Bug #64461 assorted regression tests fail when built with openssl 1.0.1
Submitted: 27 Feb 2012 5:20
Modified: 21 Aug 2014 6:07
Reporter: [ name withheld ]
Status: Closed
Category: MySQL Server: Tests
Severity: S3 (Non-critical)
Version: 5.5.21, 5.5.23
OS: Any
Assigned to:
CPU Architecture: Any
Triage: Needs Triage: D1 (Critical)

[27 Feb 2012 5:20] [ name withheld ]
When mysql is built with openssl 1.0.1, some of the regression tests fail.  This is a consequence of the default cipher selection having changed from DHE-RSA-AES256-SHA to DHE-RSA-AES256-SHA256.  The specific tests that assume they know the name of the default cipher are main.openssl_1, main.ssl, main.ssl_8k_key and main.ssl_compress.

How to repeat:
1. Build against openssl 1.0.1
2. Run regression tests (with --ssl switch).

Suggested fix:
Could be kind of a PITA to fix this in a way that works for yassl, older openssl, and new openssl.  I'm told there's no very easy way to force openssl to pick a specific cipher.  For a near-term fix in Fedora, I'm just going to patch out the specific tests that expect a given cipher name, but that doesn't seem like a satisfactory permanent solution.
[27 Feb 2012 21:04] Sveta Smirnova
Thank you for the report.

Verified as described.

Example of backtrace for last test:

Thread 1 (Thread 0x7f357a10d720 (LWP 29389)):
#0  0x0000003a4d00c6bc in pthread_kill () from /lib64/libpthread.so.0
#1  0x00000000008cf3ab in my_write_core (sig=11) at /home/sveta/src/mysql-5.5/mysys/stacktrace.c:433
#2  0x000000000075a8eb in handle_fatal_signal (sig=11) at /home/sveta/src/mysql-5.5/sql/signal_handler.cc:246
#3  <signal handler called>
#4  0x00000031d75259d6 in __strcmp_sse42 () from /lib64/libc.so.6
#5  0x000000320bab451a in ?? () from /usr/lib64/libcrypto.so.10
#6  0x000000320bab4866 in lh_insert () from /usr/lib64/libcrypto.so.10
#7  0x000000320ba6071b in OBJ_NAME_add () from /usr/lib64/libcrypto.so.10
#8  0x00007f357a539af5 in SSL_library_init () from /usr/local/ssl/lib/libssl.so.1.0.0
#9  0x0000000000b6b251 in check_ssl_init () at /home/sveta/src/mysql-5.5/vio/viosslfactories.c:151
#10 0x0000000000b6b348 in new_VioSSLFd (key_file=0x155d9da "/home/sveta/src/mysql-5.5/mysql-test/std_data/server-key.pem", cert_file=0x155d98b "/home/sveta/src/mysql-5.5/mysql-test/std_data/server-cert.pem", ca_file=0x155d941 "/home/sveta/src/mysql-5.5/mysql-test/std_data/cacert.pem", ca_path=0x0, cipher=0x0, method=0x7f357a74bbe0, error=0x7fff19b6e3dc) at /home/sveta/src/mysql-5.5/vio/viosslfactories.c:182
#11 0x0000000000b6b770 in new_VioSSLAcceptorFd (key_file=0x155d9da "/home/sveta/src/mysql-5.5/mysql-test/std_data/server-key.pem", cert_file=0x155d98b "/home/sveta/src/mysql-5.5/mysql-test/std_data/server-cert.pem", ca_file=0x155d941 "/home/sveta/src/mysql-5.5/mysql-test/std_data/cacert.pem", ca_path=0x0, cipher=0x0, error=0x7fff19b6e3dc) at /home/sveta/src/mysql-5.5/vio/viosslfactories.c:286
#12 0x000000000055babc in init_ssl () at /home/sveta/src/mysql-5.5/sql/mysqld.cc:3596
#13 0x000000000055cf8d in mysqld_main (argc=50, argv=0x155da50) at /home/sveta/src/mysql-5.5/sql/mysqld.cc:4395
#14 0x00000000005558e4 in main (argc=8, argv=0x7fff19b6e568) at /home/sveta/src/mysql-5.5/sql/main.cc:25
[9 Mar 2012 13:55] Honza Horak
As described above, we cannot rely on the cipher name used in the tests unless we specify the cipher explicitly. There are generally two situations where a cipher should be specified:

1) when executing a command using the mysql utility in a test (see e.g. ssl_8k_key.test) - then we can use the --ssl-cipher argument and specify the cipher that is expected by ssl_8k_key.result

2) when creating a new connection using the 'connect' command in a test, which is sometimes used together with grants requiring a specific cipher - see e.g. openssl_1.test. This is more tricky, because the connect command accepts only the general option SSL, but doesn't currently allow specifying a cipher. This means that if we try to connect as a user that is required to connect only using DHE-RSA-AES256-SHA, the test won't pass, because without specifying the cipher, the default value DHE-RSA-AES256-SHA256 will be used and it'll lead to the connection being refused.

I'll attach a patch that extends the 'connect' command to accept a "CIPHER:DHE-RSA-AES256-SHA" option, same as SSL/COMPRESS or other options. Using this we can enhance the tests to use the correct cipher explicitly, which is also used in the patch, so all ssl-related tests pass regardless of the default cipher value.

Please consider using something like this patch, thanks.
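
An added example (not part of the attached patch or of the MySQL test suite): a small audit that flags tests whose recorded result names a cipher while the test itself never pins one with --ssl-cipher, which is the dependency on the library default described in this report. The function name `audit`, the `SAMPLE` data and the verdict strings are hypothetical, and the test/result snippets are constructed, not copied from the real files.

```python
import re

# Row that SHOW STATUS LIKE 'Ssl_cipher' leaves in a recorded .result file.
EXPECTED = re.compile(r"^Ssl_cipher\s+(\S+)\s*$", re.MULTILINE)
# Explicit cipher selection on a client command line inside a .test file.
PINNED = re.compile(r"--ssl-cipher[=\s]+([A-Za-z0-9_:+!@-]+)")


def audit(tests):
    """Map {name: (test_text, result_text)} to a sorted list of (name, verdict)."""
    findings = []
    for name in sorted(tests):
        test_text, result_text = tests[name]
        expected = set(EXPECTED.findall(result_text))
        if not expected:
            continue  # nothing in the result depends on the cipher name
        pins = PINNED.findall(test_text)
        if not pins:  # cipher name expected, but the library default decides
            findings.append((name, "default-dependent"))
        elif any(":" in p for p in pins):  # colon-separated list: still a choice
            findings.append((name, "ambiguous-pin"))
        elif not expected <= set(pins):  # pinned cipher is not the expected one
            findings.append((name, "mismatch"))
    return findings


# Constructed sample inputs, named after tests listed in the report.
SAMPLE = {
    "main.ssl_8k_key": (
        "--exec $MYSQL --ssl-cipher=DHE-RSA-AES256-SHA "
        "-e \"SHOW STATUS LIKE 'Ssl_cipher'\"\n",
        "Variable_name\tValue\nSsl_cipher\tDHE-RSA-AES256-SHA\n",
    ),
    "main.ssl": (
        "connect (ssl_con,localhost,root,,,,,SSL);\n"
        "SHOW STATUS LIKE 'Ssl_cipher';\n",
        "Variable_name\tValue\nSsl_cipher\tDHE-RSA-AES256-SHA\n",
    ),
    "main.ssl_compress": (
        "--exec $MYSQL --ssl-cipher=AES128-SHA "
        "-e \"SHOW STATUS LIKE 'Ssl_cipher'\"\n",
        "Variable_name\tValue\nSsl_cipher\tDHE-RSA-AES256-SHA\n",
    ),
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE):
        print(name, verdict)
```
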
[9 Mar 2012 13:57] Honza Horak
proposed patch - specify the cipher explicitly

Attachment: mysql-cipherspec.patch (text/x-patch), 4.82 KiB.

[9 Mar 2012 14:12] Honza Horak
proposed patch - specify the cipher explicitly (openssl_1.test fixed)

Attachment: mysql-cipherspec.patch (text/x-patch), 5.33 KiB.

[27 Mar 2012 6:26] Valeriy Kravchuk
Bug #64773 was marked as a duplicate of this one.
[21 Aug 2014 6:07] Murthy Sidagam
The tests were failing with openssl-1.0.1. These are passing with the latest
openssl-1.0.1h version build.
Hence, I feel there is no need to make any changes to the test cases, and I am closing the bug.