server-req.pem
 
-# Certificate with different validity period (MDEV-7598)
-openssl req -newkey rsa:1024 -keyout server-new-key.pem -out demoCA/server-new-req.pem -days 7301 -nodes -subj '/CN=server-new/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
+# server certificate with different validity period (MDEV-7598)
+openssl req -newkey rsa:2048 -keyout server-new-key.pem -out demoCA/server-new-req.pem -days 7301 -nodes -subj '/CN=server-new/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
 openssl rsa -in server-new-key.pem -out server-new-key.pem
-openssl ca -keyfile cakey.pem -days 7301 -batch -cert cacert.pem -policy policy_anything -out server-new-cert.pem -infiles demoCA/server-new-req.pem
+openssl ca -keyfile cakey.pem -days 7301 -batch -cert cacert.pem -policy policy_anything -out server-new-cert.pem -in demoCA/server-new-req.pem
 
+# 8K cert
 openssl req -newkey rsa:8192 -keyout server8k-key.pem -out demoCA/server8k-req.pem -days 7300 -nodes -subj '/CN=server8k/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
 openssl rsa -in server8k-key.pem -out server8k-key.pem
-openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server8k-cert.pem -infiles demoCA/server8k-req.pem
-
-openssl req -newkey rsa:1024 -keyout client-key.pem -out demoCA/client-req.pem -days 7300 -nodes -subj '/CN=client/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
-openssl rsa -in client-key.pem -out client-key.pem
-openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out client-cert.pem -infiles demoCA/client-req.pem
+openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server8k-cert.pem -in demoCA/server8k-req.pem
 
 # with SubjectAltName, only for OpenSSL 1.0.2+
 cat > demoCA/sanext.conf <<EOF
 subjectAltName=DNS:localhost
 EOF
-openssl req -newkey rsa:1024 -keyout serversan-key.pem -out demoCA/serversan-req.pem -days 7300 -nodes -subj '/CN=server/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
-openssl ca -keyfile cakey.pem -extfile demoCA/sanext.conf -days 7300 -batch -cert cacert.pem -policy policy_anything -out serversan-cert.pem -infiles demoCA/serversan-req.pem
+openssl req -newkey rsa:2048 -keyout serversan-key.pem -out demoCA/serversan-req.pem -days 7300 -nodes -subj '/CN=server/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
+openssl ca -keyfile cakey.pem -extfile demoCA/sanext.conf -days 7300 -batch -cert cacert.pem -policy policy_anything -out serversan-cert.pem -in demoCA/serversan-req.pem
+
+# client cert
+openssl req -newkey rsa:2048 -keyout client-key.pem -out demoCA/client-req.pem -days 7300 -nodes -subj '/CN=client/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
+openssl rsa -in client-key.pem -out client-key.pem
+openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out client-cert.pem -in demoCA/client-req.pem
+
+# generate crls
+openssl ca -revoke server-cert.pem -keyfile cakey.pem -batch -cert cacert.pem
+openssl ca -gencrl -keyfile cakey.pem -crldays 7300 -batch -cert cacert.pem -out server-cert.crl
+# we only want to have one certificate per CRL. Un-revoke server-cert.crl
+cp demoCA/index.txt.old demoCA/index.txt
+openssl ca -revoke client-cert.pem -keyfile cakey.pem -batch -cert cacert.pem
+openssl ca -gencrl -keyfile cakey.pem -crldays 7300 -batch -cert cacert.pem -out client-cert.crl
+
+rm -fv crldir/*
+cp -v client-cert.crl crldir/`openssl x509 -in client-cert.pem -noout -issuer_hash`.r0
 
