File: tlsv13.test

package info (click to toggle)
mariadb 1%3A11.8.3-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 772,520 kB
  • sloc: ansic: 2,414,714; cpp: 1,791,394; asm: 381,336; perl: 62,905; sh: 49,647; pascal: 40,897; java: 39,363; python: 20,791; yacc: 20,432; sql: 17,907; xml: 12,344; ruby: 8,544; cs: 6,542; makefile: 6,145; ada: 1,879; lex: 1,193; javascript: 996; objc: 80; tcl: 73; awk: 46; php: 22
file content (43 lines) | stat: -rw-r--r-- 2,510 bytes parent folder | download | duplicates (4) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
 
--source include/have_ssl_communication.inc
--source include/require_openssl_client.inc
--source include/have_tlsv13.inc

#
# BUG - SSL_CIPHER SYSTEM VARIABLE CANNOT CONFIGURE TLSV1.3 AND TLSV1.2 CIPHERS AT THE SAME TIME
#
# If users specify TLSv1.3 and TLSv1.2 ciphers, it will only configure the
# TLSv1.3 ciphers correctly but then it will keep all TLSv1.2 ciphers enabled.
#
# This is a potential security vulnerability because users trying to restrict
# secure TLSv1.3 and TLSv1.2 ciphers will unintentionally have insecure TLSv1.2
# ciphers enabled on the database.
#
let $restart_parameters=--ssl-cipher=TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384;
source include/restart_mysqld.inc;

--exec $MYSQL --host=localhost --ssl-cipher=TLS_AES_128_GCM_SHA256 --tls-version=TLSv1.3 -e "SHOW STATUS LIKE 'Ssl_cipher%';"
--exec $MYSQL --host=localhost --ssl-cipher=ECDHE-RSA-AES256-GCM-SHA384 --tls-version=TLSv1.2 -e "SHOW STATUS LIKE 'Ssl_cipher%';"

# Check that other ciphers are correctly not supported by the server
--replace_regex /sslv3 alert handshake failure/ssl\/tls alert handshake failure/
--error 1
--exec $MYSQL --host=localhost --ssl-cipher=TLS_AES_256_GCM_SHA384 --tls-version=TLSv1.3 -e "SHOW STATUS LIKE 'Ssl_cipher';" 2>&1

--replace_regex /sslv3 alert handshake failure/ssl\/tls alert handshake failure/
--error 1
--exec $MYSQL --host=localhost --ssl-cipher=ECDHE-RSA-AES128-GCM-SHA256 --tls-version=TLSv1.2 -e "SHOW STATUS LIKE 'Ssl_cipher';" 2>&1

# TLSv1.3 ciphers are still supported if only TLSv1.2 ciphers are passed to --ssl-cipher
let $restart_parameters=--ssl-cipher=ECDHE-RSA-AES256-GCM-SHA384;
source include/restart_mysqld.inc;
--exec $MYSQL --host=localhost --ssl-cipher=TLS_AES_128_GCM_SHA256 --tls-version=TLSv1.3 -e "SHOW STATUS LIKE 'Ssl_cipher';"
--exec $MYSQL --host=localhost --ssl-cipher=ECDHE-RSA-AES256-GCM-SHA384 --tls-version=TLSv1.2 -e "SHOW STATUS LIKE 'Ssl_cipher';"
--error 1
--exec $MYSQL --host=localhost --ssl-cipher=ECDHE-RSA-AES128-GCM-SHA256 --tls-version=TLSv1.2 -e "SHOW STATUS LIKE 'Ssl_cipher';"

# TLSv1.2 ciphers are not supported if only TLSv1.3 ciphers are passed to --ssl-cipher
let $restart_parameters=--ssl-cipher=TLS_AES_128_GCM_SHA256;
source include/restart_mysqld.inc;
--exec $MYSQL --host=localhost --ssl-cipher=TLS_AES_128_GCM_SHA256 --tls-version=TLSv1.3 -e "SHOW STATUS LIKE 'Ssl_cipher%';"
--error 1
--exec $MYSQL --host=localhost --ssl-cipher=ECDHE-RSA-AES128-GCM-SHA256 --tls-version=TLSv1.2 -e "SHOW STATUS LIKE 'Ssl_cipher';"