Skip to content
Snippets Groups Projects
Commit 9c60535f authored by Sergei Golubchik's avatar Sergei Golubchik
Browse files

SSL test fixes

* fix CRL tests to work
* regenerate certificates to be at least 2048 bit
  (fixes buster and rhel8 in buildbot)
* update generate-ssl-cert.sh to generate crl files
* make all SSL tests to use certificates generated
  in generate-ssl-cert.sh, remove unused certificates
parent eff7f9be
Branches
Tags mariadb-10.4.2
No related merge requests found
Showing
with 63 additions and 221 deletions
-- source include/have_ssl_communication.inc if (`SELECT count(*) = 0 FROM information_schema.GLOBAL_VARIABLES WHERE
let $crllen=`select length(trim(coalesce(@@ssl_crl, ''))) + length(trim(coalesce(@@ssl_crlpath, '')))`; VARIABLE_NAME = 'have_openssl' AND VARIABLE_VALUE = 'YES'`){
if (!$crllen)
{
skip Needs OpenSSL; skip Needs OpenSSL;
} }
...@@ -10,35 +10,49 @@ rm -rf demoCA ...@@ -10,35 +10,49 @@ rm -rf demoCA
mkdir demoCA demoCA/newcerts mkdir demoCA demoCA/newcerts
touch demoCA/index.txt touch demoCA/index.txt
echo 01 > demoCA/serial echo 01 > demoCA/serial
echo 01 > demoCA/crlnumber
# CA certificate, self-signed # CA certificate, self-signed
openssl req -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem -days 7300 -nodes -subj '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' -text openssl req -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem -days 7300 -nodes -subj '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' -text
# server certificate signing request and private key. Note the very long subject (for MDEV-7859) # server certificate signing request and private key. Note the very long subject (for MDEV-7859)
openssl req -newkey rsa:1024 -keyout server-key.pem -out demoCA/server-req.pem -days 7300 -nodes -subj '/CN=localhost/C=FI/ST=state or province within country, in other certificates in this file it is the same as L/L=location, usually an address but often ambiguously used/OU=organizational unit name, a division name within an organization/O=organization name, typically a company name' openssl req -newkey rsa:2048 -keyout server-key.pem -out demoCA/server-req.pem -days 7300 -nodes -subj '/CN=localhost/C=FI/ST=state or province within country, in other certificates in this file it is the same as L/L=location, usually an address but often ambiguously used/OU=organizational unit name, a division name within an organization/O=organization name, typically a company name'
# convert the key to yassl compatible format # convert the key to yassl compatible format
openssl rsa -in server-key.pem -out server-key.pem openssl rsa -in server-key.pem -out server-key.pem
# sign the server certificate with CA certificate # sign the server certificate with CA certificate
openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server-cert.pem -infiles demoCA/server-req.pem openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server-cert.pem -in demoCA/server-req.pem
# Certificate with different validity period (MDEV-7598) # server certificate with different validity period (MDEV-7598)
openssl req -newkey rsa:1024 -keyout server-new-key.pem -out demoCA/server-new-req.pem -days 7301 -nodes -subj '/CN=server-new/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' openssl req -newkey rsa:2048 -keyout server-new-key.pem -out demoCA/server-new-req.pem -days 7301 -nodes -subj '/CN=server-new/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
openssl rsa -in server-new-key.pem -out server-new-key.pem openssl rsa -in server-new-key.pem -out server-new-key.pem
openssl ca -keyfile cakey.pem -days 7301 -batch -cert cacert.pem -policy policy_anything -out server-new-cert.pem -infiles demoCA/server-new-req.pem openssl ca -keyfile cakey.pem -days 7301 -batch -cert cacert.pem -policy policy_anything -out server-new-cert.pem -in demoCA/server-new-req.pem
