Description: - Added blocked cipher handling for following variables - ssl-cipher - admin-ssl-cipher - tls-ciphersuites - admin-tls-ciphersuites - Updated tests to remove blocked ciphers - Added new FIPS tests without using weak ciphers - Added test to check blocked cipher handling Change-Id: I91721e4cc0f3690e25d802493fa36313a479f641
1 parent
60f76ef
commit 38e7e1c
Showing
42 changed files
with
2,037 additions
and
2,085 deletions.
@@ -1,7 +1,7 @@ | ||
# | ||
# List of allowed TLSv1.2 and TLSv1.3 ciphers which will be | ||
# List of TLSv1.2 and TLSv1.3 ciphers which will be | ||
# replaced with "SSL_CIPHER" in the result files. | ||
# Usage: --replace_regex $ALLOWED_CIPHERS_REGEX | ||
# | ||
|
||
LET $ALLOWED_CIPHERS_REGEX = /ECDHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES256-SHA|ECDHE-RSA-AES128-SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256/SSL_CIPHER/; | ||
LET $ALLOWED_CIPHERS_REGEX = /ECDHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES256-SHA|ECDHE-RSA-AES128-SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|DHE-RSA-CHACHA20-POLY1305/SSL_CIPHER/; |
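Review bot: The alternation on the new `LET $ALLOWED_CIPHERS_REGEX` line still contains `ECDHE-RSA-AES128-SHA256`, which the startup result file in this same commit reports as blocked, so a result file using this replacement prints `SSL_CIPHER` whether the cipher in the output was an approved one or a blocked one. Dropping blocked names from the pattern would make such a regression surface as a result mismatch; `DHE-RSA-AES256-SHA` is presumably in the same position, though nothing on the page shows it being rejected. The header comment no longer says "allowed" while the variable name still does, so a line such as `# Keep blocked ciphers out of this list so they appear unmasked in result files.` would state the intent. The file name for this section is not visible on the page.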
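--- a/mysql-test/suite/auth_sec/r/ciphers_configuration_at_startup.result
+++ b/mysql-test/suite/auth_sec/r/ciphers_configuration_at_startup.result
@@ -0,0 +1,51 @@
+CALL mtr.add_suppression("Value for option .* contains cipher .* that is blocked.");
+#
+# WL#15801: Remove weak ciphers usage
+#
+# Stop server
+# Server should fail to start: Invalid --ssl-cipher value
+# Must find error for ECDHE-RSA-AES128-SHA256 for ssl-cipher
+Pattern "Value for option 'ssl_cipher' contains cipher 'ECDHE-RSA-AES128-SHA256' that is blocked" found
+Pattern "Value for option 'admin_ssl_cipher' contains cipher 'ECDHE-RSA-AES128-SHA256' that is blocked" not found
+# Server should fail to start: Invalid --admin-ssl-cipher value
+# Must find error for ECDHE-RSA-AES128-SHA256 for admin-ssl-cipher
+Pattern "Value for option 'ssl_cipher' contains cipher 'ECDHE-RSA-AES128-SHA256' that is blocked" not found
+Pattern "Value for option 'admin_ssl_cipher' contains cipher 'ECDHE-RSA-AES128-SHA256' that is blocked" found
+# Server should fail to start: Valid and invalid --ssl-cipher values
+# Must not find error for ECDHE-RSA-AES128-GCM-SHA256
+Pattern "Value for option 'ssl_cipher' contains cipher 'ECDHE-RSA-AES128-GCM-SHA256' that is blocked" not found
+Pattern "Value for option 'admin_ssl_cipher' contains cipher 'ECDHE-RSA-AES128-GCM-SHA256' that is blocked" not found
+# Must find error for ECDHE-RSA-AES128-SHA256 for ssl-cipher
+Pattern "Value for option 'ssl_cipher' contains cipher 'ECDHE-RSA-AES128-SHA256' that is blocked" found
+Pattern "Value for option 'admin_ssl_cipher' contains cipher 'ECDHE-RSA-AES128-SHA256' that is blocked" not found
+# Server should fail to start: Valid and invalid --admin-ssl-cipher values
+# Must not find error for ECDHE-RSA-AES128-GCM-SHA256
+Pattern "Value for option 'ssl_cipher' contains cipher 'ECDHE-RSA-AES128-GCM-SHA256' that is blocked" not found
+Pattern "Value for option 'admin_ssl_cipher' contains cipher 'ECDHE-RSA-AES128-GCM-SHA256' that is blocked" not found
+# Must find error for ECDHE-RSA-AES128-SHA256 for admin-ssl-cipher
+Pattern "Value for option 'ssl_cipher' contains cipher 'ECDHE-RSA-AES128-SHA256' that is blocked" not found
+Pattern "Value for option 'admin_ssl_cipher' contains cipher 'ECDHE-RSA-AES128-SHA256' that is blocked" found
+# Server should fail to start: Invalid --tls-ciphersuites value
+# Must find error for TLS_AES_128_CCM_8_SHA256 for tls-ciphersuites
+Pattern "Value for option 'tls_ciphersuites' contains cipher 'TLS_AES_128_CCM_8_SHA256' that is blocked" found
+Pattern "Value for option 'admin_tls_ciphersuites' contains cipher 'TLS_AES_128_CCM_8_SHA256' that is blocked" not found
+# Server should fail to start: Invalid --admin-tls-ciphersuites value
+# Must find error for TLS_AES_128_CCM_8_SHA256 for admin-tls-ciphersuites
+Pattern "Value for option 'tls_ciphersuites' contains cipher 'TLS_AES_128_CCM_8_SHA256' that is blocked" not found
+Pattern "Value for option 'admin_tls_ciphersuites' contains cipher 'TLS_AES_128_CCM_8_SHA256' that is blocked" found
+# Server should fail to start: Valid and invalid --tls-ciphersuites values
+# Must not find error for TLS_AES_128_GCM_SHA256
+Pattern "Value for option 'tls_ciphersuites' contains cipher 'TLS_AES_128_GCM_SHA256' that is blocked" not found
+Pattern "Value for option 'admin_tls_ciphersuites' contains cipher 'TLS_AES_128_GCM_SHA256' that is blocked" not found
+# Must find error for TLS_AES_128_CCM_8_SHA256 for tls-ciphersuites
+Pattern "Value for option 'tls_ciphersuites' contains cipher 'TLS_AES_128_CCM_8_SHA256' that is blocked" found
+Pattern "Value for option 'admin_tls_ciphersuites' contains cipher 'TLS_AES_128_CCM_8_SHA256' that is blocked" not found
+# Server should fail to start: Valid and invalid --admin-tls-ciphersuites values
+# Must not find error for TLS_AES_128_GCM_SHA256
+Pattern "Value for option 'tls_ciphersuites' contains cipher 'TLS_AES_128_GCM_SHA256' that is blocked" not found
+Pattern "Value for option 'admin_tls_ciphersuites' contains cipher 'TLS_AES_128_GCM_SHA256' that is blocked" not found
+# Must find error for TLS_AES_128_CCM_8_SHA256 for admin-tls-ciphersuites
+Pattern "Value for option 'tls_ciphersuites' contains cipher 'TLS_AES_128_CCM_8_SHA256' that is blocked" not found
+Pattern "Value for option 'admin_tls_ciphersuites' contains cipher 'TLS_AES_128_CCM_8_SHA256' that is blocked" found
+# start server with all defaults
+# restart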