Add OpenSSL 1.1 compatibility Based on patches in upstream tracker (bellow), and patches from MariaDB for the same feature. Upstream tracker: https://bugs.mysql.com/bug.php?id=83814 diff -up mysql-8.0.3-rc/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test.p71 mysql-8.0.3-rc/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test --- mysql-8.0.3-rc/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test.p71 2017-09-19 13:33:50.000000000 +0200 +++ mysql-8.0.3-rc/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test 2017-12-09 20:33:12.018893236 +0100 @@ -7,7 +7,7 @@ connection default; CREATE USER u_20693153@localhost IDENTIFIED BY 'abcd'; ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --protocol=TCP -uu_20693153 -pabcd --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem -e "SHOW STATUS LIKE 'Ssl_cipher';" DROP USER u_20693153@localhost; diff -up mysql-8.0.3-rc/mysql-test/suite/auth_sec/t/openssl_cert_generation.test.p71 mysql-8.0.3-rc/mysql-test/suite/auth_sec/t/openssl_cert_generation.test --- mysql-8.0.3-rc/mysql-test/suite/auth_sec/t/openssl_cert_generation.test.p71 2017-09-19 13:33:50.000000000 +0200 +++ mysql-8.0.3-rc/mysql-test/suite/auth_sec/t/openssl_cert_generation.test 2017-12-09 20:33:12.019893243 +0100 @@ -182,7 +182,7 @@ let SEARCH_PATTERN= Auto generated SSL c --file_exists $MYSQLTEST_VARDIR/mysqld.1/data/public_key.pem --echo # Ensure that server is ssl enabled ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" #----------------------------------------------------------------------------- 
@@ -284,7 +284,7 @@ grant usage on *.* to wl7699_sha256 iden # Using SSL certificates --echo # Should be able to connect to server using generated SSL certificates. ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL -uwl7699_sha256 -pabcd --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" # Using RSA key pair --echo # Should be able to connect to server using RSA key pair. @@ -350,7 +350,7 @@ show variables like 'sha256%'; --echo # 6.3 : SSL connection --echo # Should be able to connect to server using generated SSL certificates. ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" @@ -361,7 +361,7 @@ grant usage on *.* to wl7699_sha256 iden # Using SSL certificates --echo # Should be able to connect to server using generated SSL certificates. ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL -uwl7699_sha256 -pabcd --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" # Using RSA key pair --echo # Should be able to connect to server using RSA key pair. diff -up mysql-8.0.3-rc/mysql-test/suite/auth_sec/t/ssl_auto_detect.test.p71 mysql-8.0.3-rc/mysql-test/suite/auth_sec/t/ssl_auto_detect.test --- mysql-8.0.3-rc/mysql-test/suite/auth_sec/t/ssl_auto_detect.test.p71 2017-09-19 13:33:50.000000000 +0200 +++ mysql-8.0.3-rc/mysql-test/suite/auth_sec/t/ssl_auto_detect.test 2017-12-09 20:33:12.019893243 +0100 
@@ -53,7 +53,7 @@ let SEARCH_PATTERN= CA certificate .* is --echo # Try to establish SSL connection : This must succeed. connect (ssl_root_1,localhost,root,,,,,SSL); ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; SHOW VARIABLES LIKE 'have_ssl'; @@ -67,7 +67,7 @@ connection default; disconnect ssl_root_1; --echo # Connect using mysql client : This must succeed. ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher';" @@ -139,7 +139,7 @@ let SEARCH_PATTERN= CA certificate .* is --source include/search_pattern.inc --echo # Try creating SSL connection ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher';" diff -up mysql-8.0.3-rc/mysql-test/suite/auth_sec/t/tls.test.p71 mysql-8.0.3-rc/mysql-test/suite/auth_sec/t/tls.test --- mysql-8.0.3-rc/mysql-test/suite/auth_sec/t/tls.test.p71 2017-09-19 13:33:50.000000000 +0200 +++ mysql-8.0.3-rc/mysql-test/suite/auth_sec/t/tls.test 2017-12-09 20:33:12.019893243 +0100 
@@ -36,7 +36,7 @@ let $cipher_default= DHE-RSA-AES256-SHA; let $tls_default= TLSv1.1; let $openssl= query_get_value("SHOW STATUS LIKE 'Rsa_public_key'", Variable_name, 1); if ($openssl == 'Rsa_public_key'){ - let $cipher_default= DHE-RSA-AES128-GCM-SHA256; + let $cipher_default= ECDHE-RSA-AES128-GCM-SHA256; let $tls_default= TLSv1.2; } --echo #T1: Default TLS connection diff -up mysql-8.0.3-rc/mysql-test/t/mysql_ssl_default.test.p71 mysql-8.0.3-rc/mysql-test/t/mysql_ssl_default.test --- mysql-8.0.3-rc/mysql-test/t/mysql_ssl_default.test.p71 2017-09-19 13:33:50.000000000 +0200 +++ mysql-8.0.3-rc/mysql-test/t/mysql_ssl_default.test 2017-12-09 20:33:12.019893243 +0100 
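Review bot: `let $cipher_default= ECDHE-RSA-AES128-GCM-SHA256;` pins the expected cipher to a single suite, while the `--replace_result` lines elsewhere in this patch still accept `DHE-RSA-AES128-GCM-SHA256` as well. If the suite is also meant to pass against an OpenSSL 1.0.x build, this branch presumably needs to choose the value by library version rather than replace it outright. The same applies to `let $cipher_val= "ECDHE-RSA-AES128-GCM-SHA256";` in openssl_1.test, where the value feeds the `require cipher $cipher_val` grants, so a server negotiating the DHE suite would refuse those test users. How `$cipher_default` is used lies outside this hunk.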
@@ -11,15 +11,15 @@ --echo # verify that mysql default connect with ssl channel when using TCP/IP --echo # connection ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --echo # verify that mysql --ssl=0 connect with unencrypted channel ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --ssl-mode=DISABLED --echo # verify that mysql --ssl=1 connect with ssl channel ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --ssl-mode=REQUIRED CREATE USER u1@localhost IDENTIFIED BY 'secret' REQUIRE SSL; diff -up mysql-8.0.3-rc/mysql-test/t/openssl_1.test.p71 mysql-8.0.3-rc/mysql-test/t/openssl_1.test --- mysql-8.0.3-rc/mysql-test/t/openssl_1.test.p71 2017-09-19 13:33:50.000000000 +0200 +++ mysql-8.0.3-rc/mysql-test/t/openssl_1.test 2017-12-09 20:33:12.019893243 +0100 
@@ -19,17 +19,17 @@ insert into t1 values (5); let $cipher_val= "DHE-RSA-AES256-SHA"; let $shavars= query_get_value("SHOW STATUS LIKE 'Rsa_public_key'", Variable_name, 1); if ($shavars == 'Rsa_public_key'){ - let $cipher_val= "DHE-RSA-AES128-GCM-SHA256"; + let $cipher_val= "ECDHE-RSA-AES128-GCM-SHA256"; } grant select on test.* to ssl_user1@localhost require SSL; ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -- eval grant select on test.* to ssl_user2@localhost require cipher $cipher_val ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -- eval grant select on test.* to ssl_user3@localhost require cipher $cipher_val AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client" ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -- eval grant select on test.* to ssl_user4@localhost require cipher $cipher_val AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client" ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA" ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -- eval grant select on test.* to ssl_user5@localhost require cipher $cipher_val AND SUBJECT "xxx" flush privileges; 
@@ -43,7 +43,7 @@ connect (con5,localhost,ssl_user5,,,,,SS connection con1; # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR @@ -51,7 +51,7 @@ delete from t1; connection con2; # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR @@ -59,7 +59,7 @@ delete from t1; connection con3; # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR @@ -67,7 +67,7 @@ delete from t1; connection con4; # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; select * from t1; --error ER_TABLEACCESS_DENIED_ERROR 
@@ -145,7 +145,7 @@ drop table t1; # verification of servers certificate by setting both ca certificate # and ca path to NULL # ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --ssl-mode=REQUIRED --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1 --echo End of 5.0 tests @@ -276,7 +276,7 @@ select 'is still running; no cipher requ GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509; FLUSH PRIVILEGES; connect(con1,localhost,bug42158,,,,,SSL); ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; disconnect con1; connection default; diff -up mysql-8.0.3-rc/mysql-test/t/plugin_auth_sha256_tls.test.p71 mysql-8.0.3-rc/mysql-test/t/plugin_auth_sha256_tls.test --- mysql-8.0.3-rc/mysql-test/t/plugin_auth_sha256_tls.test.p71 2017-09-19 13:33:50.000000000 +0200 +++ mysql-8.0.3-rc/mysql-test/t/plugin_auth_sha256_tls.test 2017-12-09 20:33:12.019893243 +0100 @@ -1,7 +1,7 @@ --source include/have_ssl.inc connect (ssl_con,localhost,root,,,,,SSL); ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; CREATE USER 'kristofer' IDENTIFIED WITH 'sha256_password'; diff -up mysql-8.0.3-rc/mysql-test/t/ssl_8k_key.test.p71 mysql-8.0.3-rc/mysql-test/t/ssl_8k_key.test --- mysql-8.0.3-rc/mysql-test/t/ssl_8k_key.test.p71 2017-09-19 13:33:50.000000000 +0200 +++ mysql-8.0.3-rc/mysql-test/t/ssl_8k_key.test 2017-12-09 20:33:12.019893243 +0100 
@@ -4,7 +4,7 @@ # # Bug#29784 YaSSL assertion failure when reading 8k key. # ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --ssl-mode=REQUIRED --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1 ## This test file is for testing encrypted communication only, not other diff -up mysql-8.0.3-rc/mysql-test/t/ssl_ca.test.p71 mysql-8.0.3-rc/mysql-test/t/ssl_ca.test --- mysql-8.0.3-rc/mysql-test/t/ssl_ca.test.p71 2017-09-19 13:33:50.000000000 +0200 +++ mysql-8.0.3-rc/mysql-test/t/ssl_ca.test 2017-12-09 20:33:12.020893250 +0100 @@ -9,7 +9,7 @@ --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/wrong-crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1 --echo # try to connect with correct '--ssl-ca' path : should connect ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" --echo # 
@@ -21,15 +21,15 @@ --echo # try to connect with '--ssl-ca' option using tilde home directoy --echo # path substitution : should connect ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --ssl-ca=$mysql_test_dir_path/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" --echo # try to connect with '--ssl-key' option using tilde home directoy --echo # path substitution : should connect ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$mysql_test_dir_path/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" --echo # try to connect with '--ssl-cert' option using tilde home directoy --echo # path substitution : should connect ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$mysql_test_dir_path/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" diff -up mysql-8.0.3-rc/mysql-test/t/ssl_compress.test.p71 mysql-8.0.3-rc/mysql-test/t/ssl_compress.test --- mysql-8.0.3-rc/mysql-test/t/ssl_compress.test.p71 2017-09-19 13:33:50.000000000 +0200 +++ mysql-8.0.3-rc/mysql-test/t/ssl_compress.test 2017-12-09 20:33:12.020893250 +0100 
@@ -11,7 +11,7 @@ connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS); # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; # Check compression turned on @@ -21,7 +21,7 @@ SHOW STATUS LIKE 'Compression'; -- source include/common-tests.inc # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; # Check compression turned on diff -up mysql-8.0.3-rc/mysql-test/t/ssl_crl.test.p71 mysql-8.0.3-rc/mysql-test/t/ssl_crl.test --- mysql-8.0.3-rc/mysql-test/t/ssl_crl.test.p71 2017-09-19 13:33:50.000000000 +0200 +++ mysql-8.0.3-rc/mysql-test/t/ssl_crl.test 2017-12-09 20:33:12.020893250 +0100 
@@ -30,9 +30,11 @@ if (!$crllen) --echo # try to connect with '--ssl-crl' option using tilde home directoy --echo # path substitution : should connect --replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR +--replace_result ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test --ssl-crl=$mysql_test_dir_path/std_data/crl-client-revoked.crl -e "SHOW STATUS LIKE 'Ssl_cipher'" --echo # try to connect with '--ssl-crlpath' option using tilde home directoy --echo # path substitution : should connect --replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR +--replace_result ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem --ssl-crlpath=$mysql_test_dir_path/std_data/crldir test -e "SHOW STATUS LIKE 'Ssl_cipher'" diff -up mysql-8.0.3-rc/mysql-test/t/ssl.test.p71 mysql-8.0.3-rc/mysql-test/t/ssl.test --- mysql-8.0.3-rc/mysql-test/t/ssl.test.p71 2017-09-19 13:33:50.000000000 +0200 +++ mysql-8.0.3-rc/mysql-test/t/ssl.test 2017-12-09 20:33:12.020893250 +0100 @@ -11,7 +11,7 @@ connect (ssl_con,localhost,root,,,,,SSL); # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; # Check ssl expiration 
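Review bot: The added `--replace_result ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256` directly follows `--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR`, and as far as I know mysqltest keeps only the most recent replace_result for the next command, so the path masking would be dropped; this happens before both `--exec` calls in the ssl_crl.test hunk. Merging the two keeps both rules: `--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256`. These lines also rewrite to the old cipher name rather than to `SSL_CIPHER` as every other test in the patch does, which leaves a literal suite name in the result file; a one-line comment saying why would help.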
@@ -22,7 +22,7 @@ SHOW STATUS LIKE 'Ssl_server_not_after'; -- source include/common-tests.inc # Check ssl turned on ---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER +--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER SHOW STATUS LIKE 'Ssl_cipher'; connection default; diff -up mysql-8.0.3-rc/mysys_ssl/my_aes_openssl.cc.p71 mysql-8.0.3-rc/mysys_ssl/my_aes_openssl.cc --- mysql-8.0.3-rc/mysys_ssl/my_aes_openssl.cc.p71 2017-09-19 13:33:50.000000000 +0200 +++ mysql-8.0.3-rc/mysys_ssl/my_aes_openssl.cc 2017-12-09 20:33:12.020893250 +0100 @@ -126,7 +126,7 @@ int my_aes_encrypt(const unsigned char * enum my_aes_opmode mode, const unsigned char *iv, bool padding) { - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); const EVP_CIPHER *cipher= aes_evp_type(mode); int u_len, f_len; /* The real key to be used for encryption */ @@ -136,23 +136,23 @@ int my_aes_encrypt(const unsigned char * if (!cipher || (EVP_CIPHER_iv_length(cipher) > 0 && !iv)) return MY_AES_BAD_DATA; - if (!EVP_EncryptInit(&ctx, cipher, rkey, iv)) + if (!EVP_EncryptInit(ctx, cipher, rkey, iv)) goto aes_error; /* Error */ - if (!EVP_CIPHER_CTX_set_padding(&ctx, padding)) + if (!EVP_CIPHER_CTX_set_padding(ctx, padding)) goto aes_error; /* Error */ - if (!EVP_EncryptUpdate(&ctx, dest, &u_len, source, source_length)) + if (!EVP_EncryptUpdate(ctx, dest, &u_len, source, source_length)) goto aes_error; /* Error */ - if (!EVP_EncryptFinal(&ctx, dest + u_len, &f_len)) + if (!EVP_EncryptFinal(ctx, dest + u_len, &f_len)) goto aes_error; /* Error */ - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); return u_len + f_len; aes_error: /* need to explicitly clean up the error if we want to ignore it */ ERR_clear_error(); - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); return MY_AES_BAD_DATA; } 
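Review bot: In my_aes_encrypt, `EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();` is never checked for NULL, and the existing `return MY_AES_BAD_DATA;` after the cipher/IV validation now returns without freeing the context, so every rejected call leaks one allocation. Declaring `EVP_CIPHER_CTX *ctx;` at the top and allocating only after the validation, with `ctx= EVP_CIPHER_CTX_new();` followed by `if (!ctx) return MY_AES_BAD_DATA;`, closes both gaps. my_aes_decrypt has the same two problems in its hunks. The function bodies start outside the hunks, so the error code to return on allocation failure should be confirmed against the rest of the file.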
@@ -164,7 +164,7 @@ int my_aes_decrypt(const unsigned char * bool padding) { - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); const EVP_CIPHER *cipher= aes_evp_type(mode); int u_len, f_len; @@ -175,24 +175,22 @@ int my_aes_decrypt(const unsigned char * if (!cipher || (EVP_CIPHER_iv_length(cipher) > 0 && !iv)) return MY_AES_BAD_DATA; - EVP_CIPHER_CTX_init(&ctx); - - if (!EVP_DecryptInit(&ctx, aes_evp_type(mode), rkey, iv)) + if (!EVP_DecryptInit(ctx, aes_evp_type(mode), rkey, iv)) goto aes_error; /* Error */ - if (!EVP_CIPHER_CTX_set_padding(&ctx, padding)) + if (!EVP_CIPHER_CTX_set_padding(ctx, padding)) goto aes_error; /* Error */ - if (!EVP_DecryptUpdate(&ctx, dest, &u_len, source, source_length)) + if (!EVP_DecryptUpdate(ctx, dest, &u_len, source, source_length)) goto aes_error; /* Error */ - if (!EVP_DecryptFinal_ex(&ctx, dest + u_len, &f_len)) + if (!EVP_DecryptFinal_ex(ctx, dest + u_len, &f_len)) goto aes_error; /* Error */ - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); return u_len + f_len; aes_error: /* need to explicitly clean up the error if we want to ignore it */ ERR_clear_error(); - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); return MY_AES_BAD_DATA; } diff -up mysql-8.0.3-rc/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c.p71 mysql-8.0.3-rc/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c --- mysql-8.0.3-rc/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c.p71 2017-09-19 13:33:50.000000000 +0200 +++ mysql-8.0.3-rc/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c 2017-12-09 20:33:12.020893250 +0100 
@@ -136,13 +136,19 @@ static unsigned char dh2048_g[] = { }; static DH *get_dh2048(void) { - DH *dh; - if ((dh = DH_new())) { - dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL); - dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL); - if (!dh->p || !dh->g) { + DH *dh = DH_new(); + BIGNUM *dhp_bn, *dhg_bn; + if (dh != NULL) + { + dhp_bn = BN_bin2bn(dh2048_p, sizeof (dh2048_p), NULL); + dhg_bn = BN_bin2bn(dh2048_g, sizeof (dh2048_g), NULL); + if (dhp_bn == NULL || dhg_bn == NULL + || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) + { DH_free(dh); - dh = 0; + BN_free(dhp_bn); + BN_free(dhg_bn); + dh=0; } } return (dh); diff -up mysql-8.0.3-rc/sql/auth/sha2_password_common.cc.p71 mysql-8.0.3-rc/sql/auth/sha2_password_common.cc --- mysql-8.0.3-rc/sql/auth/sha2_password_common.cc.p71 2017-12-09 20:38:51.027296624 +0100 +++ mysql-8.0.3-rc/sql/auth/sha2_password_common.cc 2017-12-09 20:39:09.490427669 +0100 @@ -102,7 +102,7 @@ namespace sha2_password } #ifndef HAVE_YASSL m_ok= EVP_DigestFinal_ex(md_context, m_digest, NULL); - EVP_MD_CTX_cleanup(md_context); + EVP_MD_CTX_free(md_context); #else md_context->Final((TaoCrypt::byte *)m_digest); #endif // !HAVE_YASSL @@ -134,7 +134,7 @@ namespace sha2_password DBUG_ENTER("SHA256_digest::init"); m_ok= false; #ifndef HAVE_YASSL - md_context= EVP_MD_CTX_create(); + md_context= EVP_MD_CTX_new(); if (!md_context) { DBUG_PRINT("info", ("Failed to create digest context")); @@ -145,7 +145,7 @@ namespace sha2_password if (!m_ok) { - EVP_MD_CTX_destroy(md_context); + EVP_MD_CTX_free(md_context); md_context= NULL; DBUG_PRINT("info", ("Failed to initialize digest context")); } 
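Review bot: `DH_set0_pqg` is called unconditionally in get_dh2048, and it exists only from OpenSSL 1.1.0 on, so this no longer builds against 1.0.x unless a version guard or compat shim is added somewhere outside this hunk; the identical change in vio/viosslfactories.cc has the same property. The cleanup order is correct but not obvious, so I would add a comment above the failure branch such as `/* DH_set0_pqg takes ownership of the BIGNUMs only on success; on failure they are still ours to free. */`.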
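Review bot: In sql/auth/sha2_password_common.cc, replacing `EVP_MD_CTX_cleanup(md_context);` with `EVP_MD_CTX_free(md_context);` after `EVP_DigestFinal_ex` turns a reset into a release: the old call left the context allocated, the new one frees it and leaves `md_context` pointing at freed memory. The later hunk at -173 still runs `if (md_context) EVP_MD_CTX_free(md_context);`, which would then free the context a second time, and any reuse of the object after finalisation would touch freed memory. The 1.1 counterpart of cleanup is `EVP_MD_CTX_reset(md_context);`. The enclosing functions start and end outside the hunks, so please confirm that no path already clears the pointer.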
@@ -173,7 +173,7 @@ namespace sha2_password { if (md_context) #ifndef HAVE_YASSL - EVP_MD_CTX_destroy(md_context); + EVP_MD_CTX_free(md_context); #else delete md_context; #endif // !HAVE_YASSL diff -up mysql-8.0.3-rc/sql-common/client.cc.p71 mysql-8.0.3-rc/sql-common/client.cc --- mysql-8.0.3-rc/sql-common/client.cc.p71 2017-09-19 13:33:50.000000000 +0200 +++ mysql-8.0.3-rc/sql-common/client.cc 2017-12-09 20:33:12.021893257 +0100 @@ -2870,7 +2870,7 @@ static int ssl_verify_server_cert(Vio *v goto error; } - cn= (char *) ASN1_STRING_data(cn_asn1); + cn= (char *) ASN1_STRING_get0_data(cn_asn1); // There should not be any NULL embedded in the CN if ((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn)) diff -up mysql-8.0.3-rc/sql/mysqld.cc.p71 mysql-8.0.3-rc/sql/mysqld.cc --- mysql-8.0.3-rc/sql/mysqld.cc.p71 2017-09-19 13:33:50.000000000 +0200 +++ mysql-8.0.3-rc/sql/mysqld.cc 2017-12-09 20:33:12.023893271 +0100 @@ -3993,7 +3993,7 @@ static void init_ssl() { #ifdef HAVE_OPENSSL #ifndef HAVE_YASSL - CRYPTO_malloc_init(); + OPENSSL_malloc_init(); #endif ssl_start(); #endif diff -up mysql-8.0.3-rc/vio/viosslfactories.cc.p71 mysql-8.0.3-rc/vio/viosslfactories.cc --- mysql-8.0.3-rc/vio/viosslfactories.cc.p71 2017-12-09 20:33:12.014893207 +0100 +++ mysql-8.0.3-rc/vio/viosslfactories.cc 2017-12-09 20:33:12.023893271 +0100 @@ -122,14 +122,19 @@ static unsigned char dh2048_g[]={ static DH *get_dh2048(void) { - DH *dh; - if ((dh=DH_new())) + DH *dh = DH_new(); + BIGNUM *dhp_bn, *dhg_bn; + + if (dh != NULL) { - dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); - dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); - if (! dh->p || ! dh->g) + dhp_bn = BN_bin2bn(dh2048_p, sizeof (dh2048_p), NULL); + dhg_bn = BN_bin2bn(dh2048_g, sizeof (dh2048_g), NULL); + if (dhp_bn == NULL || dhg_bn == NULL + || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { DH_free(dh); + BN_free(dhp_bn); + BN_free(dhg_bn); dh=0; } } 
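Review bot: In sql-common/client.cc, `cn= (char *) ASN1_STRING_get0_data(cn_asn1);` casts away the const that the new accessor adds; `ASN1_STRING_get0_data` returns `const unsigned char *` because the buffer belongs to the certificate object. If `cn` is only read, as the `strlen(cn)` check below it suggests, declare it `const char *` and use `cn= reinterpret_cast<const char *>(ASN1_STRING_get0_data(cn_asn1));`. The declaration of `cn` and its later uses are outside this hunk.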
@@ -423,9 +428,7 @@ void ssl_start() { ssl_initialized= TRUE; - SSL_library_init(); - OpenSSL_add_all_algorithms(); - SSL_load_error_strings(); + OPENSSL_init_ssl(0, NULL); #ifndef HAVE_YASSL init_ssl_locks();
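Review bot: The return value of `OPENSSL_init_ssl(0, NULL);` is dropped although `ssl_initialized` has already been set to TRUE, so a failed library initialisation would go unnoticed and never be retried. The calls it replaces had no meaningful failure result, but this one returns 0 on error; something like `if (!OPENSSL_init_ssl(0, NULL)) ssl_initialized= FALSE;` (plus whatever logging the file uses) would at least keep the flag honest. It is also worth checking whether `init_ssl_locks()` is still needed, since OpenSSL 1.1 handles its own locking. ssl_start continues past the end of the hunk.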