# 8K cert
openssl req -newkey rsa:8192 -keyout server8k-key.pem -out demoCA/server8k-req.pem -days 7300 -nodes -subj '/CN=server8k/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' openssl req -newkey rsa:8192 -keyout server8k-key.pem -out demoCA/server8k-req.pem -days 7300 -nodes -subj '/CN=server8k/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
openssl rsa -in server8k-key.pem -out server8k-key.pem openssl rsa -in server8k-key.pem -out server8k-key.pem
openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server8k-cert.pem -infiles demoCA/server8k-req.pem openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server8k-cert.pem -in demoCA/server8k-req.pem
openssl req -newkey rsa:1024 -keyout client-key.pem -out demoCA/client-req.pem -days 7300 -nodes -subj '/CN=client/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
openssl rsa -in client-key.pem -out client-key.pem
openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out client-cert.pem -infiles demoCA/client-req.pem
# with SubjectAltName, only for OpenSSL 1.0.2+ # with SubjectAltName, only for OpenSSL 1.0.2+
cat > demoCA/sanext.conf <<EOF cat > demoCA/sanext.conf <<EOF
subjectAltName=DNS:localhost subjectAltName=DNS:localhost
EOF EOF
openssl req -newkey rsa:1024 -keyout serversan-key.pem -out demoCA/serversan-req.pem -days 7300 -nodes -subj '/CN=server/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' openssl req -newkey rsa:2048 -keyout serversan-key.pem -out demoCA/serversan-req.pem -days 7300 -nodes -subj '/CN=server/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
openssl ca -keyfile cakey.pem -extfile demoCA/sanext.conf -days 7300 -batch -cert cacert.pem -policy policy_anything -out serversan-cert.pem -infiles demoCA/serversan-req.pem openssl ca -keyfile cakey.pem -extfile demoCA/sanext.conf -days 7300 -batch -cert cacert.pem -policy policy_anything -out serversan-cert.pem -in demoCA/serversan-req.pem
# client cert
openssl req -newkey rsa:2048 -keyout client-key.pem -out demoCA/client-req.pem -days 7300 -nodes -subj '/CN=client/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
openssl rsa -in client-key.pem -out client-key.pem
openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out client-cert.pem -in demoCA/client-req.pem
# generate crls
openssl ca -revoke server-cert.pem -keyfile cakey.pem -batch -cert cacert.pem
openssl ca -gencrl -keyfile cakey.pem -crldays 7300 -batch -cert cacert.pem -out server-cert.crl
# we only want to have one certificate per CRL. Un-revoke server-cert.crl
cp demoCA/index.txt.old demoCA/index.txt
openssl ca -revoke client-cert.pem -keyfile cakey.pem -batch -cert cacert.pem
openssl ca -gencrl -keyfile cakey.pem -crldays 7300 -batch -cert cacert.pem -out client-cert.crl
rm -fv crldir/*
cp -v client-cert.crl crldir/`openssl x509 -in client-cert.pem -noout -issuer_hash`.r0
rm -rf demoCA rm -rf demoCA
...@@ -14,9 +14,6 @@ events_time_zone : Test is not predictable as it depends on precise timi ...@@ -14,9 +14,6 @@ events_time_zone : Test is not predictable as it depends on precise timi
read_many_rows_innodb : Bug#11748886 2010-11-15 mattiasj report already exists read_many_rows_innodb : Bug#11748886 2010-11-15 mattiasj report already exists
mysql_embedded : Bug#12561297 2011-05-14 Anitha Dependent on PB2 changes - eventum#41836 mysql_embedded : Bug#12561297 2011-05-14 Anitha Dependent on PB2 changes - eventum#41836
#show_explain : Psergey: random timeout in range-checked-for-each record query. #show_explain : Psergey: random timeout in range-checked-for-each record query.
ssl_crl_clients_valid : broken upstream
ssl_crl : broken upstream
ssl_crl_clrpath : broken upstream
innodb-wl5522-debug-zip : broken upstream innodb-wl5522-debug-zip : broken upstream
innodb_bug12902967 : broken upstream innodb_bug12902967 : broken upstream
file_contents : MDEV-6526 these files are not installed anymore file_contents : MDEV-6526 these files are not installed anymore
......
