commit 88cc19c9f13dfd720c79acaabe2005619e114fb5 Author: Laurynas Biveinis Date: Tue Sep 20 13:11:33 2016 +0300 Fix bug 82935 / 1622034 (Cipher ECDHE-RSA-AES128-GCM-SHA256 listed in man/Ssl_cipher_list, not supported) Invoke OpenSSL eliptic curve setup functions so that EC-DHE ciphers are supported. Do this conditionally if the SSL library supports EC. Re-record testcases which now negotiate EC ciphers by default. diff --git a/mysql-test/r/ssl_crl.result b/mysql-test/r/ssl_crl.result index 5a34bb78546..fff6b0a5d66 100644 --- a/mysql-test/r/ssl_crl.result +++ b/mysql-test/r/ssl_crl.result @@ -28,8 +28,8 @@ ssl_key MYSQL_TEST_DIR/std_data/crl-server-key.pem # try to connect with '--ssl-crl' option using tilde home directoy # path substitution : should connect Variable_name Value -Ssl_cipher DHE-RSA-AES128-GCM-SHA256 +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 # try to connect with '--ssl-crlpath' option using tilde home directoy # path substitution : should connect Variable_name Value -Ssl_cipher DHE-RSA-AES128-GCM-SHA256 +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 diff --git a/mysql-test/r/ssl_ecdh.result b/mysql-test/r/ssl_ecdh.result new file mode 100644 index 00000000000..1d1e8c4e58a --- /dev/null +++ b/mysql-test/r/ssl_ecdh.result @@ -0,0 +1,18 @@ +# +# Bug 82935: Cipher ECDHE-RSA-AES128-GCM-SHA256 listed in man/Ssl_cipher_list, not supported +# +SET @orig_sql_mode= @@sql_mode; +SET sql_mode= (SELECT REPLACE(@@sql_mode,'NO_AUTO_CREATE_USER','')); +Warnings: +Warning 3090 Changing sql mode 'NO_AUTO_CREATE_USER' is deprecated. It will be removed in a future release. +GRANT SELECT ON test.* TO ecdh@localhost REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256"; +Warnings: +Warning 1287 Using GRANT for creating new user is deprecated and will be removed in future release. Create new user with CREATE USER statement. +FLUSH PRIVILEGES; +SHOW STATUS LIKE 'Ssl_cipher'; +Variable_name Value +Ssl_cipher ECDHE-RSA-AES128-GCM-SHA256 +DROP USER ecdh@localhost; +SET sql_mode= @orig_sql_mode; +Warnings: +Warning 3090 Changing sql mode 'NO_AUTO_CREATE_USER' is deprecated. It will be removed in a future release. diff --git a/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test b/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test index e3b4bb817f8..d52e2e5b94f 100644 --- a/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test +++ b/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test @@ -7,7 +7,7 @@ connection default; CREATE USER u_20693153@localhost IDENTIFIED BY 'abcd'; ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --protocol=TCP -uu_20693153 -pabcd --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem -e "SHOW STATUS LIKE 'Ssl_cipher';" DROP USER u_20693153@localhost; diff --git a/mysql-test/suite/auth_sec/t/openssl_cert_generation.test b/mysql-test/suite/auth_sec/t/openssl_cert_generation.test index 793872a6904..e4af8e63072 100644 --- a/mysql-test/suite/auth_sec/t/openssl_cert_generation.test +++ b/mysql-test/suite/auth_sec/t/openssl_cert_generation.test @@ -183,7 +183,7 @@ let SEARCH_PATTERN= Auto generated SSL certificates are placed in data directory --file_exists $MYSQLTEST_VARDIR/mysqld.1/data/public_key.pem --echo # Ensure that server is ssl enabled ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" #----------------------------------------------------------------------------- @@ -285,7 +285,7 @@ grant usage on *.* to wl7699_sha256 identified by 'abcd'; # Using SSL certificates --echo # Should be able to connect to server using generated SSL certificates. ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL -uwl7699_sha256 -pabcd --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" # Using RSA key pair --echo # Should be able to connect to server using RSA key pair. @@ -351,7 +351,7 @@ show variables like 'sha256%'; --echo # 6.3 : SSL connection --echo # Should be able to connect to server using generated SSL certificates. ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" @@ -362,7 +362,7 @@ grant usage on *.* to wl7699_sha256 identified by 'abcd'; # Using SSL certificates --echo # Should be able to connect to server using generated SSL certificates. ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL -uwl7699_sha256 -pabcd --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" # Using RSA key pair --echo # Should be able to connect to server using RSA key pair. diff --git a/mysql-test/suite/auth_sec/t/ssl_auto_detect.test b/mysql-test/suite/auth_sec/t/ssl_auto_detect.test index 706f8b05ec1..7b1ea883a96 100644 --- a/mysql-test/suite/auth_sec/t/ssl_auto_detect.test +++ b/mysql-test/suite/auth_sec/t/ssl_auto_detect.test @@ -54,7 +54,7 @@ let SEARCH_PATTERN= CA certificate .