 rm -rf demoCA

mysql-test/main/disabled.def

@@ -14,9 +14,6 @@ events_time_zone         : Test is not predictable as it depends on precise timi
 read_many_rows_innodb    : Bug#11748886 2010-11-15 mattiasj report already exists
 mysql_embedded           : Bug#12561297 2011-05-14 Anitha Dependent on PB2 changes - eventum#41836
 #show_explain  : Psergey: random timeout in range-checked-for-each record query.
-ssl_crl_clients_valid    : broken upstream
-ssl_crl                  : broken upstream
-ssl_crl_clrpath          : broken upstream
 innodb-wl5522-debug-zip  : broken upstream
 innodb_bug12902967       : broken upstream
 file_contents            : MDEV-6526 these files are not installed anymore

mysql-test/main/ssl.result

@@ -4,10 +4,10 @@ have_ssl
 1
 SHOW STATUS LIKE 'Ssl_server_not_before';
 Variable_name	Value
-Ssl_server_not_before	Apr 25 20:52:21 2017 GMT
+Ssl_server_not_before	Jan 27 10:11:10 2019 GMT
 SHOW STATUS LIKE 'Ssl_server_not_after';
 Variable_name	Value
-Ssl_server_not_after	Apr 20 20:52:21 2037 GMT
+Ssl_server_not_after	Jan 22 10:11:10 2039 GMT
 drop table if exists t1,t2,t3,t4;
 CREATE TABLE t1 (
 Period smallint(4) unsigned zerofill DEFAULT '0000' NOT NULL,

mysql-test/main/ssl_crl.combinations

@@ -0,0 +1,5 @@
+[file]
+ssl-crl=$MYSQL_TEST_DIR/std_data/client-cert.crl
+
+[path]
+ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir

mysql-test/main/ssl_crl.result

@@ -1,23 +1,5 @@
-# test --crl for the client : should connect
+# try logging in with a certificate not in the server's --ssl-crl : should succeed
 Variable_name	Value
-have_openssl	YES
-have_ssl	YES
-ssl_ca	MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
-ssl_capath	
-ssl_cert	MYSQL_TEST_DIR/std_data/crl-server-cert.pem
-ssl_cipher	
-ssl_crl	MYSQL_TEST_DIR/std_data/crl-client-revoked.crl
-ssl_crlpath	
-ssl_key	MYSQL_TEST_DIR/std_data/crl-server-key.pem
-# test --crlpath for the client : should connect
-Variable_name	Value
-have_openssl	YES
-have_ssl	YES
-ssl_ca	MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
-ssl_capath	
-ssl_cert	MYSQL_TEST_DIR/std_data/crl-server-cert.pem
-ssl_cipher	
-ssl_crl	MYSQL_TEST_DIR/std_data/crl-client-revoked.crl
-ssl_crlpath	
-ssl_key	MYSQL_TEST_DIR/std_data/crl-server-key.pem
+Ssl_version	TLS_VERSION
 # try logging in with a certificate in the server's --ssl-crl : should fail
+ERROR 2026 (HY000): SSL connection error: sslv3 alert certificate revoked

mysql-test/main/ssl_crl.test

@@ -2,15 +2,12 @@
 -- source include/not_embedded.inc
 -- source include/have_openssl.inc
 
---echo # test --crl for the client : should connect
---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
---exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-valid-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-valid-cert.pem test --ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl -e "SHOW VARIABLES like '%ssl%';"
-
---echo # test --crlpath for the client : should connect
---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
---exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-valid-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-valid-cert.pem --ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir test -e "SHOW VARIABLES like '%ssl%';"
+--echo # try logging in with a certificate not in the server's --ssl-crl : should succeed
+--replace_result TLSv1.3 TLS_VERSION TLSv1.2 TLS_VERSION TLSv1.1 TLS_VERSION TLSv1 TLS_VERSION
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/server-new-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/server-new-cert.pem test -e "SHOW STATUS LIKE 'Ssl_version'"
 