# try logging in with a certificate in the server's --ssl-crl : should fail
...@@ -4,10 +4,10 @@ have_ssl ...@@ -4,10 +4,10 @@ have_ssl
1 1
SHOW STATUS LIKE 'Ssl_server_not_before'; SHOW STATUS LIKE 'Ssl_server_not_before';
Variable_name Value Variable_name Value
Ssl_server_not_before Apr 25 20:52:21 2017 GMT Ssl_server_not_before Jan 27 10:11:10 2019 GMT
SHOW STATUS LIKE 'Ssl_server_not_after'; SHOW STATUS LIKE 'Ssl_server_not_after';
Variable_name Value Variable_name Value
Ssl_server_not_after Apr 20 20:52:21 2037 GMT Ssl_server_not_after Jan 22 10:11:10 2039 GMT
drop table if exists t1,t2,t3,t4; drop table if exists t1,t2,t3,t4;
CREATE TABLE t1 ( CREATE TABLE t1 (
Period smallint(4) unsigned zerofill DEFAULT '0000' NOT NULL, Period smallint(4) unsigned zerofill DEFAULT '0000' NOT NULL,
......
#T1: Host name (/CN=localhost/) as OU name in the server certificate, server certificate verification should fail.
#T2: Host name (localhost) as common name in the server certificate, server certificate verification should pass.
Variable_name Value
Ssl_version TLS_VERSION
# restart server using restart
# Want to skip this test from Valgrind execution
--source include/no_valgrind_without_big.inc
# This test should work in embedded server after we fix mysqltest
-- source include/not_embedded.inc
-- source include/have_ssl_communication.inc
# Save the initial number of concurrent sessions
--source include/count_sessions.inc
let $ssl_verify_fail_path = --ssl --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-verify.pem --ssl-key=$MYSQL_TEST_DIR/std_data/server-key-verify-fail.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/server-cert-verify-fail.pem;
let $ssl_verify_pass_path = --ssl --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-verify.pem --ssl-key=$MYSQL_TEST_DIR/std_data/server-key-verify-pass.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/server-cert-verify-pass.pem;
--echo #T1: Host name (/CN=localhost/) as OU name in the server certificate, server certificate verification should fail.
--exec echo "wait" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--shutdown_server
--source include/wait_until_disconnected.inc
--exec echo "restart:" $ssl_verify_fail_path > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc
--error 1
--exec $MYSQL --protocol=tcp --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-verify.pem --ssl-verify-server-cert -e "SHOW STATUS like 'Ssl_version'"
--echo #T2: Host name (localhost) as common name in the server certificate, server certificate verification should pass.
--exec echo "wait" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--shutdown_server
--source include/wait_until_disconnected.inc
--exec echo "restart:" $ssl_verify_pass_path > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc
--replace_result TLSv1.3 TLS_VERSION TLSv1.2 TLS_VERSION TLSv1.1 TLS_VERSION TLSv1 TLS_VERSION
--exec $MYSQL --protocol=tcp --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-verify.pem --ssl-verify-server-cert -e "SHOW STATUS like 'Ssl_version'"
--echo # restart server using restart
--exec echo "wait" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--shutdown_server
--source include/wait_until_disconnected.inc
--exec echo "restart: " > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc
--ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
--ssl-key=$MYSQL_TEST_DIR/std_data/crl-server-key.pem
--ssl-cert=$MYSQL_TEST_DIR/std_data/crl-server-cert.pem
--ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl
[file]
ssl-crl=$MYSQL_TEST_DIR/std_data/client-cert.crl
[path]
ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir
# test --crl for the client : should connect # try logging in with a certificate not in the server's --ssl-crl : should succeed
Variable_name Value Variable_name Value
have_openssl YES Ssl_version TLS_VERSION
have_ssl YES
ssl_ca MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
ssl_capath
ssl_cert MYSQL_TEST_DIR/std_data/crl-server-cert.pem
ssl_cipher
ssl_crl MYSQL_TEST_DIR/std_data/crl-client-revoked.crl
ssl_crlpath
ssl_key MYSQL_TEST_DIR/std_data/crl-server-key.pem
# test --crlpath for the client : should connect
Variable_name Value
have_openssl YES
have_ssl YES
ssl_ca MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
