commit 2bf7aef0158436e48bc9f66830fc0b8ca8a8463f Author: Laurynas Biveinis Date: Tue Sep 20 13:11:33 2016 +0300 Fix bug 82935 / 1622034 (Cipher ECDHE-RSA-AES128-GCM-SHA256 listed in man/Ssl_cipher_list, not supported) Invoke OpenSSL eliptic curve setup functions so that EC-DHE ciphers are supported. Do this conditionally if the SSL library supports EC. Re-record testcases which now negotiate EC ciphers by default. diff --git a/mysql-test/r/ssl_crl.result b/mysql-test/r/ssl_crl.result index 5a34bb78546..fff6b0a5d66 100644 --- a/mysql-test/r/ssl_crl.result +++ b/mysql-test/r/ssl_crl.result @@ -28,8 +28,8 @@ ssl_key MYSQL_TEST_DIR/std_data/crl-server-key.pem # try to connect with '--ssl-crl' option using tilde home directoy # path substitution : should connect Variable_name Value -Ssl_cipher DHE-RSA-AES128-GCM-SHA256 +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 # try to connect with '--ssl-crlpath' option using tilde home directoy # path substitution : should connect Variable_name Value -Ssl_cipher DHE-RSA-AES128-GCM-SHA256 +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 diff --git a/mysql-test/r/ssl_ecdh.result b/mysql-test/r/ssl_ecdh.result new file mode 100644 index 00000000000..1d1e8c4e58a --- /dev/null +++ b/mysql-test/r/ssl_ecdh.result @@ -0,0 +1,18 @@ +# +# Bug 82935: Cipher ECDHE-RSA-AES128-GCM-SHA256 listed in man/Ssl_cipher_list, not supported +# +SET @orig_sql_mode= @@sql_mode; +SET sql_mode= (SELECT REPLACE(@@sql_mode,'NO_AUTO_CREATE_USER','')); +Warnings: +Warning 3090 Changing sql mode 'NO_AUTO_CREATE_USER' is deprecated. It will be removed in a future release. +GRANT SELECT ON test.* TO ecdh@localhost REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256"; +Warnings: +Warning 1287 Using GRANT for creating new user is deprecated and will be removed in future release. Create new user with CREATE USER statement. +FLUSH PRIVILEGES; +SHOW STATUS LIKE 'Ssl_cipher'; +Variable_name Value +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 +DROP USER ecdh@localhost; +SET sql_mode= @orig_sql_mode; +Warnings: +Warning 3090 Changing sql mode 'NO_AUTO_CREATE_USER' is deprecated. It will be removed in a future release. diff --git a/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test b/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test index e3b4bb817f8..d52e2e5b94f 100644 --- a/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test +++ b/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test @@ -7,7 +7,7 @@ connection default; CREATE USER u_20693153@localhost IDENTIFIED BY 'abcd'; ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --protocol=TCP -uu_20693153 -pabcd --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem -e "SHOW STATUS LIKE 'Ssl_cipher';" DROP USER u_20693153@localhost; diff --git a/mysql-test/suite/auth_sec/t/openssl_cert_generation.test b/mysql-test/suite/auth_sec/t/openssl_cert_generation.test index c1e31d6c580..f5d4ec332eb 100644 --- a/mysql-test/suite/auth_sec/t/openssl_cert_generation.test +++ b/mysql-test/suite/auth_sec/t/openssl_cert_generation.test @@ -182,7 +182,7 @@ let SEARCH_PATTERN= Auto generated SSL certificates are placed in data directory --file_exists $MYSQLTEST_VARDIR/mysqld.1/data/public_key.pem --echo # Ensure that server is ssl enabled ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" #----------------------------------------------------------------------------- @@ -284,7 +284,7 @@ grant usage on *.* to wl7699_sha256 identified by 'abcd'; # Using SSL certificates --echo # Should be able to connect to server using generated SSL certificates. ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL -uwl7699_sha256 -pabcd --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" # Using RSA key pair --echo # Should be able to connect to server using RSA key pair. @@ -350,7 +350,7 @@ show variables like 'sha256%'; --echo # 6.3 : SSL connection --echo # Should be able to connect to server using generated SSL certificates. ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" @@ -361,7 +361,7 @@ grant usage on *.* to wl7699_sha256 identified by 'abcd'; # Using SSL certificates --echo # Should be able to connect to server using generated SSL certificates. ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL -uwl7699_sha256 -pabcd --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" # Using RSA key pair --echo # Should be able to connect to server using RSA key pair. diff --git a/mysql-test/suite/auth_sec/t/ssl_auto_detect.test b/mysql-test/suite/auth_sec/t/ssl_auto_detect.test index e996930f5e7..9f5f21ac02e 100644 --- a/mysql-test/suite/auth_sec/t/ssl_auto_detect.test +++ b/mysql-test/suite/auth_sec/t/ssl_auto_detect.test @@ -53,7 +53,7 @@ let SEARCH_PATTERN= CA certificate .