 --echo # try logging in with a certificate in the server's --ssl-crl : should fail
---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
+# OpenSSL 1.1.1a correctly rejects the certificate, but the error message is wrong
+--replace_result "ERROR 2013 (HY000): Lost connection to MySQL server at 'reading authorization packet', system error: 0" "ERROR 2026 (HY000): SSL connection error: sslv3 alert certificate revoked"
 --error 1
---exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW VARIABLES like '%ssl%';"
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_version'" 2>&1

mysql-test/main/ssl_crl_clients.result

@@ -1,7 +1,13 @@
 # Test clients with and without CRL lists
 ############ Test mysql ##############
 # Test mysql connecting to a server with a certificate revoked by -crl
+ERROR 2026 (HY000): SSL connection error: certificate revoked
 # Test mysql connecting to a server with a certificate revoked by -crlpath
+ERROR 2026 (HY000): SSL connection error: certificate revoked
 ############ Test mysqladmin ##############
 # Test mysqladmin connecting to a server with a certificate revoked by -crl
+mysqladmin: connect to server at 'localhost' failed
+error: 'SSL connection error: certificate revoked'
 # Test mysqladmin connecting to a server with a certificate revoked by -crlpath
+mysqladmin: connect to server at 'localhost' failed
+error: 'SSL connection error: certificate revoked'

mysql-test/main/ssl_crl_clients.test

@@ -4,38 +4,33 @@
 
 --echo # Test clients with and without CRL lists
 
-let $ssl_base = --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-server-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-server-cert.pem;
-let $ssl_crl = $ssl_base --ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl;
-let $ssl_crlpath = $ssl_base --ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir;
+let $ssl_base = --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem --ssl-verify-server-cert;
+let $ssl_crl = $ssl_base --ssl-crl=$MYSQL_TEST_DIR/std_data/server-cert.crl;
+let $ssl_crlpath = $ssl_base --ssl-crlpath=$MYSQL_TMP_DIR;
 
+# See `openssl x509 -in server-cert.pem -noout -issuer_hash`
+copy_file $MYSQL_TEST_DIR/std_data/server-cert.crl $MYSQL_TMP_DIR/ed1f42db.r0;
 
 --echo ############ Test mysql ##############
 
 --echo # Test mysql connecting to a server with a certificate revoked by -crl
---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
 --error 1
---exec $MYSQL $ssl_crl test -e "SHOW VARIABLES like '%ssl%';"
+--exec $MYSQL $ssl_crl test -e "SHOW STATUS LIKE 'Ssl_version'" 2>&1
 
 --echo # Test mysql connecting to a server with a certificate revoked by -crlpath
---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
 --error 1
---exec $MYSQL $ssl_crlpath test -e "SHOW VARIABLES like '%ssl%';"
+--exec $MYSQL $ssl_crlpath test -e "SHOW STATUS LIKE 'Ssl_version'" 2>&1
 
 
 --echo ############ Test mysqladmin ##############
-let $admin_prefix = --no-defaults;
 let $admin_suffix = --default-character-set=latin1 -S $MASTER_MYSOCK -P $MASTER_MYPORT -u root --password= ping;
 
 --echo # Test mysqladmin connecting to a server with a certificate revoked by -crl
---disable_result_log
---replace_regex /.*mysqladmin.*: connect/mysqladmin: connect/
---error 2
---exec $MYSQLADMIN $admin_prefix $ssl_crl $admin_suffix 2>&1
---enable_result_log
+--replace_regex /.*mysqladmin.*:/mysqladmin:/
+--error 1
+--exec $MYSQLADMIN $ssl_crl $admin_suffix 2>&1
 
---disable_result_log
 --echo # Test mysqladmin connecting to a server with a certificate revoked by -crlpath
---replace_regex /.*mysqladmin.*: connect/mysqladmin: connect/
---error 2
---exec $MYSQLADMIN $admin_prefix $ssl_crlpath $admin_suffix 2>&1
---enable_result_log
+--replace_regex /.*mysqladmin.*:/mysqladmin:/
+--error 1
+--exec $MYSQLADMIN $ssl_crlpath $admin_suffix 2>&1