ssl_capath
ssl_cert MYSQL_TEST_DIR/std_data/crl-server-cert.pem
ssl_cipher
ssl_crl MYSQL_TEST_DIR/std_data/crl-client-revoked.crl
ssl_crlpath
ssl_key MYSQL_TEST_DIR/std_data/crl-server-key.pem
# try logging in with a certificate in the server's --ssl-crl : should fail # try logging in with a certificate in the server's --ssl-crl : should fail
ERROR 2026 (HY000): SSL connection error: sslv3 alert certificate revoked
...@@ -2,15 +2,12 @@ ...@@ -2,15 +2,12 @@
-- source include/not_embedded.inc -- source include/not_embedded.inc
-- source include/have_openssl.inc -- source include/have_openssl.inc
--echo # test --crl for the client : should connect --echo # try logging in with a certificate not in the server's --ssl-crl : should succeed
--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR --replace_result TLSv1.3 TLS_VERSION TLSv1.2 TLS_VERSION TLSv1.1 TLS_VERSION TLSv1 TLS_VERSION
--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-valid-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-valid-cert.pem test --ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl -e "SHOW VARIABLES like '%ssl%';" --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/server-new-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/server-new-cert.pem test -e "SHOW STATUS LIKE 'Ssl_version'"
--echo # test --crlpath for the client : should connect
--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-valid-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-valid-cert.pem --ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir test -e "SHOW VARIABLES like '%ssl%';"
--echo # try logging in with a certificate in the server's --ssl-crl : should fail --echo # try logging in with a certificate in the server's --ssl-crl : should fail
--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR # OpenSSL 1.1.1a correctly rejects the certificate, but the error message is wrong
--replace_result "ERROR 2013 (HY000): Lost connection to MySQL server at 'reading authorization packet', system error: 0" "ERROR 2026 (HY000): SSL connection error: sslv3 alert certificate revoked"
--error 1 --error 1
--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW VARIABLES like '%ssl%';" --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_version'" 2>&1
--ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
--ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem
--ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem
--ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl
# Test clients with and without CRL lists
############ Test mysql ##############
# Test mysql connecting to a server with an empty crl
Variable_name Value
have_openssl YES
have_ssl YES
ssl_ca MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
ssl_capath
ssl_cert MYSQL_TEST_DIR/std_data/crl-client-cert.pem
ssl_cipher
ssl_crl
ssl_crlpath
ssl_key MYSQL_TEST_DIR/std_data/crl-client-key.pem
# Test mysql connecting to a server with a certificate revoked by -crl
# Test mysql connecting to a server with a certificate revoked by -crlpath
############ Test mysqladmin ##############
# Test mysqladmin connecting to a server with an empty crl
mysqld is alive
# Test mysqladmin connecting to a server with a certificate revoked by -crl
mysqladmin: connect to server at 'localhost' failed
error: 'SSL connection error: Failed to set ciphers to use'
# Test mysqladmin connecting to a server with a certificate revoked by -crlpath
mysqladmin: connect to server at 'localhost' failed
error: 'SSL connection error: error:00000005:lib(0):func(0):DH lib'
# Test clients with and without CRL lists # Test clients with and without CRL lists
############ Test mysql ############## ############ Test mysql ##############
# Test mysql connecting to a server with a certificate revoked by -crl # Test mysql connecting to a server with a certificate revoked by -crl
ERROR 2026 (HY000): SSL connection error: certificate revoked
# Test mysql connecting to a server with a certificate revoked by -crlpath # Test mysql connecting to a server with a certificate revoked by -crlpath
ERROR 2026 (HY000): SSL connection error: certificate revoked
############ Test mysqladmin ############## ############ Test mysqladmin ##############
# Test mysqladmin connecting to a server with a certificate revoked by -crl # