commit 36a33f0436a586bb106ac7a4a96aa4b1169bcad8 Author: Laurynas Biveinis Date: Tue Sep 20 13:11:33 2016 +0300 Fix bug 82935 / PS-1737 (Cipher ECDHE-RSA-AES128-GCM-SHA256 listed in man/Ssl_cipher_list, not supported) Invoke OpenSSL eliptic curve setup functions so that EC-DHE ciphers are supported. Do this conditionally if the SSL library supports EC. Re-record testcases which now negotiate EC ciphers by default. diff --git a/mysql-test/r/mysql_ssl_default.result b/mysql-test/r/mysql_ssl_default.result index f627fb94a1e..2e9ed55e41b 100644 --- a/mysql-test/r/mysql_ssl_default.result +++ b/mysql-test/r/mysql_ssl_default.result @@ -4,13 +4,13 @@ # verify that mysql default connect with ssl channel when using TCP/IP # connection Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 # verify that mysql --ssl=0 connect with unencrypted channel Variable_name Value Ssl_cipher # verify that mysql --ssl=1 connect with ssl channel Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 CREATE USER u1@localhost IDENTIFIED BY 'secret' REQUIRE SSL; # verify that mysqladmin default connect with ssl channel mysqladmin: [Warning] Using a password on the command line interface can be insecure. diff --git a/mysql-test/r/openssl_1.result b/mysql-test/r/openssl_1.result index a08effdf34e..20af765811e 100644 --- a/mysql-test/r/openssl_1.result +++ b/mysql-test/r/openssl_1.result 
@@ -8,16 +8,16 @@ ssl_user5@localhost; grant select on test.* to ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost; -alter user ssl_user2@localhost require cipher "SSL_CIPHER"; -alter user ssl_user3@localhost require cipher "SSL_CIPHER" AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"; -alter user ssl_user4@localhost require cipher "SSL_CIPHER" AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client" ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"; -alter user ssl_user5@localhost require cipher "SSL_CIPHER" AND SUBJECT "xxx"; +alter user ssl_user2@localhost require cipher "ECDHE-RSA-AES128-GCM-SHA256"; +alter user ssl_user3@localhost require cipher "ECDHE-RSA-AES128-GCM-SHA256" AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"; +alter user ssl_user4@localhost require cipher "ECDHE-RSA-AES128-GCM-SHA256" AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client" ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"; +alter user ssl_user5@localhost require cipher "ECDHE-RSA-AES128-GCM-SHA256" AND SUBJECT "xxx"; flush privileges; connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET); ERROR 28000: Access denied for user 'ssl_user5'@'localhost' (using password: NO) SHOW STATUS LIKE 'Ssl_cipher'; Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 select * from t1; f1 5 @@ -25,7 +25,7 @@ delete from t1; ERROR 42000: DELETE command denied to user 'ssl_user1'@'localhost' for table 't1' SHOW STATUS LIKE 'Ssl_cipher'; Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 select * from t1; f1 5 @@ -33,7 +33,7 @@ delete from t1; ERROR 42000: DELETE command denied to user 'ssl_user2'@'localhost' for table 't1' SHOW STATUS LIKE 'Ssl_cipher'; Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 select * from t1; f1 5 
@@ -41,7 +41,7 @@ delete from t1; ERROR 42000: DELETE command denied to user 'ssl_user3'@'localhost' for table 't1' SHOW STATUS LIKE 'Ssl_cipher'; Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 select * from t1; f1 5 @@ -64,7 +64,7 @@ Variable_name Value Ssl_cipher DHE-RSA-AES256-SHA WARNING: no verification of server certificate will be done. Use --ssl-mode=VERIFY_CA or VERIFY_IDENTITY. Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 End of 5.0 tests DROP TABLE IF EXISTS thread_status; DROP EVENT IF EXISTS event_status; @@ -220,7 +220,7 @@ GRANT SELECT ON test.* TO bug42158@localhost; FLUSH PRIVILEGES; SHOW STATUS LIKE 'Ssl_cipher'; Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 DROP USER bug42158@localhost; set sql_mode= @orig_sql_mode; End of 5.1 tests diff --git a/mysql-test/r/plugin_auth_sha256_tls.result b/mysql-test/r/plugin_auth_sha256_tls.result index 883b088625c..cccfdd6e74a 100644 --- a/mysql-test/r/plugin_auth_sha256_tls.result +++ b/mysql-test/r/plugin_auth_sha256_tls.result @@ -1,6 +1,6 @@ SHOW STATUS LIKE 'Ssl_cipher'; Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 CREATE USER 'kristofer' IDENTIFIED WITH 'sha256_password'; ALTER USER 'kristofer' IDENTIFIED BY 'secret'; DROP USER 'kristofer'; diff --git a/mysql-test/r/ssl.result b/mysql-test/r/ssl.result index 0952341c5d5..b3d82eb54ab 100644 --- a/mysql-test/r/ssl.result +++ b/mysql-test/r/ssl.result @@ -1,6 +1,6 @@ SHOW STATUS LIKE 'Ssl_cipher'; Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher DHE-RSA-AES256-SHA SHOW STATUS LIKE 'Ssl_server_not_before'; Variable_name Value Ssl_server_not_before Dec 5 04:48:40 2014 GMT 
@@ -2238,7 +2238,7 @@ Warning 1052 Column 'kundentyp' in group statement is ambiguous drop table t1; SHOW STATUS LIKE 'Ssl_cipher'; Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher DHE-RSA-AES256-SHA # # Bug#54790: Use of non-blocking mode for sockets limits performance # diff --git a/mysql-test/r/ssl_8k_key.result b/mysql-test/r/ssl_8k_key.result index b36d9c12c75..c948ab630b3 100644 --- a/mysql-test/r/ssl_8k_key.result +++ b/mysql-test/r/ssl_8k_key.result @@ -1,2 +1,2 @@ Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 diff --git a/mysql-test/r/ssl_ca.result b/mysql-test/r/ssl_ca.result index 818d05eec87..58abe2e78b4 100644 --- a/mysql-test/r/ssl_ca.result +++ b/mysql-test/r/ssl_ca.result @@ -5,7 +5,7 @@ ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed # try to connect with correct '--ssl-ca' path : should connect Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 # # Bug#21920678: SSL-CA DOES NOT ACCEPT ~USER TILDE HOME DIRECTORY # PATH SUBSTITUTION @@ -13,12 +13,12 @@ Ssl_cipher SSL_CIPHER # try to connect with '--ssl-ca' option using tilde home directoy # path substitution : should connect Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 # try to connect with '--ssl-key' option using tilde home directoy # path substitution : should connect Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 # try to connect with '--ssl-cert' option using tilde home directoy # path substitution : should connect Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 diff --git a/mysql-test/r/ssl_compress.result b/mysql-test/r/ssl_compress.result index 89b7e8800e7..16e499b5f21 100644 --- a/mysql-test/r/ssl_compress.result +++ b/mysql-test/r/ssl_compress.result 
@@ -1,6 +1,6 @@ SHOW STATUS LIKE 'Ssl_cipher'; Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 SHOW STATUS LIKE 'Compression'; Variable_name Value Compression ON @@ -2235,7 +2235,7 @@ Warning 1052 Column 'kundentyp' in group statement is ambiguous drop table t1; SHOW STATUS LIKE 'Ssl_cipher'; Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 SHOW STATUS LIKE 'Compression'; Variable_name Value Compression ON diff --git a/mysql-test/r/ssl_crl.result b/mysql-test/r/ssl_crl.result index e63f86cac97..fb88f72f6d9 100644 --- a/mysql-test/r/ssl_crl.result +++ b/mysql-test/r/ssl_crl.result @@ -30,8 +30,8 @@ ssl_key MYSQL_TEST_DIR/std_data/crl-server-key.pem # try to connect with '--ssl-crl' option using tilde home directoy # path substitution : should connect Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 # try to connect with '--ssl-crlpath' option using tilde home directoy # path substitution : should connect Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 diff --git a/mysql-test/suite/auth_sec/r/mysql_ssl_connection.result b/mysql-test/suite/auth_sec/r/mysql_ssl_connection.result index a918306b6ee..d978f2447a2 100644 --- a/mysql-test/suite/auth_sec/r/mysql_ssl_connection.result +++ b/mysql-test/suite/auth_sec/r/mysql_ssl_connection.result @@ -3,5 +3,5 @@ # CREATE USER u_20693153@localhost IDENTIFIED BY 'abcd'; Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 DROP USER u_20693153@localhost; diff --git a/mysql-test/suite/auth_sec/r/openssl_cert_generation.result b/mysql-test/suite/auth_sec/r/openssl_cert_generation.result index 94318a283c3..8bd85904f2e 100644 --- a/mysql-test/suite/auth_sec/r/openssl_cert_generation.result +++ b/mysql-test/suite/auth_sec/r/openssl_cert_generation.result 
@@ -41,7 +41,7 @@ Pattern "Auto generated SSL certificates are placed in data directory." found # Ensure that RSA files are not there in data directory # Ensure that server is ssl enabled Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 # Test 4 : RSA key pair # 4.1 : Restarting mysqld with : # --sha256_password_auto_generate_rsa_keys=1 @@ -87,7 +87,7 @@ sha256_password_public_key_path public_key.pem create user wl7699_sha256 identified with 'sha256_password' by 'abcd'; # Should be able to connect to server using generated SSL certificates. Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 # Should be able to connect to server using RSA key pair. current_user() wl7699_sha256@% @@ -126,12 +126,12 @@ sha256_password_public_key_path public_key.pem # 6.3 : SSL connection # Should be able to connect to server using generated SSL certificates. Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 # 6.4 : SHA256_password user create user wl7699_sha256 identified with 'sha256_password' by 'abcd'; # Should be able to connect to server using generated SSL certificates. Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 # Should be able to connect to server using RSA key pair. current_user() wl7699_sha256@% diff --git a/mysql-test/suite/auth_sec/r/ssl_auto_detect.result b/mysql-test/suite/auth_sec/r/ssl_auto_detect.result index c7283812ef3..19c43ae260f 100644 --- a/mysql-test/suite/auth_sec/r/ssl_auto_detect.result +++ b/mysql-test/suite/auth_sec/r/ssl_auto_detect.result @@ -13,7 +13,7 @@ Pattern "CA certificate .* is self signed." found # Try to establish SSL connection : This must succeed. SHOW STATUS LIKE 'Ssl_cipher'; Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 SHOW VARIABLES LIKE 'have_ssl'; Variable_name Value have_ssl YES 
@@ -30,7 +30,7 @@ Variable_name Value ssl_key server-key.pem # Connect using mysql client : This must succeed. Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 # Case 2 : Remove server-key.pem and observe that server starts # without SSL capability # Remove one of the certificates/keys. @@ -50,5 +50,5 @@ Pattern "Found ca.pem, server-cert.pem and server-key.pem in data directory. Try Pattern "CA certificate .* is self signed." found # Try creating SSL connection Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher DHE-RSA-AES256-SHA # Global Cleanup diff --git a/mysql-test/suite/auth_sec/r/tls.result b/mysql-test/suite/auth_sec/r/tls.result index 0ee50327b2f..d3f1ac921da 100644 --- a/mysql-test/suite/auth_sec/r/tls.result +++ b/mysql-test/suite/auth_sec/r/tls.result @@ -6,7 +6,7 @@ Variable_name Value Ssl_version TLS_VERSION #T2: Default SSL cipher Variable_name Value -Ssl_cipher SSL_CIPHER +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 #T3: Setting TLS version TLSv1.2 from the client Variable_name Value Ssl_version TLS_VERSION diff --git a/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test b/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test index 7ccd8172ba3..0cbd65a8f32 100644 --- a/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test +++ b/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test @@ -7,7 +7,6 @@ connection default; CREATE USER u_20693153@localhost IDENTIFIED BY 'abcd'; ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER --exec $MYSQL --protocol=TCP -uu_20693153 -pabcd --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem -e "SHOW STATUS LIKE 'Ssl_cipher';" DROP USER u_20693153@localhost; diff --git a/mysql-test/suite/auth_sec/t/openssl_cert_generation.test b/mysql-test/suite/auth_sec/t/openssl_cert_generation.test index f1d35f665c1..db5d133e6ce 100644 --- a/mysql-test/suite/auth_sec/t/openssl_cert_generation.test 
+++ b/mysql-test/suite/auth_sec/t/openssl_cert_generation.test @@ -163,7 +163,6 @@ let SEARCH_PATTERN= Auto generated SSL certificates are placed in data directory --file_exists $MYSQLTEST_VARDIR/mysqld.1/data/public_key.pem --echo # Ensure that server is ssl enabled ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" #----------------------------------------------------------------------------- @@ -252,7 +251,6 @@ create user wl7699_sha256 identified with 'sha256_password' by 'abcd'; # Using SSL certificates --echo # Should be able to connect to server using generated SSL certificates. ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER --exec $MYSQL -uwl7699_sha256 -pabcd --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" # Using RSA key pair --echo # Should be able to connect to server using RSA key pair. @@ -312,7 +310,6 @@ show variables like 'sha256%'; --echo # 6.3 : SSL connection --echo # Should be able to connect to server using generated SSL certificates. ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" 
@@ -322,7 +319,6 @@ create user wl7699_sha256 identified with 'sha256_password' by 'abcd'; # Using SSL certificates --echo # Should be able to connect to server using generated SSL certificates. ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER --exec $MYSQL -uwl7699_sha256 -pabcd --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" # Using RSA key pair --echo # Should be able to connect to server using RSA key pair. diff --git a/mysql-test/suite/auth_sec/t/ssl_auto_detect.test b/mysql-test/suite/auth_sec/t/ssl_auto_detect.test index ec5f37ceb71..b03fcb5727f 100644 --- a/mysql-test/suite/auth_sec/t/ssl_auto_detect.test +++ b/mysql-test/suite/auth_sec/t/ssl_auto_detect.test @@ -47,7 +47,6 @@ let SEARCH_PATTERN= CA certificate .* is self signed.; --echo # Try to establish SSL connection : This must succeed. connect (ssl_root_1,localhost,root,,,,,SSL); ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; SHOW VARIABLES LIKE 'have_ssl'; @@ -61,7 +60,6 @@ connection default; disconnect ssl_root_1; --echo # Connect using mysql client : This must succeed. ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher';" @@ -127,7 +125,6 @@ let SEARCH_PATTERN= CA certificate .* is self signed.; --source include/search_pattern.inc --echo # Try creating SSL connection ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher';" 
diff --git a/mysql-test/suite/auth_sec/t/tls.test b/mysql-test/suite/auth_sec/t/tls.test index ddb430eb030..4230a1af50c 100644 --- a/mysql-test/suite/auth_sec/t/tls.test +++ b/mysql-test/suite/auth_sec/t/tls.test @@ -31,7 +31,6 @@ let $tls_default= TLSv1.2; --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_version'" --echo #T2: Default SSL cipher ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --echo #T3: Setting TLS version TLSv1.2 from the client diff --git a/mysql-test/t/mysql_ssl_default.test b/mysql-test/t/mysql_ssl_default.test index e6686c0b0eb..e9ce4fda631 100644 --- a/mysql-test/t/mysql_ssl_default.test +++ b/mysql-test/t/mysql_ssl_default.test @@ -11,15 +11,12 @@ --echo # verify that mysql default connect with ssl channel when using TCP/IP --echo # connection ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --echo # verify that mysql --ssl=0 connect with unencrypted channel ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --ssl-mode=DISABLED --echo # verify that mysql --ssl=1 connect with ssl channel ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --ssl-mode=REQUIRED CREATE USER u1@localhost IDENTIFIED BY 'secret' REQUIRE SSL; 
diff --git a/mysql-test/t/openssl_1.test b/mysql-test/t/openssl_1.test index 247a11b895e..97859f07d69 100644 --- a/mysql-test/t/openssl_1.test +++ b/mysql-test/t/openssl_1.test @@ -28,13 +28,9 @@ create user ssl_user1@localhost, ssl_user2@localhost, grant select on test.* to ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost; ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER -- eval alter user ssl_user2@localhost require cipher $cipher_val ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER -- eval alter user ssl_user3@localhost require cipher $cipher_val AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client" ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER -- eval alter user ssl_user4@localhost require cipher $cipher_val AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client" ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA" ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER -- eval alter user ssl_user5@localhost require cipher $cipher_val AND SUBJECT "xxx" flush privileges; @@ -48,7 +44,6 @@ connect (con5,localhost,ssl_user5,,,,,SSL); connection con1; # Check ssl turned on ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR 
@@ -56,7 +51,6 @@ delete from t1; connection con2; # Check ssl turned on ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR @@ -64,7 +58,6 @@ delete from t1; connection con3; # Check ssl turned on ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR @@ -72,7 +65,6 @@ delete from t1; connection con4; # Check ssl turned on ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR @@ -150,7 +142,6 @@ drop table t1; # verification of servers certificate by setting both ca certificate # and ca path to NULL # ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER --exec $MYSQL --ssl-mode=REQUIRED --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1 --echo End of 5.0 tests @@ -282,7 +273,6 @@ CREATE USER bug42158@localhost REQUIRE X509; GRANT SELECT ON test.* TO bug42158@localhost; FLUSH PRIVILEGES; connect(con1,localhost,bug42158,,,,,SSL); ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; disconnect con1; connection default; diff --git a/mysql-test/t/plugin_auth_sha256_tls.test b/mysql-test/t/plugin_auth_sha256_tls.test index 099b06d618c..60c5906b43c 100644 
--- a/mysql-test/t/plugin_auth_sha256_tls.test +++ b/mysql-test/t/plugin_auth_sha256_tls.test @@ -1,7 +1,6 @@ --source include/have_ssl.inc connect (ssl_con,localhost,root,,,,,SSL); ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; CREATE USER 'kristofer' IDENTIFIED WITH 'sha256_password'; diff --git a/mysql-test/t/ssl.test b/mysql-test/t/ssl.test index eaab810895e..422d697b740 100644 --- a/mysql-test/t/ssl.test +++ b/mysql-test/t/ssl.test @@ -11,7 +11,6 @@ connect (ssl_con,localhost,root,,,,,SSL); # Check ssl turned on ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; # Check ssl expiration @@ -22,7 +21,6 @@ SHOW STATUS LIKE 'Ssl_server_not_after'; -- source include/common-tests.inc # Check ssl turned on ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; connection default; diff --git a/mysql-test/t/ssl_8k_key.test b/mysql-test/t/ssl_8k_key.test index b0659223aaa..eeebe9094b7 100644 --- a/mysql-test/t/ssl_8k_key.test +++ b/mysql-test/t/ssl_8k_key.test @@ -4,7 +4,6 @@ # # Bug#29784 YaSSL assertion failure when reading 8k key. # ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER --exec $MYSQL --ssl-mode=REQUIRED --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1 ## This test file is for testing encrypted communication only, not other diff --git a/mysql-test/t/ssl_ca.test b/mysql-test/t/ssl_ca.test index 184bd7bbf5f..2611755c574 100644 --- a/mysql-test/t/ssl_ca.test +++ b/mysql-test/t/ssl_ca.test 
@@ -9,7 +9,6 @@ --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/wrong-crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1 --echo # try to connect with correct '--ssl-ca' path : should connect ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" --echo # 
@@ -21,15 +20,12 @@ --echo # try to connect with '--ssl-ca' option using tilde home directoy --echo # path substitution : should connect ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER --exec $MYSQL --ssl-ca=$mysql_test_dir_path/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" --echo # try to connect with '--ssl-key' option using tilde home directoy --echo # path substitution : should connect ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$mysql_test_dir_path/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" --echo # try to connect with '--ssl-cert' option using tilde home directoy --echo # path substitution : should connect ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$mysql_test_dir_path/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" diff --git a/mysql-test/t/ssl_compress.test b/mysql-test/t/ssl_compress.test index 5e3c8e728ac..d643492649c 100644 --- a/mysql-test/t/ssl_compress.test +++ b/mysql-test/t/ssl_compress.test 
@@ -11,7 +11,6 @@ connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS); # Check ssl turned on ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; # Check compression turned on @@ -21,7 +20,6 @@ SHOW STATUS LIKE 'Compression'; -- source include/common-tests.inc # Check ssl turned on ---replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ECDHE-RSA-AES128-SHA256 SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; # Check compression turned on diff --git a/mysql-test/t/ssl_crl.test b/mysql-test/t/ssl_crl.test index 773a6879702..5097b78a2a5 100644 --- a/mysql-test/t/ssl_crl.test +++ b/mysql-test/t/ssl_crl.test 
@@ -1,18 +1,12 @@ -- source include/have_ssl.inc -- source include/have_openssl.inc -let $crllen=`select length(trim(coalesce(@@ssl_crl, ''))) + length(trim(coalesce(@@ssl_crlpath, '')))`; -if (!$crllen) -{ - skip Needs OpenSSL; -} - --echo # test --crl for the client : should connect ---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR --exec $MYSQL --ssl-mode=VERIFY_CA --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test --ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl -e "SHOW VARIABLES like '%ssl%';" --echo # test --crlpath for the client : should connect ---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR --exec $MYSQL --ssl-mode=VERIFY_CA --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem --ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir test -e "SHOW VARIABLES like '%ssl%';" --echo # try logging in with a certificate in the server's --ssl-crl : should fail 
@@ -29,10 +23,10 @@ if (!$crllen) --echo # try to connect with '--ssl-crl' option using tilde home directoy --echo # path substitution : should connect ---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test --ssl-crl=$mysql_test_dir_path/std_data/crl-client-revoked.crl -e "SHOW STATUS LIKE 'Ssl_cipher'" --echo # try to connect with '--ssl-crlpath' option using tilde home directoy --echo # path substitution : should connect ---replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem --ssl-crlpath=$mysql_test_dir_path/std_data/crldir test -e "SHOW STATUS LIKE 'Ssl_cipher'" diff --git a/vio/viosslfactories.cc b/vio/viosslfactories.cc index 5e881e30b84..52be1ae701f 100644 --- a/vio/viosslfactories.cc +++ b/vio/viosslfactories.cc 
@@ -685,6 +685,42 @@ static struct st_VioSSLFd *new_VioSSLFd( wolfSSL_SetIOSend(ssl_fd->ssl_context, wolfssl_send); #endif +#if !defined(HAVE_WOLFSSL) +#if OPENSSL_VERSION_NUMBER < 0x10002000L + const auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + if (!ecdh) { + *error = SSL_INITERR_DHFAIL; + DBUG_PRINT("error", ("%s", sslGetErrString(*error))); + report_errors(); + SSL_CTX_free(ssl_fd->ssl_context); + my_free(ssl_fd); + DBUG_RETURN(nullptr); + } + + if (SSL_CTX_set_tmp_ecdh(ssl_fd->ssl_context, ecdh) != 1) { + *error = SSL_INITERR_DHFAIL; + DBUG_PRINT("error", ("%s", sslGetErrString(*error))); + report_errors(); + EC_KEY_free(ecdh); + SSL_CTX_free(ssl_fd->ssl_context); + my_free(ssl_fd); + DBUG_RETURN(nullptr); + } + EC_KEY_free(ecdh); + +#else /* OPENSSL_VERSION_NUMBER < 0x10002000L */ + + if (SSL_CTX_set_ecdh_auto(ssl_fd->ssl_context, 1) != 1) { + *error = SSL_INITERR_DHFAIL; + DBUG_PRINT("error", ("%s", sslGetErrString(*error))); + report_errors(); + SSL_CTX_free(ssl_fd->ssl_context); + my_free(ssl_fd); + DBUG_RETURN(nullptr); + } +#endif /* OPENSSL_VERSION_NUMBER < 0x10002000L */ +#endif /* !defined(HAVE_WOLFSSL) */ + DBUG_PRINT("exit", ("OK 1")); DBUG_RETURN(ssl_fd);
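Review bot: The new block is gated only on `!defined(HAVE_WOLFSSL)` and the OpenSSL version, not on EC support itself, so an OpenSSL built with `no-ec` (which defines `OPENSSL_NO_EC` and omits `EC_KEY_new_by_curve_name`/`SSL_CTX_set_tmp_ecdh`) will fail to compile here, although the commit message says the setup is conditional on the library supporting EC; the outer guard should read `#if !defined(HAVE_WOLFSSL) && !defined(OPENSSL_NO_EC)`. All three failure paths report `SSL_INITERR_DHFAIL`, so an operator reading the error string presumably sees a DH-parameter failure when it was the curve setup that failed; a dedicated ECDH error value (e.g. `SSL_INITERR_ECDHFAIL`, name constructed here) would make the startup log unambiguous. The teardown `SSL_CTX_free(ssl_fd->ssl_context); my_free(ssl_fd); DBUG_RETURN(nullptr);` is repeated three times within this hunk alone; since the file is C++, a small local lambda or a shared failure label would keep the cleanup in one place. `new_VioSSLFd` starts outside the hunk, so the existing DH failure path it presumably mirrors is not visible here.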