################################################################################
# Base test to verify the basic TLS 1.3 support on Asynchronous Replication.
#
# Test:
# 0. The test requires two servers: M1 and M2.
# 1. Check replication with TLSv1.3 and some default ciphersuite.
# 2. Check replication with TLSv1.3 and a non-default ciphersuite.
# 3. RESET SLAVE does not clean MASTER_TLS_CIPHERSUITES.
# 4. Check replication with TLSv1.3 and different ciphersuite on master
#    and slave will fail.
# 5. Check replication with TLSv1.3 and empty ciphersuite on slave will
#    fail.
# 6. Clean up.
################################################################################
--source include/not_group_replication_plugin.inc
--source include/have_tlsv13.inc
--source include/have_slave_repository_type_table.inc
--let $rpl_multi_source= 1
--let $rpl_skip_start_slave= 1
--let $rpl_privilege_checks_user_grant_option = 1
--source include/set_privilege_checks_user_as_system_user.inc
--source include/master-slave.inc
--echo ########################################################################
--echo # 1. Check replication with TLSv1.3 and some default ciphersuite.
SET SESSION sql_log_bin=0;
CREATE USER 'replssl'@'%' IDENTIFIED BY 'password' REQUIRE SSL;
GRANT REPLICATION SLAVE ON *.* TO 'replssl'@'%';
SET SESSION sql_log_bin=1;
SET @tls_version_saved= @@GLOBAL.tls_version;
SET GLOBAL tls_version='TLSv1.3';
ALTER INSTANCE RELOAD TLS;
--source include/rpl_connection_slave.inc
--replace_result $MASTER_MYPORT MASTER_PORT
--eval CHANGE REPLICATION SOURCE TO SOURCE_HOST='127.0.0.1', SOURCE_PORT=$MASTER_MYPORT, SOURCE_USER='replssl', SOURCE_PASSWORD='password', SOURCE_SSL=1 FOR CHANNEL 'my_channel'
--let $rpl_channel_name= 'my_channel'
--source include/start_slave.inc
--let $tls_ciphersuites= query_get_value(SELECT TLS_CIPHERSUITES FROM performance_schema.replication_connection_configuration where CHANNEL_NAME = 'my_channel', TLS_CIPHERSUITES, 1)
--let $assert_text = TLS_CIPHERSUITES has the default NULL value
--let $assert_cond = "$tls_ciphersuites" = "NULL"
--source include/assert.inc
--echo ########################################################################
--echo # 2. Check replication with TLSv1.3 and a non-default ciphersuite.
--let $rpl_channel_name= 'my_channel'
--source include/stop_slave.inc
--source include/rpl_connection_master.inc
SET @tls_ciphersuites_saved= @@GLOBAL.tls_ciphersuites;
SET GLOBAL tls_ciphersuites='TLS_AES_128_CCM_8_SHA256';
ALTER INSTANCE RELOAD TLS;
--source include/rpl_connection_slave.inc
CHANGE REPLICATION SOURCE TO SOURCE_TLS_CIPHERSUITES='TLS_AES_128_CCM_8_SHA256' FOR CHANNEL 'my_channel';
--source include/start_slave.inc
--let $assert_text = TLS_CIPHERSUITES has the value TLS_AES_128_CCM_8_SHA256
--let $assert_cond = "[SELECT TLS_CIPHERSUITES FROM performance_schema.replication_connection_configuration where CHANNEL_NAME = \'my_channel\']" = "TLS_AES_128_CCM_8_SHA256"
--source include/assert.inc
--echo ########################################################################
--echo # 3. RESET SLAVE does not clean MASTER_TLS_CIPHERSUITES.
--source include/rpl_connection_slave.inc
--let $rpl_channel_name= 'my_channel'
--source include/stop_slave.inc
RESET SLAVE FOR CHANNEL 'my_channel';
--let $assert_text = TLS_CIPHERSUITES has the value TLS_AES_128_CCM_8_SHA256
--let $assert_cond = "[SELECT TLS_CIPHERSUITES FROM performance_schema.replication_connection_configuration where CHANNEL_NAME = \'my_channel\']" = "TLS_AES_128_CCM_8_SHA256"
--source include/assert.inc
--echo ########################################################################
--echo # 4. Check replication with TLSv1.3 and different ciphersuite on master
--echo # and slave will fail.
CHANGE REPLICATION SOURCE TO SOURCE_TLS_CIPHERSUITES='TLS_AES_128_CCM_SHA256', SOURCE_RETRY_COUNT=1 FOR CHANNEL 'my_channel';
START SLAVE IO_THREAD FOR CHANNEL 'my_channel';
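# The ciphersuites on master and slave no longer match, so the TLS handshake
# fails and the I/O thread stops with CR_SSL_CONNECTION_ERROR (2026).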
--let $slave_io_errno= 2026
--source include/wait_for_slave_io_error.inc
--echo ########################################################################
--echo # 5. Check replication with TLSv1.3 and empty ciphersuite on slave will
--echo # fail.
--source include/rpl_connection_master.inc
SET @@GLOBAL.tls_ciphersuites= @tls_ciphersuites_saved;
ALTER INSTANCE RELOAD TLS;
--source include/rpl_connection_slave.inc
CHANGE REPLICATION SOURCE TO SOURCE_TLS_CIPHERSUITES='' FOR CHANNEL 'my_channel';
--let $assert_text = TLS_CIPHERSUITES has the value ""
--let $assert_cond = "[SELECT TLS_CIPHERSUITES FROM performance_schema.replication_connection_configuration where CHANNEL_NAME = \'my_channel\']" = ""
--source include/assert.inc
START SLAVE IO_THREAD FOR CHANNEL 'my_channel';
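# An empty ciphersuite list leaves the slave nothing to offer for TLSv1.3, so
# the I/O thread stops with CR_SSL_CONNECTION_ERROR (2026).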
--let $slave_io_errno= 2026
--source include/wait_for_slave_io_error.inc
--echo ########################################################################
--echo # 6. Clean-up.
# Clean error state.
--source include/rpl_connection_slave.inc
CHANGE REPLICATION SOURCE TO SOURCE_TLS_CIPHERSUITES=NULL FOR CHANNEL 'my_channel';
--let $tls_ciphersuites= query_get_value(SELECT TLS_CIPHERSUITES FROM performance_schema.replication_connection_configuration where CHANNEL_NAME = 'my_channel', TLS_CIPHERSUITES, 1)
--let $assert_text = TLS_CIPHERSUITES has the default NULL value
--let $assert_cond = "$tls_ciphersuites" = "NULL"
--source include/assert.inc
--source include/start_slave.inc
--source include/stop_slave.inc
--source include/rpl_connection_master.inc
SET @@GLOBAL.tls_version= @tls_version_saved;
SET @@GLOBAL.tls_ciphersuites= @tls_ciphersuites_saved;
ALTER INSTANCE RELOAD TLS;
SET SESSION sql_log_bin=0;
DROP USER 'replssl';
SET SESSION sql_log_bin=1;
--let $rpl_skip_sync= 1
--source include/rpl_end.inc
--source include/rpl_connection_slave.inc
RESET SLAVE ALL FOR CHANNEL 'my_channel';