# Not run under plain Valgrind; the include only lets it through with --big-test.
--source include/no_valgrind_without_big.inc
# Remember how many sessions exist now; each section below waits until the
# count is back to this, so a leaked connection is caught by the section
# that opened it.
--source include/count_sessions.inc
# Later sections deliberately reload with unusable material (bogus CA path),
# and the server logs these two messages when that happens.
call mtr.add_suppression("Failed to set up SSL because of the following SSL library error");
call mtr.add_suppression("Failed to initialize TLS for channel: mysql_main");
--echo # Check if ssl is on
# Ssl_cipher is per session: a non-empty value means THIS session negotiated TLS.
SELECT LENGTH(VARIABLE_VALUE) > 0 FROM performance_schema.session_status
WHERE VARIABLE_NAME='Ssl_cipher';
--echo ################## FR1.1 and FR 1.4: ALTER INSTANCE RELOAD TLS
ALTER INSTANCE RELOAD TLS;
--echo # Check if ssl is still turned on after reload
SELECT LENGTH(VARIABLE_VALUE) > 0 FROM performance_schema.session_status
WHERE VARIABLE_NAME='Ssl_cipher';
--echo # FR1.1: check if old sessions continue
# A TLS session opened before the reload must survive it: set a user variable
# there, reload from the default connection, then read the variable back.
--connect (ssl_con,localhost,root,,,,,SSL)
SET @must_be_present= 'present';
--connection default
ALTER INSTANCE RELOAD TLS;
--connection ssl_con
--echo # Success criteria: value must be present
SELECT @must_be_present;
--connection default
--disconnect ssl_con
--echo # cleanup
# Block until the disconnect has actually completed on the server side.
--source include/wait_until_count_sessions.inc
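--echo ################## FR 1.2: check if new sessions get the new vals
--echo # Save the defaults
# Cipher negotiated by the default connection under the current TLS context,
# plus the two globals this section changes, so cleanup can put them back.
let $orig_cipher= query_get_value(SHOW STATUS LIKE 'Ssl_cipher', Value, 1);
SET @orig_ssl_cipher = @@global.ssl_cipher;
SET @orig_tls_version = @@global.tls_version;
--echo # in ssl_con
connect (ssl_con,localhost,root,,,,,SSL);
--echo # check if the session has the original values
# Mask the negotiated cipher name: it depends on the build's SSL library.
--replace_result $orig_cipher orig_cipher
SHOW STATUS LIKE 'Ssl_cipher';
--echo # in default connection
connection default;
--echo # setting new values for ssl_cipher
# The new cipher has to differ from whatever the default context negotiates,
# otherwise the "values differ" check below cannot tell a reload from a no-op.
# TLS 1.2 is pinned because ssl_cipher governs pre-1.3 suites (1.3 suites are
# presumably selected via tls_ciphersuites, which is not touched here).
SET GLOBAL ssl_cipher = "ECDHE-RSA-AES256-GCM-SHA384";
SET GLOBAL tls_version = "TLSv1.2";
ALTER INSTANCE RELOAD TLS;
--echo # in ssl_new_con
connect (ssl_new_con,localhost,root,,,,,SSL);
--echo # Save the new defaults
let $new_cipher= query_get_value(SHOW STATUS LIKE 'Ssl_cipher', Value, 1);
# NOTE: the echo text below still says "not afters" (copy-paste from a
# certificate-validity test); it is kept verbatim because the .result file
# records it. What is compared is the negotiated cipher, not a date.
--echo # Check if the old and the new not afters differ
let $the_same=`SELECT "$new_cipher" = "$orig_cipher"`;
if ($the_same == 1)
{
  die the cipher negotiated by a new session must differ from the original one;
}
--echo # in ssl_con
connection ssl_con;
--echo # the con session must have the original values
# Same masking as above. No trailing ';' here: a '--' command runs to the end
# of the line, so a ';' is not a terminator and would only make this line
# inconsistent with the earlier --replace_result.
--replace_result $orig_cipher orig_cipher
SHOW STATUS LIKE 'Ssl_cipher';
--echo # cleanup
--echo # in default connection
connection default;
disconnect ssl_con;
disconnect ssl_new_con;
# Restore the globals AND rebuild the context, otherwise the next section
# would start on the AES256/TLSv1.2-only context installed above.
SET GLOBAL ssl_cipher = @orig_ssl_cipher;
SET GLOBAL tls_version = @orig_tls_version;
ALTER INSTANCE RELOAD TLS;
# Wait till all disconnects are completed
--source include/wait_until_count_sessions.inc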
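--echo ################## FR 1.5: new values effective only after RELOAD TLS
--echo # Save the defaults
let $orig_cipher= query_get_value(SHOW STATUS LIKE 'Ssl_cipher', Value, 1);
SET @orig_ssl_cipher = @@global.ssl_cipher;
--echo # setting new values for ssl_cipher
# Changed but NOT reloaded: the live TLS context must keep handing the old
# cipher to new sessions until an explicit ALTER INSTANCE RELOAD TLS.
SET GLOBAL ssl_cipher = "ECDHE-RSA-AES128-GCM-SHA256";
--echo # in ssl_con
connect (ssl_con,localhost,root,,,,,SSL);
let $new_cipher= query_get_value(SHOW STATUS LIKE 'Ssl_cipher', Value, 1);
# NOTE: the echo text below still says "not afters" (copy-paste from a
# certificate-validity test); it is kept verbatim because the .result file
# records it. The comparison is on the negotiated cipher.
# Caveat: this check is vacuous if the default context already negotiates
# ECDHE-RSA-AES128-GCM-SHA256 -- when changing the value above, pick one the
# default context does not negotiate.
--echo # Check if the old and the new not afters differ
let $the_same=`SELECT "$new_cipher" = "$orig_cipher"`;
if ($the_same == 0)
{
  die the original cipher must still be in effect until RELOAD TLS;
}
--echo # cleanup
--echo # in default connection
connection default;
disconnect ssl_con;
# No reload in this cleanup: the context was never rebuilt, so restoring the
# global is all that is needed.
SET GLOBAL ssl_cipher = @orig_ssl_cipher;
# Wait till all disconnects are completed
--source include/wait_until_count_sessions.inc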
--echo ################## FR 1.7: CONNECTION_ADMIN will be required to execute
--echo # ALTER INSTANCE RELOAD TLS
# Throw-away account with no grants beyond USAGE (and no password -- fine for
# an MTR sandbox, never copy this into real provisioning). It connects over
# TLS so the reload attempts below come from an unprivileged SSL session.
CREATE USER test_connection_admin@localhost;
--echo # in ssl_con
--connect (ssl_con,localhost,test_connection_admin,,,,,SSL)
--echo # Must fail
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
ALTER INSTANCE RELOAD TLS;
--echo # in default connection
--connection default
# SUPER alone is deliberately NOT sufficient for this statement.
GRANT SUPER ON *.* TO test_connection_admin@localhost;
--echo # in ssl_con
--connection ssl_con
--echo # Must fail
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
ALTER INSTANCE RELOAD TLS;
--echo # in default connection
--connection default
# Swap SUPER for the dynamic privilege the statement actually checks. The
# sequence relies on the grant change being visible to the already-open
# ssl_con session without reconnecting.
REVOKE SUPER ON *.* FROM test_connection_admin@localhost;
GRANT CONNECTION_ADMIN ON *.* TO test_connection_admin@localhost;
--echo # in ssl_con
--connection ssl_con
--echo # Must pass
ALTER INSTANCE RELOAD TLS;
--echo # cleanup
--echo # in default connection
--connection default
--disconnect ssl_con
# Wait till all disconnects are completed
--source include/wait_until_count_sessions.inc
DROP USER test_connection_admin@localhost;
--echo ################## FR 1.8 and 1.9: disable SSL on wrong values
--echo # Save the defaults
SET @orig_ssl_ca= @@global.ssl_ca;
--echo # Seet CA to invalid value
# The SET itself is accepted: ssl_ca is only checked when a TLS context is
# built from it, so the bogus path just sits in the global until RELOAD TLS.
SET GLOBAL ssl_ca = 'gizmo';
--echo # Must fail and not change the SSL params
# Default RELOAD TLS behaviour (FR 1.8): a context that cannot be built is
# rejected and the previously installed one stays in force.
--error ER_DA_SSL_LIBRARY_ERROR
ALTER INSTANCE RELOAD TLS;
--echo # Must be 1
# Current_tls_* reports what is live, which is still the original CA ...
SELECT COUNT(*) FROM performance_schema.session_status
WHERE VARIABLE_NAME = 'Current_tls_ca' AND VARIABLE_VALUE = @orig_ssl_ca;
--echo # Must return gizmo
# ... while the global still holds the rejected value.
SELECT @@global.ssl_ca;
--echo # Must connect successfully
# A TLS-only client still gets in, proving the old context survived.
--exec $MYSQL --ssl-mode=required -e "SELECT 1"
--echo # Must pass with a warning and disable SSL
# NO ROLLBACK ON ERROR installs the unusable context anyway, i.e. the server
# ends up with TLS switched off rather than serving stale material. Operational
# caveat: clients that merely prefer TLS would then fall back to plaintext;
# only clients that require it (as below) are refused.
ALTER INSTANCE RELOAD TLS NO ROLLBACK ON ERROR;
--echo # Must be 1
SELECT COUNT(*) FROM performance_schema.session_status
WHERE VARIABLE_NAME = 'Current_tls_ca' AND VARIABLE_VALUE = 'gizmo';
--echo # Must fail to connect
# mysql client exits with status 1 when --ssl-mode=required cannot be met.
--error 1
--exec $MYSQL --ssl-mode=required -e "SELECT 1"
--echo # cleanup
SET GLOBAL ssl_ca = @orig_ssl_ca;
ALTER INSTANCE RELOAD TLS;
--echo # FR 1.9: Must connect successfully
# Restoring a usable CA and reloading brings TLS back without a restart.
--exec $MYSQL --ssl-mode=required -e "SELECT 1"
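--echo ################## FR2 and FR6: --ssl-* variables settable at runtime.
# Snapshot every TLS global this section touches. Each saved name must pair
# one-to-one with a restore in the cleanup at the end of the section.
SET @orig_ssl_ca= @@global.ssl_ca;
SET @orig_ssl_cert= @@global.ssl_cert;
SET @orig_ssl_key= @@global.ssl_key;
SET @orig_ssl_capath= @@global.ssl_capath;
SET @orig_ssl_crl= @@global.ssl_crl;
SET @orig_ssl_crlpath= @@global.ssl_crlpath;
SET @orig_ssl_cipher= @@global.ssl_cipher;
SET @orig_tls_ciphersuites= @@global.tls_ciphersuites;
SET @orig_tls_version= @@global.tls_version;
--echo # Must pass
# Path and cipher-list variables accept any string at SET time; they are only
# checked when a RELOAD TLS tries to build a context from them.
SET GLOBAL ssl_ca = 'gizmo';
SET GLOBAL ssl_cert = 'gizmo';
SET GLOBAL ssl_key = 'gizmo';
SET GLOBAL ssl_capath = 'gizmo';
SET GLOBAL ssl_crl = 'gizmo';
SET GLOBAL ssl_crlpath = 'gizmo';
SET GLOBAL ssl_cipher = 'gizmo';
SET GLOBAL tls_ciphersuites = 'gizmo';
# tls_version is the exception: an unknown value is rejected at SET time.
--error ER_WRONG_VALUE_FOR_VAR
SET GLOBAL tls_version = 'gizmo';
--echo # Must fail
# All of these are GLOBAL-only; SESSION scope must be refused for each.
--error ER_GLOBAL_VARIABLE
SET SESSION ssl_ca = 'gizmo';
--error ER_GLOBAL_VARIABLE
SET SESSION ssl_cert = 'gizmo';
--error ER_GLOBAL_VARIABLE
SET SESSION ssl_key = 'gizmo';
--error ER_GLOBAL_VARIABLE
SET SESSION ssl_capath = 'gizmo';
--error ER_GLOBAL_VARIABLE
SET SESSION ssl_crl = 'gizmo';
--error ER_GLOBAL_VARIABLE
SET SESSION ssl_crlpath = 'gizmo';
--error ER_GLOBAL_VARIABLE
SET SESSION ssl_cipher = 'gizmo';
--error ER_GLOBAL_VARIABLE
SET SESSION tls_ciphersuites = 'gizmo';
--error ER_GLOBAL_VARIABLE
SET SESSION tls_version = 'gizmo';
--echo # FR6: Must return 9
# None of the SETs above was followed by RELOAD TLS, so the live context --
# what the Current_tls_* status variables report -- must show none of the
# new values: all nine rows are expected back.
SELECT VARIABLE_NAME FROM performance_schema.session_status WHERE
VARIABLE_NAME IN
('Current_tls_ca', 'Current_tls_capath', 'Current_tls_cert',
'Current_tls_key', 'Current_tls_version', 'Current_tls_cipher',
'Current_tls_ciphersuites', 'Current_tls_crl', 'Current_tls_crlpath') AND
VARIABLE_VALUE != 'gizmo'
ORDER BY VARIABLE_NAME;
--echo # cleanup
# Restore from the snapshot. No reload is needed: the context was never
# rebuilt from the 'gizmo' values.
# Fix: the save above used to write @orig_tls_cipher while this restore read
# @orig_tls_ciphersuites -- an unset user variable -- so tls_ciphersuites was
# silently reset to NULL instead of to its saved value. Both sides now use
# @orig_tls_ciphersuites (the .result file needs re-recording for the renamed
# SET line).
SET GLOBAL ssl_ca = @orig_ssl_ca;
SET GLOBAL ssl_cert = @orig_ssl_cert;
SET GLOBAL ssl_key = @orig_ssl_key;
SET GLOBAL ssl_capath = @orig_ssl_capath;
SET GLOBAL ssl_crl = @orig_ssl_crl;
SET GLOBAL ssl_crlpath = @orig_ssl_crlpath;
SET GLOBAL ssl_cipher = @orig_ssl_cipher;
SET GLOBAL tls_ciphersuites = @orig_tls_ciphersuites;
SET GLOBAL tls_version = @orig_tls_version;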
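--echo ################## FR8: X plugin do not follow
--echo # Save the defaults
# Snapshot both the classic-protocol globals (changed below) and the X plugin
# ones (expected to stay untouched).
SET @orig_ssl_ca= @@global.ssl_ca;
SET @orig_ssl_cert= @@global.ssl_cert;
SET @orig_ssl_key= @@global.ssl_key;
SET @orig_mysqlx_ssl_ca= @@global.mysqlx_ssl_ca;
SET @orig_mysqlx_ssl_cert= @@global.mysqlx_ssl_cert;
SET @orig_mysqlx_ssl_key= @@global.mysqlx_ssl_key;
--echo # setting new values for ssl_cert, ssl_key and ssl_ca
# Point the classic listener at the sha512 key pair and CA from std_data;
# the replace keeps the build-specific path out of the result file.
--replace_result "$MYSQL_TEST_DIR" MYSQL_TEST_DIR
eval SET GLOBAL ssl_cert = "$MYSQL_TEST_DIR/std_data/server-cert-sha512.pem";
--replace_result "$MYSQL_TEST_DIR" MYSQL_TEST_DIR
eval SET GLOBAL ssl_key = "$MYSQL_TEST_DIR/std_data/server-key-sha512.pem";
--replace_result "$MYSQL_TEST_DIR" MYSQL_TEST_DIR
eval SET GLOBAL ssl_ca = "$MYSQL_TEST_DIR/std_data/ca-sha512.pem";
ALTER INSTANCE RELOAD TLS;
--echo # Check that X variables match the initial ones
# Only the mysqlx_ssl_* globals are compared; whether the X plugin's live TLS
# context is affected by the reload is not exercised here.
--vertical_results
SELECT @@global.mysqlx_ssl_ca = @orig_mysqlx_ssl_ca,
@@global.mysqlx_ssl_cert = @orig_mysqlx_ssl_cert,
@@global.mysqlx_ssl_key = @orig_mysqlx_ssl_key;
# --vertical_results is sticky in mysqltest; switch back so the mode does not
# leak past this section.
--horizontal_results
--echo # cleanup
# Restore the original material and rebuild the context so the server is left
# exactly as found.
SET GLOBAL ssl_cert = @orig_ssl_cert;
SET GLOBAL ssl_key = @orig_ssl_key;
SET GLOBAL ssl_ca = @orig_ssl_ca;
ALTER INSTANCE RELOAD TLS;
--echo ################## End of dynamic SSL tests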