File: gr_ssl_tls13_runtime_valid_configuration.result

mysql-8.0 8.0.43-3
include/group_replication.inc [rpl_server_count=3]
Warnings:
Note	####	Sending passwords in plain text without SSL/TLS is extremely insecure.
Note	####	Storing MySQL user name or password information in the connection metadata repository is not secure and is therefore not recommended. Please consider using the USER and PASSWORD connection options for START REPLICA; see the 'START REPLICA Syntax' in the MySQL Manual for more information.
[connection server1]

############################################################
# 0. Configure members to use encryption and save defaults.
[connection server1]
SET @tls_version_save= @@GLOBAL.tls_version;
SET @tls_ciphersuites_save= @@GLOBAL.tls_ciphersuites;
SET @ssl_cipher_save= @@GLOBAL.ssl_cipher;
SET @group_replication_ssl_mode_save= @@GLOBAL.group_replication_ssl_mode;
SET @group_replication_recovery_tls_version_save= @@GLOBAL.group_replication_recovery_tls_version;
SET @group_replication_recovery_tls_ciphersuites_save= @@GLOBAL.group_replication_recovery_tls_ciphersuites;
SET @@GLOBAL.group_replication_ssl_mode= REQUIRED;
[connection server2]
SET @tls_version_save= @@GLOBAL.tls_version;
SET @tls_ciphersuites_save= @@GLOBAL.tls_ciphersuites;
SET @ssl_cipher_save= @@GLOBAL.ssl_cipher;
SET @group_replication_ssl_mode_save= @@GLOBAL.group_replication_ssl_mode;
SET @group_replication_recovery_tls_version_save= @@GLOBAL.group_replication_recovery_tls_version;
SET @group_replication_recovery_tls_ciphersuites_save= @@GLOBAL.group_replication_recovery_tls_ciphersuites;
SET @@GLOBAL.group_replication_ssl_mode= REQUIRED;
SET SESSION sql_log_bin= 0;
call mtr.add_suppression("\\[GCS\\] Error connecting to all peers. Member join failed. Local port:*");
call mtr.add_suppression("\\[GCS\\] The member was unable to join the group.*");
call mtr.add_suppression("Timeout on wait for view after joining group");
call mtr.add_suppression("Error connecting to the local group communication engine instance");
SET SESSION sql_log_bin= 1;
[connection server3]
SET @tls_version_save= @@GLOBAL.tls_version;
SET @tls_ciphersuites_save= @@GLOBAL.tls_ciphersuites;
SET @ssl_cipher_save= @@GLOBAL.ssl_cipher;
SET @group_replication_ssl_mode_save= @@GLOBAL.group_replication_ssl_mode;
SET @group_replication_recovery_tls_version_save= @@GLOBAL.group_replication_recovery_tls_version;
SET @group_replication_recovery_tls_ciphersuites_save= @@GLOBAL.group_replication_recovery_tls_ciphersuites;
SET @@GLOBAL.group_replication_ssl_mode= REQUIRED;
SET SESSION sql_log_bin= 0;
call mtr.add_suppression("\\[GCS\\] Error connecting to all peers. Member join failed. Local port:*");
call mtr.add_suppression("\\[GCS\\] The member was unable to join the group.*");
call mtr.add_suppression("Timeout on wait for view after joining group");
call mtr.add_suppression("Error connecting to the local group communication engine instance");
SET SESSION sql_log_bin= 1;

############################################################
# 1. 3 members group with OpenSSL 1.1.1
#    Verify that it is possible to join a node that allows TLS version 1.3
#    and lower versions to a group whose members do not allow TLS 1.3.
#    No --tls-ciphersuites
#    server1: --tls-version='TLSv1.2'
#    server2: --tls-version='TLSv1.2'
#    server3: --tls-version='TLSv1.2,TLSv1.3'
#    Outcome: group will work.
[connection server1]
SET @@GLOBAL.tls_version= 'TLSv1.2';
ALTER INSTANCE RELOAD TLS;
include/start_and_bootstrap_group_replication.inc
[connection server2]
SET @@GLOBAL.tls_version= 'TLSv1.2';
ALTER INSTANCE RELOAD TLS;
include/start_group_replication.inc
[connection server3]
SET @@GLOBAL.tls_version= 'TLSv1.2,TLSv1.3';
ALTER INSTANCE RELOAD TLS;
include/start_group_replication.inc
include/rpl_gr_wait_for_number_of_members.inc
[connection server1]
include/stop_group_replication.inc
[connection server2]
include/stop_group_replication.inc
[connection server3]
include/stop_group_replication.inc