* is self signed.; --echo # Try to establish SSL connection : This must succeed. connect (ssl_root_1,localhost,root,,,,,SSL); ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; SHOW VARIABLES LIKE 'have_ssl'; @@ -67,7 +67,7 @@ connection default; disconnect ssl_root_1; --echo # Connect using mysql client : This must succeed. ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher';" @@ -139,7 +139,7 @@ let SEARCH_PATTERN= CA certificate .* is self signed.; --source include/search_pattern_in_file.inc --echo # Try creating SSL connection ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher';" diff --git a/mysql-test/suite/auth_sec/t/tls.test b/mysql-test/suite/auth_sec/t/tls.test index f591650c319..1023086c144 100644 --- a/mysql-test/suite/auth_sec/t/tls.test +++ b/mysql-test/suite/auth_sec/t/tls.test @@ -36,7 +36,7 @@ let $cipher_default= DHE-RSA-AES256-SHA; let $tls_default= TLSv1.1; let $openssl= query_get_value("SHOW STATUS LIKE 'Rsa_public_key'", Variable_name, 1); if ($openssl == 'Rsa_public_key'){ - let $cipher_default= DHE-RSA-AES128-GCM-SHA256; + let $cipher_default= ECDHE-RSA-AES128-GCM-SHA256; let $tls_default= TLSv1.2; } --echo #T1: Default TLS connection diff --git a/mysql-test/t/mysql_ssl_default.test b/mysql-test/t/mysql_ssl_default.test index ec6dcd64165..628347ee0ed 100644 --- a/mysql-test/t/mysql_ssl_default.test +++ b/mysql-test/t/mysql_ssl_default.test @@ -11,15 +11,15 @@ --echo # verify that mysql default connect with ssl channel when using TCP/IP --echo # connection ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --echo # verify that mysql --ssl=0 connect with unencrypted channel ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --ssl-mode=DISABLED --echo # verify that mysql --ssl=1 connect with ssl channel ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --ssl-mode=REQUIRED CREATE USER u1@localhost IDENTIFIED BY 'secret' REQUIRE SSL; diff --git a/mysql-test/t/openssl_1.test b/mysql-test/t/openssl_1.test index 3d1cc31af29..877430d3d94 100644 --- a/mysql-test/t/openssl_1.test +++ b/mysql-test/t/openssl_1.test @@ -19,17 +19,17 @@ insert into t1 values (5); let $cipher_val= "DHE-RSA-AES256-SHA"; let $shavars= query_get_value("SHOW STATUS LIKE 'Rsa_public_key'", Variable_name, 1); if ($shavars == 'Rsa_public_key'){ - let $cipher_val= "DHE-RSA-AES128-GCM-SHA256"; + let $cipher_val= "ECDHE-RSA-AES128-GCM-SHA256"; } grant select on test.* to ssl_user1@localhost require SSL; ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -- eval grant select on test.* to ssl_user2@localhost require cipher $cipher_val ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -- eval grant select on test.* to ssl_user3@localhost require cipher $cipher_val AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client" ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -- eval grant select on test.* to ssl_user4@localhost require cipher $cipher_val AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client" ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA" ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -- eval grant select on test.* to ssl_user5@localhost require cipher $cipher_val AND SUBJECT "xxx" flush privileges; @@ -43,7 +43,7 @@ connect (con5,localhost,ssl_user5,,,,,SSL); connection con1; # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR @@ -51,7 +51,7 @@ delete from t1; connection con2; # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR @@ -59,7 +59,7 @@ delete from t1; connection con3; # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR @@ -67,7 +67,7 @@ delete from t1; connection con4; # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR @@ -142,7 +142,7 @@ drop table t1; # verification of servers certificate by setting both ca certificate # and ca path to NULL # ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --ssl-mode=REQUIRED --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1 --echo End of 5.0 tests @@ -269,7 +269,7 @@ select 'is still running; no cipher request crashed the server' as result from d GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509; FLUSH PRIVILEGES; connect(con1,localhost,bug42158,,,,,SSL); ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; disconnect con1; connection default; diff --git a/mysql-test/t/plugin_auth_sha256_tls.test b/mysql-test/t/plugin_auth_sha256_tls.test index afbb0c5e6eb..58fb38dcd7c 100644 --- a/mysql-test/t/plugin_auth_sha256_tls.test +++ b/mysql-test/t/plugin_auth_sha256_tls.test @@ -1,7 +1,7 @@ --source include/have_ssl.inc connect (ssl_con,localhost,root,,,,,SSL); ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; CREATE USER 'kristofer' IDENTIFIED WITH 'sha256_password'; diff --git a/mysql-test/t/ssl.test b/mysql-test/t/ssl.test index 4e308bbd0d8..1af92c03191 100644 --- a/mysql-test/t/ssl.test +++ b/mysql-test/t/ssl.test @@ -11,7 +11,7 @@ connect (ssl_con,localhost,root,,,,,SSL); # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; # Check ssl expiration @@ -22,7 +22,7 @@ SHOW STATUS LIKE 'Ssl_server_not_after'; -- source