File: ssl_dynamic.result

package info (click to toggle)
mysql-8.0 8.0.43-3
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 1,273,924 kB
  • sloc: cpp: 4,684,605; ansic: 412,450; pascal: 108,398; java: 83,641; perl: 30,221; cs: 27,067; sql: 26,594; sh: 24,181; python: 21,816; yacc: 17,169; php: 11,522; xml: 7,388; javascript: 7,076; makefile: 2,194; lex: 1,075; awk: 670; asm: 520; objc: 183; ruby: 97; lisp: 86
file content (215 lines) | stat: -rw-r--r-- 8,104 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
 
call mtr.add_suppression("Failed to set up SSL because of the following SSL library error");
call mtr.add_suppression("Failed to initialize TLS for channel: mysql_main");
# Check if ssl is on
SELECT LENGTH(VARIABLE_VALUE) > 0 FROM performance_schema.session_status
WHERE VARIABLE_NAME='Ssl_cipher';
LENGTH(VARIABLE_VALUE) > 0
1
################## FR1.1 and FR 1.4: ALTER INSTANCE RELOAD TLS
ALTER INSTANCE RELOAD TLS;
# Check if ssl is still turned on after reload
SELECT LENGTH(VARIABLE_VALUE) > 0 FROM performance_schema.session_status
WHERE VARIABLE_NAME='Ssl_cipher';
LENGTH(VARIABLE_VALUE) > 0
1
# FR1.1: check if old sessions continue
SET @must_be_present= 'present';
ALTER INSTANCE RELOAD TLS;
# Success criteria: value must be present
SELECT @must_be_present;
@must_be_present
present
# cleanup
################## FR 1.2: check if new sessions get the new vals
# Save the defaults
SET @orig_ssl_cipher = @@global.ssl_cipher;
SET @orig_tls_version = @@global.tls_version;
# in ssl_con
# check if the session has the original values
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name	Value
Ssl_cipher	orig_cipher
# in default connection
# setting new values for ssl_cipher
SET GLOBAL ssl_cipher = "ECDHE-RSA-AES256-GCM-SHA384";
SET GLOBAL tls_version = "TLSv1.2";
ALTER INSTANCE RELOAD TLS;
# in ssl_new_con
# Save the new defaults
# Check if the old and the new not afters differ
# in ssl_con
# the con session must have the original values
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name	Value
Ssl_cipher	orig_cipher;
# cleanup
# in default connection
SET GLOBAL ssl_cipher = @orig_ssl_cipher;
SET GLOBAL tls_version = @orig_tls_version;
ALTER INSTANCE RELOAD TLS;
################## FR 1.5: new values effective only after RELOAD TLS
# Save the defaults
SET @orig_ssl_cipher = @@global.ssl_cipher;
# setting new values for ssl_cipher
SET GLOBAL ssl_cipher = "ECDHE-RSA-AES128-GCM-SHA256";
# in ssl_con
# Check if the old and the new not afters differ
# cleanup
# in default connection
SET GLOBAL ssl_cipher = @orig_ssl_cipher;
################## FR 1.7: CONNECTION_ADMIN will be required to execute
#  ALTER INSTANCE RELOAD TLS
CREATE USER test_connection_admin@localhost;
# in ssl_con
# Must fail
ALTER INSTANCE RELOAD TLS;
ERROR 42000: Access denied; you need (at least one of) the CONNECTION_ADMIN privilege(s) for this operation
# in default connection
GRANT SUPER ON *.* TO test_connection_admin@localhost;
Warnings:
Warning	1287	The SUPER privilege identifier is deprecated
# in ssl_con
# Must fail
ALTER INSTANCE RELOAD TLS;
ERROR 42000: Access denied; you need (at least one of) the CONNECTION_ADMIN privilege(s) for this operation
# in default connection
REVOKE SUPER ON *.* FROM test_connection_admin@localhost;
Warnings:
Warning	1287	The SUPER privilege identifier is deprecated
GRANT CONNECTION_ADMIN ON *.* TO test_connection_admin@localhost;
# in ssl_con
# Must pass
ALTER INSTANCE RELOAD TLS;
# cleanup
# in default connection
DROP USER test_connection_admin@localhost;
################## FR 1.8 and 1.9: disable SSL on wrong values
# Save the defaults
SET @orig_ssl_ca= @@global.ssl_ca;
# Seet CA to invalid value
SET GLOBAL ssl_ca = 'gizmo';
# Must fail and not change the SSL params
ALTER INSTANCE RELOAD TLS;
ERROR HY000: Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed
# Must be 1
SELECT COUNT(*) FROM performance_schema.session_status
WHERE VARIABLE_NAME = 'Current_tls_ca' AND VARIABLE_VALUE = @orig_ssl_ca;
COUNT(*)
1
# Must return gizmo
SELECT @@global.ssl_ca;
@@global.ssl_ca
gizmo
# Must connect successfully
1
1
# Must pass with a warning and disable SSL
ALTER INSTANCE RELOAD TLS NO ROLLBACK ON ERROR;
Warnings:
Warning	3888	Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed
# Must be 1
SELECT COUNT(*) FROM performance_schema.session_status
WHERE VARIABLE_NAME = 'Current_tls_ca' AND VARIABLE_VALUE = 'gizmo';
COUNT(*)
1
# Must fail to connect
# cleanup
SET GLOBAL ssl_ca = @orig_ssl_ca;
ALTER INSTANCE RELOAD TLS;
# FR 1.9: Must connect successfully
1
1
################## FR2 and FR6: --ssl-* variables settable at runtime.