############################################################
# 2. 2 members group with OpenSSL 1.1.1
#    Verify that it is possible to start group replication when :
#      * TLS version is 1.3
#      * A TLS ciphersuite compatible with this version is enabled
#    --tls-version='TLSv1.3'
#    --tls-ciphersuites='TLS_AES_128_CCM_SHA256' (disabled by default)
#    Outcome: group will work.
[connection server1]
SET @@GLOBAL.tls_version= 'TLSv1.3';
SET @@GLOBAL.tls_ciphersuites= 'TLS_AES_128_CCM_SHA256';
SET @@GLOBAL.group_replication_recovery_tls_version= 'TLSv1.3';
SET @@GLOBAL.group_replication_recovery_tls_ciphersuites= 'TLS_AES_128_CCM_SHA256';
ALTER INSTANCE RELOAD TLS;
include/start_and_bootstrap_group_replication.inc
[connection server2]
SET @@GLOBAL.tls_version= 'TLSv1.3';
SET @@GLOBAL.tls_ciphersuites= 'TLS_AES_128_CCM_SHA256';
SET @@GLOBAL.group_replication_recovery_tls_version= 'TLSv1.3';
SET @@GLOBAL.group_replication_recovery_tls_ciphersuites= 'TLS_AES_128_CCM_SHA256';
ALTER INSTANCE RELOAD TLS;
include/start_group_replication.inc
include/rpl_gr_wait_for_number_of_members.inc
[connection server1]
include/stop_group_replication.inc
[connection server2]
include/stop_group_replication.inc

############################################################
# 3. 3 members group with OpenSSL 1.1.1
#    Verify that it is possible to start group replication when:
#      * TLS version is 1.3
#      * Intersection of the allowed TLS ciphersuites is non-empty and valid.
#    --tls-version='TLSv1.3'
#    server1: --tls-ciphersuites='TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384'
#    server2: --tls-ciphersuites='TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_SHA256'
#    server3: --tls-ciphersuites='TLS_AES_128_CCM_8_SHA256: TLS_AES_256_GCM_SHA384'
#    Outcome: group will work.
[connection server1]
SET @@GLOBAL.tls_version= 'TLSv1.3';
SET @@GLOBAL.tls_ciphersuites= 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384';
SET @@GLOBAL.group_replication_recovery_tls_version= 'TLSv1.3';
SET @@GLOBAL.group_replication_recovery_tls_ciphersuites= 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384';
ALTER INSTANCE RELOAD TLS;
include/start_and_bootstrap_group_replication.inc
[connection server2]
SET @@GLOBAL.tls_version= 'TLSv1.3';
SET @@GLOBAL.tls_ciphersuites= 'TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_SHA256';
SET @@GLOBAL.group_replication_recovery_tls_version= 'TLSv1.3';
SET @@GLOBAL.group_replication_recovery_tls_ciphersuites= 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384';
ALTER INSTANCE RELOAD TLS;
include/start_group_replication.inc
[connection server3]
SET @@GLOBAL.tls_version= 'TLSv1.3';
SET @@GLOBAL.tls_ciphersuites= 'TLS_AES_128_CCM_8_SHA256: TLS_AES_256_GCM_SHA384';
SET @@GLOBAL.group_replication_recovery_tls_version= 'TLSv1.3';
SET @@GLOBAL.group_replication_recovery_tls_ciphersuites= 'TLS_AES_128_CCM_8_SHA256: TLS_AES_256_GCM_SHA384';
ALTER INSTANCE RELOAD TLS;
include/start_group_replication.inc
include/rpl_gr_wait_for_number_of_members.inc
[connection server1]
include/stop_group_replication.inc
[connection server2]
include/stop_group_replication.inc
[connection server3]
include/stop_group_replication.inc