* is self signed.; --echo # Try to establish SSL connection : This must succeed. connect (ssl_root_1,localhost,root,,,,,SSL); ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; SHOW VARIABLES LIKE 'have_ssl'; @@ -68,7 +68,7 @@ connection default; disconnect ssl_root_1; --echo # Connect using mysql client : This must succeed. ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher';" @@ -140,7 +140,7 @@ let SEARCH_PATTERN= CA certificate .* is self signed.; --source include/search_pattern_in_file.inc --echo # Try creating SSL connection ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher';" diff --git a/mysql-test/suite/auth_sec/t/tls.test b/mysql-test/suite/auth_sec/t/tls.test index ab68bb39d1c..c1ffd5465c3 100644 --- a/mysql-test/suite/auth_sec/t/tls.test +++ b/mysql-test/suite/auth_sec/t/tls.test @@ -38,7 +38,7 @@ let $cipher_default= DHE-RSA-AES256-SHA; let $tls_default= TLSv1.1; let $openssl= query_get_value("SHOW STATUS LIKE 'Rsa_public_key'", Variable_name, 1); if ($openssl == 'Rsa_public_key'){ - let $cipher_default= DHE-RSA-AES128-GCM-SHA256; + let $cipher_default= ECDHE-RSA-AES128-GCM-SHA256; let $tls_default= TLSv1.2; } --echo #T1: Default TLS connection diff --git a/mysql-test/t/mysql_ssl_default.test b/mysql-test/t/mysql_ssl_default.test index 2fe345b6c0a..bc094f96610 100644 --- a/mysql-test/t/mysql_ssl_default.test +++ b/mysql-test/t/mysql_ssl_default.test @@ -14,15 +14,15 @@ --echo # verify that mysql default connect with ssl channel when using TCP/IP --echo # connection ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --echo # verify that mysql --ssl=0 connect with unencrypted channel ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --ssl-mode=DISABLED --echo # verify that mysql --ssl=1 connect with ssl channel ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --ssl-mode=REQUIRED CREATE USER u1@localhost IDENTIFIED BY 'secret' REQUIRE SSL; diff --git a/mysql-test/t/openssl_1.test b/mysql-test/t/openssl_1.test index 3d1cc31af29..877430d3d94 100644 --- a/mysql-test/t/openssl_1.test +++ b/mysql-test/t/openssl_1.test @@ -19,17 +19,17 @@ insert into t1 values (5); let $cipher_val= "DHE-RSA-AES256-SHA"; let $shavars= query_get_value("SHOW STATUS LIKE 'Rsa_public_key'", Variable_name, 1); if ($shavars == 'Rsa_public_key'){ - let $cipher_val= "DHE-RSA-AES128-GCM-SHA256"; + let $cipher_val= "ECDHE-RSA-AES128-GCM-SHA256"; } grant select on test.* to ssl_user1@localhost require SSL; ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -- eval grant select on test.* to ssl_user2@localhost require cipher $cipher_val ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -- eval grant select on test.* to ssl_user3@localhost require cipher $cipher_val AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client" ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -- eval grant select on test.* to ssl_user4@localhost require cipher $cipher_val AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client" ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA" ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -- eval grant select on test.* to ssl_user5@localhost require cipher $cipher_val AND SUBJECT "xxx" flush privileges; @@ -43,7 +43,7 @@ connect (con5,localhost,ssl_user5,,,,,SSL); connection con1; # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR @@ -51,7 +51,7 @@ delete from t1; connection con2; # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR @@ -59,7 +59,7 @@ delete from t1; connection con3; # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR @@ -67,7 +67,7 @@ delete from t1; connection con4; # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR @@ -142,7 +142,7 @@ drop table t1; # verification of servers certificate by setting both ca certificate # and ca path to NULL # ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --ssl-mode=REQUIRED --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1 --echo End of 5.0 tests @@ -269,7 +269,7 @@ select 'is still running; no cipher request crashed the server' as result from d GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509; FLUSH PRIVILEGES; connect(con1,localhost,bug42158,,,,,SSL); ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; disconnect con1; connection default; diff --git a/mysql-test/t/plugin_auth_sha256_tls.test b/mysql-test/t/plugin_auth_sha256_tls.test index ab21b7c8362..e0d9985e085 100644 --- a/mysql-test/t/plugin_auth_sha256_tls.test +++ b/mysql-test/t/plugin_auth_sha256_tls.test @@ -2,7 +2,7 @@ --source include/have_ssl.inc connect (ssl_con,localhost,root,,,,,SSL); ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; CREATE USER 'kristofer' IDENTIFIED WITH 'sha256_password'; diff --git a/mysql-test/t/ssl.test b/mysql-test/t/ssl.test index 1c7680e5930..c9e09ad7ac6 100644 --- a/mysql-test/t/ssl.test +++ b/mysql-test/t/ssl.test @@ -21,7 +21,7 @@ use test; connect (ssl_con,localhost,root,,,,,SSL); # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; # Check ssl expiration @@ -32,7 +32,7 @@ SHOW STATUS LIKE 'Ssl_server_not_after'; -- source include/common-tests.inc # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; connection default; diff --git a/mysql-test/t/ssl_8k_key.test b/mysql-test/t/ssl_8k_key.test index 4cf899a31b4..a68849fa227 100644 --- a/mysql-test/t/ssl_8k_key.test +++ b/mysql-test/t/ssl_8k_key.test @@ -4,7 +4,7 @@ # # Bug#29784 YaSSL assertion failure when reading 8k key. # ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --ssl-mode=REQUIRED --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1 ## This test file is for testing encrypted communication only, not other diff --git a/mysql-test/t/ssl_ca.test b/mysql-test/t/ssl_ca.test index 87462d71aad..4f207de4527 100644 --- a/mysql-test/t/ssl_ca.test +++ b/mysql-test/t/ssl_ca.test @@ -10,7 +10,7 @@ --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/wrong-crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1 --echo # try to connect with correct '--ssl-ca' path : should connect ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" --echo # @@ -22,15 +22,15 @@ --echo # try to connect with '--ssl-ca' option using tilde home directoy --echo # path substitution : should connect ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --ssl-ca=$mysql_test_dir_path/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" --echo # try to connect with '--ssl-key' option using tilde home directoy --echo # path substitution : should connect ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$mysql_test_dir_path/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" --echo # try to connect with '--ssl-cert' option using tilde home directoy --echo # path substitution : should connect ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$mysql_test_dir_path/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" diff --git a/mysql-test/t/ssl_compress.test b/mysql-test/t/ssl_compress.test index 912f5391762..c730ed9f669 100644 --- a/mysql-test/t/ssl_compress.test +++ b/mysql-test/t/ssl_compress.test @@ -21,7 +21,7 @@ use test; connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS); # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; # Check compression turned on @@ -31,7 +31,7 @@ SHOW STATUS LIKE 'Compression'; -- source include/common-tests.inc # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; # Check compression turned on diff --git a/mysql-test/t/ssl_ecdh.test b/mysql-test/t/ssl_ecdh.test new file mode 100644 index 00000000000..4d9bc262727 --- /dev/null +++ b/mysql-test/t/ssl_ecdh.test @@ -0,0 +1,25 @@ +--source include/have_ssl.inc +--source include/have_openssl.inc + +--source include/count_sessions.inc + +--echo # +--echo # Bug 82935: Cipher ECDHE-RSA-AES128-GCM-SHA256 listed in man/Ssl_cipher_list, not supported +--echo # + +SET @orig_sql_mode= @@sql_mode; +SET sql_mode= (SELECT REPLACE(@@sql_mode,'NO_AUTO_CREATE_USER','')); + +GRANT SELECT ON test.* TO ecdh@localhost REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256"; +FLUSH PRIVILEGES; + +connect (con1,localhost,ecdh,,,,,SSL); +SHOW STATUS LIKE 'Ssl_cipher'; +disconnect con1; +connection default; + +DROP USER ecdh@localhost; + +SET sql_mode= @orig_sql_mode; + +--source include/wait_until_count_sessions.inc diff --git a/vio/viosslfactories.cc b/vio/viosslfactories.cc index f639bd976f9..d6c1c2d58f7 100644 --- a/vio/viosslfactories.cc +++ b/vio/viosslfactories.cc @@ -654,6 +654,45 @@ new_VioSSLFd(const char *key_file, const char *cert_file, } DH_free(dh); +#ifndef HAVE_YASSL +#if OPENSSL_VERSION_NUMBER < 0x10002000L + const auto ecdh= EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + if (!ecdh) + { + *error= SSL_INITERR_DHFAIL; + DBUG_PRINT("error", ("%s", sslGetErrString(*error))); + report_errors(); + SSL_CTX_free(ssl_fd->ssl_context); + my_free(ssl_fd); + DBUG_RETURN(nullptr); + } + + if (SSL_CTX_set_tmp_ecdh(ssl_fd->ssl_context, ecdh) != 1) + { + *error= SSL_INITERR_DHFAIL; + DBUG_PRINT("error", ("%s", sslGetErrString(*error))); + report_errors(); + EC_KEY_free(ecdh); + SSL_CTX_free(ssl_fd->ssl_context); + my_free(ssl_fd); + DBUG_RETURN(nullptr); + } + EC_KEY_free(ecdh); + +#else /* OPENSSL_VERSION_NUMBER < 0x10002000L */ + + if (SSL_CTX_set_ecdh_auto(ssl_fd->ssl_context, 1) != 1) + { + *error= SSL_INITERR_DHFAIL; + DBUG_PRINT("error", ("%s", sslGetErrString(*error))); + report_errors(); + SSL_CTX_free(ssl_fd->ssl_context); + my_free(ssl_fd); + DBUG_RETURN(nullptr); + } +#endif /* OPENSSL_VERSION_NUMBER < 0x10002000L */ +#endif /* !HAVE_YASSL */ + DBUG_PRINT("exit", ("OK 1")); DBUG_RETURN(ssl_fd);