File: ssl_autoverify.test

# Preconditions: the test is skipped with the embedded server
# (include/not_embedded.inc) and when either of the two authentication
# plugin shared objects used below is not available in this build.
source include/platform.inc;
source include/not_embedded.inc;
if (!$AUTH_ED25519_SO) {
  skip No auth_ed25519 plugin;
}
if (!$DIALOG_EXAMPLES_SO) {
  skip No dialog_examples plugin;
}

# auth_ed25519 provides the 'ed25519' plugin; dialog_examples provides
# 'three_attempts' (a plugin that stores the auth string unhashed).
install soname 'auth_ed25519';
install plugin three_attempts soname 'dialog_examples';

# One throw-away account per authentication method under test. The
# passwords are test fixtures only; the accounts are dropped at the end.
create user native@'%' identified via mysql_native_password using password('foo');
create user ed@'%' identified via ed25519 using password('bar');
create user nohash@'%' identified via three_attempts using 'onetwothree';
# Two alternative auth methods on one account (exercised with pw1 and pw2 below).
create user multi@'%' identified via mysql_native_password using password('pw1')
                                  or ed25519 using password('pw2');
grant all privileges on test.* to native@'%';
grant all privileges on test.* to ed@'%';
grant all privileges on test.* to nohash@'%';
grant all privileges on test.* to multi@'%';

# Helper queried by every client invocation below: reports 'yes' when the
# current session negotiated a TLS cipher (non-empty ssl_cipher in
# information_schema.session_status), 'no' otherwise.
create function have_ssl() returns char(3)
  return (select case when variable_value <> '' then 'yes' else 'no' end
  from information_schema.session_status
  where variable_name='ssl_cipher');

# $host is appended to the TCP client invocations below. It is empty by
# default (the client's own default host applies); on Windows it is forced
# to 127.0.0.2 so that the connection is NOT classified as a secure local
# transport and certificate verification is actually exercised.
let host=;
if ($MTR_COMBINATION_WIN) {
  # 127.0.0.2 (and generally 127.0.0.0/8) works on Windows the same as 127.0.0.1,
  # i.e client can connect if server listens on IPv4 loopback
  #
  # We use 127.0.0.2 as it does not match any of "localhost","127.0.0.1","::1"
  # thus it is not considered "secure transport" by the connector/C
  let host=--host=127.0.0.2;
}
#
# root user, no password, so cannot validate cert.
#
# (The automatic certificate check relies on the account's password
# material, so an account without a password has nothing to bind the
# server certificate to; compare the nohash and multi-auth cases below.)
#
--echo # mysql -uroot --disable-ssl-verify-server-cert -e "select test.have_ssl()"
--exec $MYSQL --protocol tcp -uroot --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
--echo # mysql -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
# Normalise the verification error text (the part after "TLS/SSL error"
# presumably depends on the TLS backend) so the result file stays stable.
--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
# Explicitly requested verification must fail (client exit code 1).
--error 1
--exec $MYSQL --protocol tcp $host -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
#
# except if ssl-verify-server-cert is left on default (not explicitly enabled)
#
# $EXE_MYSQL with --no-defaults is used instead of $MYSQL so that no option
# file can set ssl-verify-server-cert; --character-sets-dir and --port are
# then passed by hand because --no-defaults drops the MTR-provided settings.
#
--let $csd=`select @@character_sets_dir`
--echo # mysql -uroot -e "select test.have_ssl()"
--exec $EXE_MYSQL --no-defaults --character-sets-dir=$csd --protocol tcp $host --port $MASTER_MYPORT -uroot -e "select test.have_ssl()" 2>&1
#
# or unless using a secure transport, like unix_socket or named pipes
#
# note that SSL works over unix_socket, and it doesn't work over named pipes
# but the connection is allowed either way, as the transport is secure
#
let proto=socket;
if ($MTR_COMBINATION_WIN) {
  let proto=pipe;
}
--echo # mysql --protocol $proto -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
--exec $MYSQL --protocol $proto -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1

#
# same for tcp via localhost
#
# 127.0.0.1 is on the connector's list of local addresses (see the $host
# comment above), so this is treated as a secure transport even though
# --ssl-verify-server-cert is given and root has no password.
#
--echo # mysql --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
--exec $MYSQL --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1

