Bug #25988 openssl_1 Test Case Fails
Submitted: 31 Jan 2007 17:53
Modified: 7 Feb 2008 8:09
Reporter: BJ Dierkes
Status: Closed
Category: MySQL Server: Tests
Severity: S3 (Non-critical)
Version: 5.0.27, 5.0.33, 5.0.51
OS: Linux (Redhat Enterprise Linux 4)
Assigned to: Magnus Blåudd
CPU Architecture: Any

[31 Jan 2007 17:53] BJ Dierkes
Description:
Systems verified on:

OS: Redhat Enterprise Linux 4
Arch: i386
GCC: 3.4.6-3
GLIBC: 2.3.4-2.25

Upon running 'make test' the following test case fails every time:

openssl_1                      [ fail ]

Errors are (from /home/rpm-dev/usr/src/redhat/SOURCES/mysql-5.0.33/mysql-test/var/log/mysqltest-time) :
mysqltest: At line 20: query 'connect  con3,localhost,ssl_user3,,,,,SSL' failed: 1045: Access denied for user 'ssl_user3'@'localhost' (using password: NO)
(the last lines may be the most important ones)
Result from queries before failure can be found in r/openssl_1.log

Aborting: openssl_1 failed in default mode. To continue, re-run with '--force'.
Stopping All Servers
Shutting-down Instance Manager
make: *** [test] Error 1

The following is the output of 'r/openssl_1.log':

drop table if exists t1;
create table t1(f1 int);
insert into t1 values (5);
grant select on test.* to ssl_user1@localhost require SSL;
grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA";
grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
flush privileges;

The following is the configure line used:

./configure \
        --with-readline \
        --with-openssl \
        --without-debug \
        --enable-shared \
        --with-bench \
        --localstatedir=/var/lib/mysql \
        --with-unix-socket-path=/var/lib/mysql/mysql.sock \
        --with-mysqld-user="mysql" \
        --with-extra-charsets=all \
        --with-innodb \
        --with-berkeley-db \
        --enable-local-infile \
        --enable-largefile \
        --enable-thread-safe-client \
        --disable-dependency-tracking \
        --with-named-thread-libs="-lpthread"

How to repeat:
run 'configure', 'make', and then 'make test' or simply run the individual test case like so:

[rpm-dev@rhel-i386-es-4 mysql-test]$ ./mysql-test-run --with-openssl openssl_1
Logging: ./mysql-test-run --with-openssl openssl_1
MySQL Version 5.0.33
Skipping ndbcluster, mysqld not compiled with ndbcluster
Setting mysqld to support SSL connections
Using MTR_BUILD_THREAD      = 0
Using MASTER_MYPORT         = 9306
Using MASTER_MYPORT1        = 9307
Using SLAVE_MYPORT          = 9308
Using SLAVE_MYPORT1         = 9309
Using SLAVE_MYPORT2         = 9310
Using IM_PORT               = 9312
Using IM_MYSQLD1_PORT       = 9313
Using IM_MYSQLD2_PORT       = 9314
Killing Possible Leftover Processes
Removing Stale Files
Creating Directories
Installing Master Database
Installing Master Database
=======================================================
Starting Tests in the 'main' suite

TEST                           RESULT         TIME (ms)
-------------------------------------------------------

openssl_1                      [ fail ]

Errors are (from /home/rpm-dev/usr/src/redhat/SOURCES/mysql-5.0.33/mysql-test/var/log/mysqltest-time) :
mysqltest: At line 20: query 'connect  con3,localhost,ssl_user3,,,,,SSL' failed: 1045: Access denied for user 'ssl_user3'@'localhost' (using password: NO)
(the last lines may be the most important ones)
Result from queries before failure can be found in r/openssl_1.log

Aborting: openssl_1 failed in default mode. To continue, re-run with '--force'.
Stopping All Servers 

Suggested fix:
No idea yet.
[31 Jan 2007 17:56] BJ Dierkes
Additionally, I forgot to mention the OpenSSL Version:

OpenSSL 0.9.7a
[31 Jan 2007 18:13] BJ Dierkes
Test Case Fails on the following as well (same output as listed above):

OS: Red Hat Enterprise Linux ES release 3 (Taroon Update 8)
Arch: i386
GCC: 3.2.3-56
GLIBC: 2.3.2-95-44
OpenSSL: 0.9.7a-33.21
[1 Feb 2007 14:02] Magnus Blåudd
Yes, this problem occurs when compiling MySQL to use the OpenSSL library for SSL support.
[1 Feb 2007 14:09] Magnus Blåudd
The log file from mysqld says:

070201 17:05:59 [Note] X509 subject mismatch: should be '/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB' but is '/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com'
[1 Feb 2007 14:13] Magnus Blåudd
Require the user to have a specific SUBJECT:
mysql> grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB"

Then connect and the call to "X509_NAME_oneline(X509_get_issuer_name(cert))" will return '/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com', i.e. it also includes the emailAddress part.

This is caused by a slight difference between how OpenSSL and yaSSL (the SSL library MySQL normally uses) have implemented 'X509_NAME_oneline'
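Added example (not MySQL, OpenSSL or yaSSL code): a dependency-free C model of the subject mismatch described in the comments above. It assumes the server compares the REQUIRE SUBJECT string with the one-line subject by exact equality, as the "X509 subject mismatch" log line suggests; `dn_oneline` and `grant_admits_client` are hypothetical helpers.

```c
#include <stdio.h>
#include <string.h>

/* One relative distinguished name (RDN) of a certificate subject. */
struct rdn { const char *type; const char *value; };

/* Subject of the client certificate, copied from the dump on this page. */
static const struct rdn CLIENT_SUBJECT[] = {
    {"C", "SE"}, {"ST", "Uppsala"}, {"L", "Uppsala"}, {"O", "MySQL AB"},
    {"emailAddress", "abstract.mysql.developer@mysql.com"},
};
#define CLIENT_SUBJECT_LEN (sizeof CLIENT_SUBJECT / sizeof CLIENT_SUBJECT[0])

/* Render a DN as "/type=value/...". include_email=1 models the OpenSSL
 * output in the mysqld log; include_email=0 models a renderer that omits
 * emailAddress (assumed: yaSSL before the "add email to DN output" patch).
 * Returns 0 on success, -1 if the buffer is too small. */
int dn_oneline(const struct rdn *dn, size_t n, int include_email,
               char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (!include_email && strcmp(dn[i].type, "emailAddress") == 0)
            continue;
        int w = snprintf(out + used, outlen - used, "/%s=%s",
                         dn[i].type, dn[i].value);
        if (w < 0 || (size_t)w >= outlen - used) return -1; /* truncated */
        used += (size_t)w;
    }
    return 0;
}

/* Does a REQUIRE SUBJECT string admit the client under a given renderer? */
int grant_admits_client(const char *required, int include_email)
{
    char presented[256];
    if (dn_oneline(CLIENT_SUBJECT, CLIENT_SUBJECT_LEN, include_email,
                   presented, sizeof presented) != 0)
        return 0; /* fail closed if the DN cannot be rendered */
    /* Assumed model of the server check: exact equality, no prefix match. */
    return strcmp(required, presented) == 0;
}

int main(void)
{
    const char *short_dn = "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
    printf("short grant, email rendered: %d\n", grant_admits_client(short_dn, 1));
    printf("short grant, email omitted:  %d\n", grant_admits_client(short_dn, 0));
    return 0;
}
```

Because the comparison is exact, a grant written against one library's rendering denies the same certificate under the other, which is why the later test grants on this page carry the full subject including emailAddress.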
[1 Feb 2007 17:17] Magnus Blåudd
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=SE, ST=Uppsala, L=Uppsala, O=MySQL AB
        Validity
            Not Before: May  3 08:55:39 2006 GMT
            Not After : Jan 27 08:55:39 2009 GMT
        Subject: C=SE, ST=Uppsala, L=Uppsala, O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
[6 Feb 2007 15:28] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/19406

ChangeSet@1.2402, 2007-02-06 16:28:36+01:00, msvensson@neptunus.(none) +3 -0
  Bug#25988 openssl_1 Test Case Fails
   - Small difference in output from 'X509_NAME_Oneline' between OpenSSL and yaSSL. OpenSSL uses
     an extension that allows the email address of the cert holder.
   - Imported patch for yaSSL "add email to DN output"
[6 Feb 2007 17:53] BJ Dierkes
Not sure where the issue is, however upon first use this is what I'm getting with said patch:

openssl_1                      [ fail ]

Errors are (from /home/rpm-dev/usr/src/redhat/BUILD/mysql-5.0.27/mysql-test/var/log/mysqltest-time) :
mysqltest: Result length mismatch
(the last lines may be the most important ones)
Below are the diffs between actual and expected results:
-------------------------------------------------------
*** r/openssl_1.result  2007-02-06 20:16:28.000000000 +0300
--- r/openssl_1.reject  2007-02-06 20:46:18.000000000 +0300
***************
*** 47,53 ****
  mysqltest: Could not open connection 'default': 2026 SSL connection error
  mysqltest: Could not open connection 'default': 2026 SSL connection error
  mysqltest: Could not open connection 'default': 2026 SSL connection error
! Error when connection to server using SSL:Unable to get private key from ''
  mysqltest: Could not open connection 'default': 2026 SSL connection error
! Error when connection to server using SSL:Unable to get certificate from ''
  mysqltest: Could not open connection 'default': 2026 SSL connection error
--- 47,59 ----
  mysqltest: Could not open connection 'default': 2026 SSL connection error
  mysqltest: Could not open connection 'default': 2026 SSL connection error
  mysqltest: Could not open connection 'default': 2026 SSL connection error
! Error when connection to server using SSL:15402:error:02001002:system library:fopen:No such file or directory:bss_file.c:259:fopen('','r')
! 15402:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
! 15402:error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib:ssl_rsa.c:691:
! Unable to get private key from ''
  mysqltest: Could not open connection 'default': 2026 SSL connection error
! Error when connection to server using SSL:15417:error:02001002:system library:fopen:No such file or directory:bss_file.c:259:fopen('','r')
! 15417:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
! 15417:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:ssl_rsa.c:513:
! Unable to get certificate from ''
  mysqltest: Could not open connection 'default': 2026 SSL connection error
-------------------------------------------------------
Please follow the instructions outlined at
http://dev.mysql.com/doc/mysql/en/reporting-mysqltest-bugs.html
to find the reason to this problem and how to report this.

Aborting: openssl_1 failed in default mode. To continue, re-run with '--force'.

Ending Tests
Shutting-down MySQL daemon

Master shutdown finished
Slave shutdown finished
make: *** [test] Error 1
[6 Feb 2007 17:55] BJ Dierkes
The comment above was against version 5.0.27 (experiencing the same issue as 5.0.33).   Patch was re-written to patch source properly.
[8 Feb 2007 9:47] Magnus Blåudd
You are right. I fixed the remaining problems with that testcase as part of "Bug#24157 openssl_1 regression test is broken two different ways".

Please note that it's just the testcase that is failing, because the error messages produced when a connection fails are a little different between yaSSL and OpenSSL; the functionality of SSL connections is working as expected.
[8 Feb 2007 20:28] BJ Dierkes
Sorry, but still having issues after applying both patches:

[rpm-dev@rhel-i386-es-4 mysql-test]$ ./mysql-test-run --with-openssl openssl_1
Using MTR_BUILD_THREAD   = 11
Using MASTER_MYPORT      = 10110
Using MYSQL_MANAGER_PORT = 10112
Using SLAVE_MYPORT       = 10113
Using NDBCLUSTER_PORT    = 10116
Logging: ./mysql-test-run --with-openssl openssl_1
Installing Test Databases
Removing Stale Files
Installing Master Databases
running  ../sql/mysqld --no-defaults --bootstrap --skip-grant-tables     --basedir=. --datadir=./var/master-data --skip-innodb --skip-ndbcluster --skip-bdb     --language=../sql/share/english/ --character-sets-dir=../sql/share/charsets/
Installing Slave Databases
running  ../sql/mysqld --no-defaults --bootstrap --skip-grant-tables     --basedir=. --datadir=./var/slave-data --skip-innodb --skip-ndbcluster --skip-bdb     --language=../sql/share/english/ --character-sets-dir=../sql/share/charsets/
Manager disabled, skipping manager start.
Loading Standard Test Databases
Starting Tests

TEST                            RESULT
-------------------------------------------------------
openssl_1                      [ fail ]

Errors are (from /home/rpm-dev/usr/src/redhat/BUILD/mysql-5.0.27/mysql-test/var/log/mysqltest-time) :
mysqltest: Result length mismatch
(the last lines may be the most important ones)
Below are the diffs between actual and expected results:
-------------------------------------------------------
*** r/openssl_1.result  2007-02-08 20:50:55.000000000 +0300
--- r/openssl_1.reject  2007-02-08 22:59:22.000000000 +0300
***************
*** 47,53 ****
  mysqltest: Could not open connection 'default': 2026 SSL connection error
  mysqltest: Could not open connection 'default': 2026 SSL connection error
  mysqltest: Could not open connection 'default': 2026 SSL connection error
! Error when connection to server using SSL:Unable to get private key from ''
  mysqltest: Could not open connection 'default': 2026 SSL connection error
! Error when connection to server using SSL:Unable to get certificate from ''
  mysqltest: Could not open connection 'default': 2026 SSL connection error
--- 47,53 ----
  mysqltest: Could not open connection 'default': 2026 SSL connection error
  mysqltest: Could not open connection 'default': 2026 SSL connection error
  mysqltest: Could not open connection 'default': 2026 SSL connection error
! SSL error: Unable to get private key from ''
  mysqltest: Could not open connection 'default': 2026 SSL connection error
! SSL error: Unable to get certificate from ''
  mysqltest: Could not open connection 'default': 2026 SSL connection error
-------------------------------------------------------
Please follow the instructions outlined at
http://dev.mysql.com/doc/mysql/en/reporting-mysqltest-bugs.html
to find the reason to this problem and how to report this.

Aborting: openssl_1 failed in default mode. To continue, re-run with '--force'.

Ending Tests
Shutting-down MySQL daemon

Master shutdown finished
Slave shutdown finished
[9 Feb 2007 16:47] Magnus Blåudd
It's still just the error message being wrong. Maybe I forgot to commit the .result file. Will check next week.

We really want to give the user a possibility to diagnose why the connection failed, so I updated the error messages here to be consistent and inform the user of what happened.
[14 Feb 2007 15:11] Chad MILLER
Available in 5.0.36 and 5.1.16-beta.
[14 Feb 2007 16:50] Paul DuBois
Change to test suite. No changelog entry needed.
[10 Dec 2007 19:43] BJ Dierkes
I pulled openssl_1 from disabled.def since it was supposed to be fixed several releases ago. Unfortunately, with the latest sources it still fails:

Version 5.0.51:

odbc                           [ pass ]            152
olap                           [ pass ]           1030
openssl_1                      [ fail ]

mysqltest: At line 19: query 'connect  con1,localhost,ssl_user1,,,,,SSL' failed: 2026: SSL connection error

The result from queries just before the failure was:
drop table if exists t1;
create table t1(f1 int);
insert into t1 values (5);
grant select on test.* to ssl_user1@localhost require SSL;
grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA";
grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com";
grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
flush privileges;

More results from queries before failure can be found in /builddir/build/BUILD/mysql-5.0.51/mysql-test/var/log/openssl_1.log

Aborting: openssl_1 failed in default mode. 
To continue, re-run with '--force'.
Stopping All Servers
make: *** [test-ns] Error 1
[7 Feb 2008 7:17] Magnus Blåudd
T@-1221637: info: client_character_set: 8
T@-1221637: info: client capabilities: 1073982093
T@-1221637: info: IO layer change in progress...
T@-1221637: >sslaccept
T@-1221637: <sslaccept
T@-1221637: >sslconnect
T@-1221637: | enter: ptr: 0x864ea90, sd: 25  ctx: 0x864eb08
T@-1221637: | >vio_blocking
T@-1221637: | | enter: set_blocking_mode: 1  old_mode: 0
T@-1221637: | | exit: 0
T@-1221637: | <vio_blocking
T@-1221637: | info: ssl: 0x867fcb8 timeout: 60
T@-1221637: | error: SSL_do_handshake failure
T@-1221637: | >report_errors
T@-1221637: | | error: OpenSSL: error:140B4090:SSL routines:SSL_do_handshake:connection type not set:ssl_lib.c:2034:

T@-1221637: | | error: error: error:00000005:lib(0):func(0):DH lib
T@-1221637: | | info: socket_errno: 0
T@-1221637: | <report_errors
T@-1221637: | >vio_blocking
T@-1221637: | | enter: set_blocking_mode: 0  old_mode: 1
T@-1221637: | | exit: 0
T@-1221637: | <vio_blocking
T@-1221637: <sslconnect
T@-1221637: error: Failed to accept new SSL connection
[7 Feb 2008 7:23] Magnus Blåudd
BUG#33050 seems to fix this.
[7 Feb 2008 8:09] Magnus Blåudd
Setting this bug back to the state it was before being reopened, please see bug#33050 that is tracking the new issue.