| Bug #113258 | TLS 1.3 tests fail | ||
|---|---|---|---|
| Submitted: | 28 Nov 2023 14:34 | Modified: | 9 May 2024 10:29 |
| Reporter: | Laurynas Biveinis (OCA) | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | Tests | Severity: | S3 (Non-critical) |
| Version: | 8.2.0, 8.3.0 | OS: | MacOS |
| Assigned to: | | CPU Architecture: | Any |
[28 Nov 2023 15:10]
Laurynas Biveinis
[ 50%] auth_sec.wl15800_ciphers_tlsv13 [ fail ]
Test ended at 2023-11-28 17:09:38
CURRENT_TEST: auth_sec.wl15800_ciphers_tlsv13
mysqltest: At line 59: Command "$MYSQL --protocol=TCP --host=127.0.0.1 -P $MASTER_MYPORT --ssl-mode=REQUIRED --tls-version=TLSv1.2 -u$USER --ssl-cipher=$CIPHER_NAME -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1" failed.
Output from before failure:
ERROR 2026 (HY000): SSL connection error: error:0A0000B5:SSL routines::no ciphers available
exec of '/Users/laurynas/vilniusdb/mysql-8.2.0/_build-debug/runtime_output_directory//mysql --defaults-file=/Users/laurynas/vilniusdb/mysql-8.2.0/_build-debug/mysql-test/var/my.cnf --protocol=TCP --host=127.0.0.1 -P 13000 --ssl-mode=REQUIRED --tls-version=TLSv1.2 -uarthurdent --ssl-cipher=DHE-RSA-AES256-CCM8 -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1' failed, error: 256, status: 1, errno: 22.
In included file ./suite/auth_sec/include/wl15800_cipher_test.inc: 60
included from /Users/laurynas/vilniusdb/mysql-8.2.0/mysql-test/suite/auth_sec/t/wl15800_ciphers_tlsv13.test: 181
The result from queries just before the failure was:
Ssl_cipher DHE-RSA-AES128-CCM
# Expecting connection success with cipher: DHE-RSA-CHACHA20-POLY1305 on main channel
Variable_name Value
Ssl_cipher DHE-RSA-CHACHA20-POLY1305
# Expecting connection success with cipher: DHE-RSA-CHACHA20-POLY1305 on admin channel
Variable_name Value
Ssl_cipher DHE-RSA-CHACHA20-POLY1305
#-----------------------------------------------------------------------
#-----------------------------------------------------------------------
# Checking deprecated ciphers
# Setting server ciphers: DHE-RSA-AES256-CCM8:DHE-RSA-AES128-CCM8:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA256:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-GCM-SHA256:AES128-CCM:AES128-CCM8:AES256-GCM-SHA384:AES256-CCM:AES256-CCM8:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:CAMELLIA256-SHA:CAMELLIA128-SHA
Pattern "Value for option 'ssl_cipher' contains cipher 'DHE-RSA-AES256-CCM8' that is either blocked or deprecated" found
Pattern "Value for option 'admin_ssl_cipher' contains cipher 'DHE-RSA-AES256-CCM8' that is either blocked or deprecated" found
# Expecting connection success with cipher: DHE-RSA-AES256-CCM8 on main channel
ERROR 2026 (HY000): SSL connection error: error:0A0000B5:SSL routines::no ciphers available
exec of '/Users/laurynas/vilniusdb/mysql-8.2.0/_build-debug/runtime_output_directory//mysql --defaults-file=/Users/laurynas/vilniusdb/mysql-8.2.0/_build-debug/mysql-test/var/my.cnf --protocol=TCP --host=127.0.0.1 -P 13000 --ssl-mode=REQUIRED --tls-version=TLSv1.2 -uarthurdent --ssl-cipher=DHE-RSA-AES256-CCM8 -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1' failed, error: 256, status: 1, errno: 22.
safe_process[14569]: Child process: 14570, exit: 1
[28 Nov 2023 16:29]
MySQL Verification Team
Hi Mr. Biveinis,
Thank you for your bug report.
We have not hit upon the above error, but we have hit upon many other warnings and errors, like:
unknown variable 'loose-mysqlx-*' (8 times)
Error messages about non-existing directories
.....
Errors and warnings in /var/log/rpl.rpl_tlsv13-stmt/rpl_tlsv13.log file.
This all stems from the fact that test scripts are not reading all cmake options, hence they use defaults instead of the values that were passed through the running of the command-line cmake.
Verified as reported.
[23 Jan 2024 10:32]
Laurynas Biveinis
Same on 8.3.0
[23 Jan 2024 11:13]
MySQL Verification Team
Thank you, Mr. Biveinis.
[10 Mar 2024 1:21]
Alfred Wingate
I've experienced the same failures with MySQL 8.0.36 on Gentoo Linux if the system OpenSSL is 3.2 but not if the system OpenSSL is 3.0. This appears to be a symptom of CCM8 ciphers getting their security level downgraded to 0 and therefore being unusable for MySQL, which sets its security level to 2.
https://github.com/openssl/openssl/commit/1a473d1cc67e04ae9fea517b36dc332143250cf5
https://github.com/openssl/openssl/commit/e07102220afe4059bc45aa3d7073b7678329e26e
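A way to check the explanation in the comment above against a given OpenSSL build, as an added example that is not part of the report or of MySQL's test suite: it restricts a client to one cipher at a chosen security level, caps the protocol at TLS 1.2 as the failing test does, and asks OpenSSL to build a ClientHello in memory. The function names `client_can_offer` and `report` are hypothetical, and the example generalizes to any cipher name and level rather than only the CCM8 case.

```python
import ssl

def client_can_offer(cipher, seclevel, max_version=ssl.TLSVersion.TLSv1_2):
    """True  -> a ClientHello offering `cipher` is produced at this security level
    False -> OpenSSL refuses at handshake start (the 'no ciphers available' case)
    None  -> the cipher name is not known to this OpenSSL build"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # no peer is contacted, nothing is verified
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = max_version  # mirrors --tls-version=TLSv1.2 in the failing test
    try:
        ctx.set_ciphers(f"{cipher}:@SECLEVEL={seclevel}")
    except ssl.SSLError:
        return None
    # Memory BIOs keep the handshake offline: only the first flight is built.
    conn = ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO())
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        return True    # ClientHello written, now waiting for a server reply
    except ssl.SSLError:
        return False   # every configured cipher was filtered out
    return True

def report(ciphers, levels=(0, 1, 2)):
    """Map each cipher to {security level: result of client_can_offer}."""
    return {c: {lvl: client_can_offer(c, lvl) for lvl in levels} for c in ciphers}

if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    names = ["DHE-RSA-AES256-CCM8", "AES128-CCM8",
             "DHE-RSA-AES256-CCM", "ECDHE-RSA-AES128-GCM-SHA256"]
    for name, row in report(names).items():
        print(f"{name:32} {row}")
```

Run it with the Python interpreter linked against the same OpenSSL as the MySQL build under test; a `False` for the CCM8 names at level 2 alongside `True` at level 0 matches the behaviour described for OpenSSL 3.2.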
[11 Mar 2024 11:23]
MySQL Verification Team
Thank you for your contribution. This is still a verified bug and we do not know when it will be fixed.
[8 May 2024 13:19]
Laurynas Biveinis
No longer can reproduce on 8.0.37 / 8.4.0
[9 May 2024 10:29]
MySQL Verification Team
Thank you, Mr. Biveinis, for your feedback. This report is now closed.

Description:
On macOS, 8.2.0 debug build:
$ ./mtr rpl.rpl_tlsv13
...
[ 25%] rpl.rpl_tlsv13 'mix' [ fail ]
Test ended at 2023-11-28 16:33:17
CURRENT_TEST: rpl.rpl_tlsv13
mysqltest: At line 176: Error condition reached in include/wait_for_slave_param.inc
In included file ./include/wait_for_slave_param.inc: 177
included from ./include/wait_for_slave_io_to_start.inc: 48
included from ./include/wait_for_slave_to_start.inc: 34
included from ./include/start_slave.inc: 45
included from /Users/laurynas/vilniusdb/mysql-8.2.0/mysql-test/suite/rpl/t/rpl_tlsv13.test: 59
The result from queries just before the failure was:
14 ./slave-relay-bin-channel_1.000001 4 0 0 0 1 channel_1 NULL NULL 0 STREAM OFF
14 ./slave-relay-bin-my_channel.000001 4 master-bin.000001 157 0 4 1 my_channel NULL NULL 0 STREAM OFF
**** slave_master_info on server_2 ****
SELECT * FROM mysql.slave_master_info;
Number_of_lines Master_log_name Master_log_pos Host User_name User_password Port Connect_retry Enabled_ssl Ssl_ca Ssl_capath Ssl_cert Ssl_cipher Ssl_key Ssl_verify_server_cert Heartbeat Bind Ignored_server_ids Uuid Retry_count Ssl_crl Ssl_crlpath Enabled_auto_position Channel_name Tls_version Public_key_path Get_public_key Network_namespace Master_compression_algorithm Master_zstd_compression_level Tls_ciphersuites Source_connection_auto_failover Gtid_only
33 4 127.0.0.1 root 13000 1 0 0 30 0 10 0channel_1 0 uncompressed 3 NULL 0 0
33 master-bin.000001 157 127.0.0.1 replssl password 13000 60 1 0 30 0 106a9526-8dfb-11ee-b805-79ca8a54082a 10 0 my_channel 0 uncompressed 3 TLS_AES_128_CCM_8_SHA256 0 0
**** mysql.gtid_executed on server_2 ****
SELECT * FROM mysql.gtid_executed;
source_uuid interval_start interval_end
rpl_topology=1->2
extra debug info if any: ''
connection default;
1 tests executed in this mtr thread: rpl.rpl_tlsv13
last error log entry: SERVER_1:<none>; SERVER_2:<Thread: 19 Error: MY-010584: Replica I/O for channel 'my_channel': Error connecting to source 'replssl@127.0.0.1:13000'. This was attempt 1/10, with a delay of 60 seconds between attempts. Message: SSL connection error: error:0A0000B5:SSL routines::no ciphers available, Error_code: MY-002026>
rpl error summary: SERVER_2:( RECEIVERS:(CHANNEL:<my_channel> ERROR:<Error connecting to source 'replssl@127.0.0.1:13000'. This was attempt 1/10, with a delay of 60 seconds between attempts. Message: SSL connection error: error:0A0000B5:SSL routines::no ciphers available>))
connection slave;

How to repeat:
See above