Bug #73281 openssl_1 tries to test a removed cipher on CentOS 7
Submitted: 13 Jul 2014 12:42
Modified: 15 Jul 2014 12:27
Reporter: Laurynas Biveinis (OCA)
Status: Verified
Category: Tests: Server
Severity: S3 (Non-critical)
Version: 5.5, 5.5.38
OS: Linux (CentOS 7)
Assigned to:
CPU Architecture: Any
Tags: mtr, openssl, SSL

[13 Jul 2014 12:42] Laurynas Biveinis
Description:
Server built with -DWITH_SSL=system on CentOS 7 fails to use EDH-RSA-DES-CBC-SHA cipher, which has been removed there.

How to repeat:
Workaround bug 73280 and run openssl_1:

$ OPENSSL_ENABLE_MD5_VERIFY=yes ./mysql-test-run openssl_1

main.openssl_1                           [ fail ]
        Test ended at 2014-07-13 15:32:17

CURRENT_TEST: main.openssl_1
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
mysqltest: At line 217: command "$MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=EDH-RSA-DES-CBC-SHA" failed

Output from before failure:
exec of '/home/laurynas/percona/lp-mysql-server/5.5/obj-debug/client//mysql --defaults-file=/home/laurynas/percona/lp-mysql-server/5.5/obj-debug/mysql-test/var/my.cnf --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=EDH-RSA-DES-CBC-SHA' failed, error: 256, status: 1, errno: 0

Inspect openssl ciphers -v output to see that EDH-RSA-DES-CBC-SHA is not present.

Suggested fix:
All DES ciphers have been removed from OpenSSL in CentOS 7 as weak, google openssl-1.0.1e-weak-ciphers.patch. If they are weak, then simply remove them from the testcase?

[15 Jul 2014 10:56] Umesh Shastry
Hello Laurynas,

Thank you for the report.
I'm not seeing this issue, is there anything else I'm missing?

[ushastry@localhost mysql-test]$ OPENSSL_ENABLE_MD5_VERIFY=yes ./mysql-test-run openssl_1
..
..
MySQL Version 5.6.19
Checking supported features...
 - SSL connections supported
Collecting tests...
Checking leftover processes...
Removing old var directory...
Creating var directory '/home/ushastry/Downloads/mysql-5.6.19/mysql-test/var'...
Installing system database...

==============================================================================

TEST                                      RESULT   TIME (ms) or COMMENT
--------------------------------------------------------------------------

worker[1] Using MTR_BUILD_THREAD 300, with reserved ports 13000..13009
main.openssl_1                           [ pass ]   1101
--------------------------------------------------------------------------
The servers were restarted 0 times
Spent 1.101 of 7 seconds executing testcases

Completed: All 1 tests were successful.

[ushastry@localhost mysql-test]$ OPENSSL_ENABLE_MD5_VERIFY=yes ./mysql-test-run ssl
Logging: ./mysql-test-run  ssl
..
..
MySQL Version 5.6.19
Checking supported features...
 - SSL connections supported
Collecting tests...
Checking leftover processes...
Removing old var directory...
Creating var directory '/home/ushastry/Downloads/mysql-5.6.19/mysql-test/var'...
Installing system database...

==============================================================================

TEST                                      RESULT   TIME (ms) or COMMENT
--------------------------------------------------------------------------

worker[1] Using MTR_BUILD_THREAD 300, with reserved ports 13000..13009
main.ssl                                 [ pass ]   6339
--------------------------------------------------------------------------
The servers were restarted 0 times
Spent 6.339 of 11 seconds executing testcases

Completed: All 1 tests were successful.

Thanks,
Umesh

[15 Jul 2014 11:03] Laurynas Biveinis
Umesh -

Please try with 5.5.

5.6 has replaced that cipher with AES256-SHA in the testcase, commit rev 5747. It references Bug #18047796 MTR TEST MAIN.OPENSSL_1 FAILS ON FEDORA 19 WITH OPENSSL 1.0.1E, which appears to be the exact same issue. Thus this bug is a backport request for 5.5.

[15 Jul 2014 12:27] Umesh Shastry
Thank you for the feedback, I'm able to repeat with 5.5.38.

[ushastry@localhost mysql-test]$ OPENSSL_ENABLE_MD5_VERIFY=yes ./mysql-test-run openssl_1
defined(@array) is deprecated at lib/mtr_cases.pm line 339.
	(Maybe you should just omit the defined()?)
defined(@array) is deprecated at ./mysql-test-run line 491.
	(Maybe you should just omit the defined()?)
Logging: ./mysql-test-run  openssl_1
MySQL Version 5.5.38
Checking supported features...
 - SSL connections supported
Collecting tests...
Removing old var directory...
Creating var directory '/home/ushastry/Downloads/mysql-5.5.38/mysql-test/var'...
Installing system database...

==============================================================================

TEST                                      RESULT   TIME (ms) or COMMENT
--------------------------------------------------------------------------

worker[1] Using MTR_BUILD_THREAD 300, with reserved ports 13000..13009
main.openssl_1                           [ fail ]
        Test ended at 2014-07-15 07:50:34

CURRENT_TEST: main.openssl_1
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
mysqltest: At line 217: command "$MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=EDH-RSA-DES-CBC-SHA" failed

Output from before failure:
exec of '/home/ushastry/Downloads/mysql-5.5.38/client//mysql --defaults-file=/home/ushastry/Downloads/mysql-5.5.38/mysql-test/var/my.cnf --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=EDH-RSA-DES-CBC-SHA' failed, error: 256, status: 1, errno: 0

The result from queries just before the failure was:
< snip >
INSERT INTO `t1` VALUES (1),(2);
/*!40000 ALTER TABLE `t1` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

SSL error: Unable to get private key from 'MYSQL_TEST_DIR/std_data/client-cert.pem'
mysqldump: Got error: 2026: SSL connection error: Unable to get private key when trying to connect
DROP TABLE t1;
Variable_name	Value
Ssl_cipher	DHE-RSA-AES256-SHA
Variable_name	Value
Ssl_cipher	EDH-RSA-DES-CBC3-SHA

More results from queries before failure can be found in /home/ushastry/Downloads/mysql-5.5.38/mysql-test/var/log/openssl_1.log

 - saving '/home/ushastry/Downloads/mysql-5.5.38/mysql-test/var/log/main.openssl_1/' to '/home/ushastry/Downloads/mysql-5.5.38/mysql-test/var/log/main.openssl_1/'
--------------------------------------------------------------------------
The servers were restarted 0 times
Spent 0.000 of 7 seconds executing testcases

Completed: Failed 1/1 tests, 0.00% were successful.

Failing test(s): main.openssl_1

The log files in var/log may give you some hint of what went wrong.

If you want to report this error, please read first the documentation
at http://dev.mysql.com/doc/mysql/en/mysql-test-suite.html

mysql-test-run: *** ERROR: there were failing test cases

########################
Not repeatable with ssl..

[ushastry@localhost mysql-test]$ OPENSSL_ENABLE_MD5_VERIFY=yes ./mysql-test-run ssl
..
==============================================================================

TEST                                      RESULT   TIME (ms) or COMMENT
--------------------------------------------------------------------------

worker[1] Using MTR_BUILD_THREAD 300, with reserved ports 13000..13009
main.ssl                                 [ pass ]  27975
--------------------------------------------------------------------------
The servers were restarted 0 times
Spent 27.975 of 35 seconds executing testcases

Completed: All 1 tests were successful.

Thanks,
Umesh
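
The check suggested in the report (compare the ciphers the test requests with --ssl-cipher= against the openssl ciphers -v listing), as an added shell example that is not part of the original thread or of the MySQL test suite. The cipher listing and the test-file lines are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): list ciphers a test requests via
# --ssl-cipher= that the OpenSSL build does not offer.

# Constructed, abbreviated sample of `openssl ciphers -v` output.
sample_cipher_list() {
cat <<'EOF'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EOF
}

# Constructed test-file lines modelled on the failing command in the report.
sample_test_file() {
cat <<'EOF'
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=DHE-RSA-AES256-SHA
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=EDH-RSA-DES-CBC3-SHA
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=EDH-RSA-DES-CBC-SHA
EOF
}

# stdin: test-file text. stdout: distinct cipher names, one per line
# (a colon-separated cipher list is split into its members).
requested_ciphers() {
    sed -n 's/.*--ssl-cipher=\([^[:space:]]*\).*/\1/p' | tr ':' '\n' | sort -u
}

# usage: missing_ciphers LISTING_COMMAND...
# stdin: cipher names. stdout: names absent from column 1 of the listing.
# The match is on the whole name: AES256-SHA must not be satisfied by
# DHE-RSA-AES256-SHA.
missing_ciphers() {
    listing=$("$@" | awk '{print $1}')
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        printf '%s\n' "$listing" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# On a real host, pass the real listing: missing_ciphers openssl ciphers -v
missing=$(sample_test_file | requested_ciphers | missing_ciphers sample_cipher_list)
[ -z "$missing" ] || printf 'not offered by this OpenSSL build: %s\n' "$missing"
```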