############################################################
# 4. 3 members group with OpenSSL 1.1.1
#    Verify that it is possible to join a node to a group when:
#      * List of TLS versions of the group includes v1.3 and lower versions
#      * TLS ciphersuites of the node are compatible with the group,
#         therefore TLS v1.3 is supported
#      * SSL cipher of the node is incompatible with the group, therefore
#         TLS versions lower than 1.3 are not supported
#    --tls-version='TLSv1.2,TLSv1.3'
#    server1: --tls-ciphersuites='TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384'
#    server1: --ssl-cipher='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384'
#    server2: --tls-ciphersuites='TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_SHA256'
#    server2: --ssl-cipher='DHE-RSA-AES256-GCM-SHA384'
#    server3: --tls-ciphersuites='TLS_AES_256_GCM_SHA384'
#    server3: --ssl-cipher='DHE-RSA-AES128-GCM-SHA256'
#    Outcome: group will work.
[connection server1]
SET @@GLOBAL.tls_version= 'TLSv1.2,TLSv1.3';
SET @@GLOBAL.ssl_cipher= 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
SET @@GLOBAL.tls_ciphersuites= 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384';
ALTER INSTANCE RELOAD TLS;
include/start_and_bootstrap_group_replication.inc
[connection server2]
SET @@GLOBAL.tls_version= 'TLSv1.2,TLSv1.3';
SET @@GLOBAL.ssl_cipher= 'DHE-RSA-AES256-GCM-SHA384';
SET @@GLOBAL.tls_ciphersuites  ='TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_SHA256';
ALTER INSTANCE RELOAD TLS;
include/start_group_replication.inc
[connection server3]
SET @@GLOBAL.tls_version= 'TLSv1.2,TLSv1.3';
SET @@GLOBAL.ssl_cipher = 'DHE-RSA-AES128-GCM-SHA256';
SET @@GLOBAL.tls_ciphersuites = 'TLS_AES_256_GCM_SHA384';
ALTER INSTANCE RELOAD TLS;
include/start_group_replication.inc
include/rpl_gr_wait_for_number_of_members.inc
[connection server1]
include/stop_group_replication.inc
[connection server2]
include/stop_group_replication.inc
[connection server3]
include/stop_group_replication.inc

############################################################
# 5. Clean up.
[connection server1]
SET @@GLOBAL.group_replication_ssl_mode= @group_replication_ssl_mode_save;
SET @@GLOBAL.tls_version= @tls_version_save;
SET @@GLOBAL.tls_ciphersuites= @tls_ciphersuites_save;
SET @@GLOBAL.ssl_cipher = @ssl_cipher_save;
SET @@GLOBAL.group_replication_recovery_tls_version= @group_replication_recovery_tls_version_save;
SET @@GLOBAL.group_replication_recovery_tls_ciphersuites= @group_replication_recovery_tls_ciphersuites_save;
ALTER INSTANCE RELOAD TLS;
[connection server2]
SET @@GLOBAL.group_replication_ssl_mode= @group_replication_ssl_mode_save;
SET @@GLOBAL.tls_version= @tls_version_save;
SET @@GLOBAL.tls_ciphersuites= @tls_ciphersuites_save;
SET @@GLOBAL.ssl_cipher = @ssl_cipher_save;
SET @@GLOBAL.group_replication_recovery_tls_version= @group_replication_recovery_tls_version_save;
SET @@GLOBAL.group_replication_recovery_tls_ciphersuites= @group_replication_recovery_tls_ciphersuites_save;
ALTER INSTANCE RELOAD TLS;
[connection server3]
SET @@GLOBAL.group_replication_ssl_mode= @group_replication_ssl_mode_save;
SET @@GLOBAL.tls_version= @tls_version_save;
SET @@GLOBAL.tls_ciphersuites = @tls_ciphersuites_save;
SET @@GLOBAL.ssl_cipher = @ssl_cipher_save;
SET @@GLOBAL.group_replication_recovery_tls_version= @group_replication_recovery_tls_version_save;
SET @@GLOBAL.group_replication_recovery_tls_ciphersuites= @group_replication_recovery_tls_ciphersuites_save;
ALTER INSTANCE RELOAD TLS;
include/group_replication_end.inc