include/common-tests.inc # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; connection default; diff --git a/mysql-test/t/ssl_8k_key.test b/mysql-test/t/ssl_8k_key.test index 4cf899a31b4..a68849fa227 100644 --- a/mysql-test/t/ssl_8k_key.test +++ b/mysql-test/t/ssl_8k_key.test @@ -4,7 +4,7 @@ # # Bug#29784 YaSSL assertion failure when reading 8k key. # ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --ssl-mode=REQUIRED --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1 ## This test file is for testing encrypted communication only, not other diff --git a/mysql-test/t/ssl_ca.test b/mysql-test/t/ssl_ca.test index d68cb2b6e73..946da5ace69 100644 --- a/mysql-test/t/ssl_ca.test +++ b/mysql-test/t/ssl_ca.test @@ -9,7 +9,7 @@ --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/wrong-crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1 --echo # try to connect with correct '--ssl-ca' path : should connect ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" --echo # @@ -21,15 +21,15 @@ --echo # try to connect with '--ssl-ca' option using tilde home directoy --echo # path substitution : should connect ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --ssl-ca=$mysql_test_dir_path/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" --echo # try to connect with '--ssl-key' option using tilde home directoy --echo # path substitution : should connect ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$mysql_test_dir_path/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" --echo # try to connect with '--ssl-cert' option using tilde home directoy --echo # path substitution : should connect ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$mysql_test_dir_path/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" diff --git a/mysql-test/t/ssl_compress.test b/mysql-test/t/ssl_compress.test index 4d4a1a12b05..2b93115aa06 100644 --- a/mysql-test/t/ssl_compress.test +++ b/mysql-test/t/ssl_compress.test @@ -11,7 +11,7 @@ connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS); # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; # Check compression turned on @@ -21,7 +21,7 @@ SHOW STATUS LIKE 'Compression'; -- source include/common-tests.inc # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; # Check compression turned on diff --git a/mysql-test/t/ssl_ecdh-client.opt b/mysql-test/t/ssl_ecdh-client.opt new file mode 100644 index 00000000000..88ed9f04cf4 --- /dev/null +++ b/mysql-test/t/ssl_ecdh-client.opt @@ -0,0 +1,4 @@ +--ssl-mode=VERIFY_CA +--ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem +--ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem +--ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem diff --git a/mysql-test/t/ssl_ecdh.test b/mysql-test/t/ssl_ecdh.test new file mode 100644 index 00000000000..4d9bc262727 --- /dev/null +++ b/mysql-test/t/ssl_ecdh.test @@ -0,0 +1,25 @@ +--source include/have_ssl.inc +--source include/have_openssl.inc + +--source include/count_sessions.inc + +--echo # +--echo # Bug 82935: Cipher ECDHE-RSA-AES128-GCM-SHA256 listed in man/Ssl_cipher_list, not supported +--echo # + +SET @orig_sql_mode= @@sql_mode; +SET sql_mode= (SELECT REPLACE(@@sql_mode,'NO_AUTO_CREATE_USER','')); + +GRANT SELECT ON test.* TO ecdh@localhost REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256"; +FLUSH PRIVILEGES; + +connect (con1,localhost,ecdh,,,,,SSL); +SHOW STATUS LIKE 'Ssl_cipher'; +disconnect con1; +connection default; + +DROP USER ecdh@localhost; + +SET sql_mode= @orig_sql_mode; + +--source include/wait_until_count_sessions.inc diff --git a/vio/viosslfactories.cc b/vio/viosslfactories.cc index f639bd976f9..d6c1c2d58f7 100644 --- a/vio/viosslfactories.cc +++ b/vio/viosslfactories.cc @@ -654,6 +654,45 @@ new_VioSSLFd(const char *key_file, const char *cert_file, } DH_free(dh); +#ifndef HAVE_YASSL +#if OPENSSL_VERSION_NUMBER < 0x10002000L + const auto ecdh= EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + if (!ecdh) + { + *error= SSL_INITERR_DHFAIL; + DBUG_PRINT("error", ("%s", sslGetErrString(*error))); + report_errors(); + SSL_CTX_free(ssl_fd->ssl_context); + my_free(ssl_fd); + DBUG_RETURN(nullptr); + } + + if (SSL_CTX_set_tmp_ecdh(ssl_fd->ssl_context, ecdh) != 1) + { + *error= SSL_INITERR_DHFAIL; + DBUG_PRINT("error", ("%s", sslGetErrString(*error))); + report_errors(); + EC_KEY_free(ecdh); + SSL_CTX_free(ssl_fd->ssl_context); + my_free(ssl_fd); + DBUG_RETURN(nullptr); + } + EC_KEY_free(ecdh); + +#else /* OPENSSL_VERSION_NUMBER < 0x10002000L */ + + if (SSL_CTX_set_ecdh_auto(ssl_fd->ssl_context, 1) != 1) + { + *error= SSL_INITERR_DHFAIL; + DBUG_PRINT("error", ("%s", sslGetErrString(*error))); + report_errors(); + SSL_CTX_free(ssl_fd->ssl_context); + my_free(ssl_fd); + DBUG_RETURN(nullptr); + } +#endif /* OPENSSL_VERSION_NUMBER < 0x10002000L */ +#endif /* !HAVE_YASSL */ + DBUG_PRINT("exit", ("OK 1")); DBUG_RETURN(ssl_fd);