Bug #44957 SSL certificate for openssl is inconsistent with test case
Submitted: 19 May 2009 18:11
Reporter: Joerg Bruehe
Status: Won't fix
Category: Tests: Server
Severity: S3 (Non-critical)
Version: 5.0.74sp1
OS: Any
Assigned to:
CPU Architecture: Any
Tags: SSL certificate

[19 May 2009 18:11] Joerg Bruehe
This bug entry is just for reference (documentation) purposes,
no action will be taken (and none is needed).

In several test runs of 5.0.74sp1, the test "openssl_1" fails like this:

openssl_1                      [ fail ]

mysqltest: At line NNN: query 'connect  con3,localhost,ssl_user3,,,,,SSL' failed: 1045: Access denied for user 'ssl_user3'@'localhost' (using password: NO)

The result from queries just before the failure was:
drop table if exists t1;
create table t1(f1 int);
insert into t1 values (5);
grant select on test.* to ssl_user1@localhost require SSL;
grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA";
grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com";
grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
flush privileges;

More results from queries before failure can be found in /PATH/mysql-test/var/log/openssl_1.log

Stopping All Servers

This is caused by the condition "L=Uppsala" in the "grant" for user3,
which was valid with the test certificates we used previously.

When these expired (see bug#42366), the new ones did not have this part, and the tests were changed - so everything passed.
(See versions 5.0.78 and up.)

Now the 5.0.74sp1 build is based on 5.0.74 which used the old tests, just the new certificates were incorporated into the sources as a backport.
This causes the failure quoted above.

How to repeat:
Do a build and run the tests, using the sources of 5.0.74sp1.

Suggested fix:
To avoid re-creating the sources, I modified the test case and dropped the "L=Uppsala" part: Now the test matches the (new) certificate, and passes.

Note that we do not yet know whether we will merge this fix back into the source tree.

This sounds more critical than it really is, because the current sources are consistent, the problem is only with 5.0.74sp1 which is based on the old test.
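
An added example, not part of the original report or of the MySQL test suite: a Python check that compares each REQUIRE SUBJECT value from the grants quoted above with a certificate subject and names the component that differs. The certificate subject string is constructed for illustration, since the report only says that the new certificates lack the "L=Uppsala" part.

```python
import re

# Constructed sample: subject of the replacement certificate in OpenSSL
# "oneline" form. The report only states that L=Uppsala is gone; the rest
# of this string is an assumption.
NEW_CERT_SUBJECT = ("/C=SE/ST=Uppsala/O=MySQL AB"
                    "/emailAddress=abstract.mysql.developer@mysql.com")

# Three of the GRANT statements from the failing test output in the report.
GRANTS = '''
grant select on test.* to ssl_user1@localhost require SSL;
grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com";
grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
'''

# Captures the user name and the quoted SUBJECT value of one grant.
GRANT_RE = re.compile(
    r'to\s+(\S+?)@\S+\s+require\b.*?\bSUBJECT\s+"([^"]*)"', re.I)


def rdns(name):
    """Split '/C=SE/ST=Uppsala' into ['C=SE', 'ST=Uppsala'] (no '/' in values)."""
    return [part for part in name.split("/") if part]


def check_grants(grants_sql, cert_subject):
    """Return {user: (matches, only_in_grant, only_in_cert)} per SUBJECT grant."""
    have = rdns(cert_subject)
    report = {}
    for line in grants_sql.splitlines():
        m = GRANT_RE.search(line)
        if not m:
            continue  # grant carries no SUBJECT requirement
        user, wanted = m.group(1), m.group(2)
        want = rdns(wanted)
        report[user] = (
            wanted == cert_subject,  # whole-string match; one extra part fails it
            [r for r in want if r not in have],
            [r for r in have if r not in want],
        )
    return report


if __name__ == "__main__":
    for user, (ok, extra, missing) in check_grants(GRANTS, NEW_CERT_SUBJECT).items():
        print(user, "OK" if ok else "MISMATCH", "grant-only:", extra, "cert-only:", missing)
```

Running a check like this when test certificates are replaced shows which grants have drifted from the certificate before the test suite reports only "Access denied".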