SET @orig_ssl_ca= @@global.ssl_ca;
SET @orig_ssl_cert= @@global.ssl_cert;
SET @orig_ssl_key= @@global.ssl_key;
SET @orig_ssl_capath= @@global.ssl_capath;
SET @orig_ssl_crl= @@global.ssl_crl;
SET @orig_ssl_crlpath= @@global.ssl_crlpath;
SET @orig_ssl_cipher= @@global.ssl_cipher;
SET @orig_tls_cipher= @@global.tls_ciphersuites;
SET @orig_tls_version= @@global.tls_version;
# Must pass
SET GLOBAL ssl_ca = 'gizmo';
SET GLOBAL ssl_cert = 'gizmo';
SET GLOBAL ssl_key = 'gizmo';
SET GLOBAL ssl_capath = 'gizmo';
SET GLOBAL ssl_crl = 'gizmo';
SET GLOBAL ssl_crlpath = 'gizmo';
SET GLOBAL ssl_cipher = 'gizmo';
SET GLOBAL tls_ciphersuites = 'gizmo';
SET GLOBAL tls_version = 'gizmo';
ERROR 42000: Variable 'tls_version' can't be set to the value of 'gizmo'
# Must fail
SET SESSION ssl_ca = 'gizmo';
ERROR HY000: Variable 'ssl_ca' is a GLOBAL variable and should be set with SET GLOBAL
SET SESSION ssl_cert = 'gizmo';
ERROR HY000: Variable 'ssl_cert' is a GLOBAL variable and should be set with SET GLOBAL
SET SESSION ssl_key = 'gizmo';
ERROR HY000: Variable 'ssl_key' is a GLOBAL variable and should be set with SET GLOBAL
SET SESSION ssl_capath = 'gizmo';
ERROR HY000: Variable 'ssl_capath' is a GLOBAL variable and should be set with SET GLOBAL
SET SESSION ssl_crl = 'gizmo';
ERROR HY000: Variable 'ssl_crl' is a GLOBAL variable and should be set with SET GLOBAL
SET SESSION ssl_crlpath = 'gizmo';
ERROR HY000: Variable 'ssl_crlpath' is a GLOBAL variable and should be set with SET GLOBAL
SET SESSION ssl_cipher = 'gizmo';
ERROR HY000: Variable 'ssl_cipher' is a GLOBAL variable and should be set with SET GLOBAL
SET SESSION tls_ciphersuites = 'gizmo';
ERROR HY000: Variable 'tls_ciphersuites' is a GLOBAL variable and should be set with SET GLOBAL
SET SESSION tls_version = 'gizmo';
ERROR HY000: Variable 'tls_version' is a GLOBAL variable and should be set with SET GLOBAL
# FR6: Must return 9
SELECT VARIABLE_NAME FROM performance_schema.session_status WHERE
VARIABLE_NAME IN
('Current_tls_ca', 'Current_tls_capath', 'Current_tls_cert',
'Current_tls_key', 'Current_tls_version', 'Current_tls_cipher',
'Current_tls_ciphersuites', 'Current_tls_crl', 'Current_tls_crlpath') AND
VARIABLE_VALUE != 'gizmo'
  ORDER BY VARIABLE_NAME;
VARIABLE_NAME
Current_tls_ca
Current_tls_capath
Current_tls_cert
Current_tls_cipher
Current_tls_ciphersuites
Current_tls_crl
Current_tls_crlpath
Current_tls_key
Current_tls_version
# cleanup
SET GLOBAL ssl_ca = @orig_ssl_ca;
SET GLOBAL ssl_cert = @orig_ssl_cert;
SET GLOBAL ssl_key = @orig_ssl_key;
SET GLOBAL ssl_capath = @orig_ssl_capath;
SET GLOBAL ssl_crl = @orig_ssl_crl;
SET GLOBAL ssl_crlpath = @orig_ssl_crlpath;
SET GLOBAL ssl_cipher = @orig_ssl_cipher;
SET GLOBAL tls_ciphersuites = @orig_tls_ciphersuites;
SET GLOBAL tls_version = @orig_tls_version;
################## FR8: X plugin do not follow
# Save the defaults
SET @orig_ssl_ca= @@global.ssl_ca;
SET @orig_ssl_cert= @@global.ssl_cert;
SET @orig_ssl_key= @@global.ssl_key;
SET @orig_mysqlx_ssl_ca= @@global.mysqlx_ssl_ca;
SET @orig_mysqlx_ssl_cert= @@global.mysqlx_ssl_cert;
SET @orig_mysqlx_ssl_key= @@global.mysqlx_ssl_key;
# setting new values for ssl_cert, ssl_key and ssl_ca
SET GLOBAL ssl_cert = "MYSQL_TEST_DIR/std_data/server-cert-sha512.pem";
SET GLOBAL ssl_key = "MYSQL_TEST_DIR/std_data/server-key-sha512.pem";
SET GLOBAL ssl_ca = "MYSQL_TEST_DIR/std_data/ca-sha512.pem";
ALTER INSTANCE RELOAD TLS;
# Check that X variables match the initial ones
SELECT @@global.mysqlx_ssl_ca = @orig_mysqlx_ssl_ca,
@@global.mysqlx_ssl_cert = @orig_mysqlx_ssl_cert,
@@global.mysqlx_ssl_key = @orig_mysqlx_ssl_key;
@@global.mysqlx_ssl_ca = @orig_mysqlx_ssl_ca	1
@@global.mysqlx_ssl_cert = @orig_mysqlx_ssl_cert	1
@@global.mysqlx_ssl_key = @orig_mysqlx_ssl_key	1
# cleanup
SET GLOBAL ssl_cert = @orig_ssl_cert;
SET GLOBAL ssl_key = @orig_ssl_key;
SET GLOBAL ssl_ca = @orig_ssl_ca;
ALTER INSTANCE RELOAD TLS;
################## End of dynamic SSL tests