#
# mysql_native_password with password works fine
#
--echo # mysql -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()"
--exec $MYSQL --protocol tcp $host -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
#
# ed25519 with password works fine
#
--echo # mysql -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()"
--exec $MYSQL --protocol tcp $host -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
#
# three_attempts uses auth string as is, doesn't hash.
# so it's not safe over untrusted connection and thus cannot validate cert
#
# Expected outcome: the connection only succeeds with verification
# explicitly disabled; with --ssl-verify-server-cert it must fail.
#
--echo # mysql -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()"
--exec $MYSQL --protocol tcp $host -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
--echo # mysql -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()"
# Same error-text normalisation as for the root case above.
--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
--error 1
--exec $MYSQL --protocol tcp $host -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
#
# multi-auth case, both client and server must use
# the same plugin for cert validation
#
# pw1 selects the mysql_native_password method, pw2 the ed25519 one;
# both are expected to connect with verification enabled.
#
--echo # mysql -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()"
--exec $MYSQL --protocol tcp $host -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
--echo # mysql -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()"
--exec $MYSQL --protocol tcp $host -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1

#
# Now try MitM
#
# lib/ssl-mitm.pl is a TLS-terminating proxy: it listens on
# $MASTER_MYPORT+1, presents a *different* server certificate
# (std_data/server-new-*.pem, signed by the test CA) to the client and
# forwards to the real server. A client that verifies the certificate
# against the account password must refuse the connection; a client with
# verification disabled connects through the proxy.
#
# Not run on Windows. Note the proxy is started anew before each client
# run, which suggests it serves a single connection per invocation.
#
if (!$MTR_COMBINATION_WIN) {
# NOTE(review): assumes $MASTER_MYPORT+1 is free, i.e. inside the port
# range MTR reserves for this worker - confirm if workers are ever
# allocated fewer than two consecutive ports.
let mitm_port=$MASTER_MYPORT;
inc $mitm_port;
--exec perl lib/ssl-mitm.pl --listen-on $mitm_port --connect-to $MASTER_MYPORT --ssl-ca std_data/cacert.pem --ssl-key std_data/server-new-key.pem --ssl-cert std_data/server-new-cert.pem
# root: no password, verification disabled -> the proxied connection succeeds.
--echo # mysql -uroot --disable-ssl-verify-server-cert -e "select 'Detecting MitM' as MitM, test.have_ssl()"
--exec $MYSQL --port $mitm_port --disable-ssl-verify-server-cert -uroot -e "select 'Detecting MitM' as MitM, test.have_ssl()" 2>&1

--exec perl lib/ssl-mitm.pl --listen-on $mitm_port --connect-to $MASTER_MYPORT --ssl-ca std_data/cacert.pem --ssl-key std_data/server-new-key.pem --ssl-cert std_data/server-new-cert.pem
# mysql_native_password user with verification enabled -> must fail (exit 1).
--echo # mysql -unative -pfoo --ssl-verify-server-cert -e "select 'Detecting MitM', test.have_ssl()"
--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
--error 1
--exec $MYSQL --port $mitm_port -unative -pfoo --ssl-verify-server-cert -e "select 'Detecting MitM', test.have_ssl()" 2>&1

--exec perl lib/ssl-mitm.pl --listen-on $mitm_port --connect-to $MASTER_MYPORT --ssl-ca std_data/cacert.pem --ssl-key std_data/server-new-key.pem --ssl-cert std_data/server-new-cert.pem
# ed25519 user with verification enabled -> must fail (exit 1).
--echo # mysql -ued -pbar --ssl-verify-server-cert -e "select 'Detecting MitM', test.have_ssl()"
--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
--error 1
--exec $MYSQL --port $mitm_port -ued -pbar --ssl-verify-server-cert -e "select 'Detecting MitM', test.have_ssl()" 2>&1
}

# Cleanup: remove the helper, the test accounts and both plugins so the
# server is left as it was found. The plugin installed from
# 'auth_ed25519' is named 'ed25519' (as used in the create user above).
drop function have_ssl;
drop user native@'%';
drop user ed@'%';
drop user nohash@'%';
drop user multi@'%';
uninstall plugin ed25519;
uninstall plugin three_attempts;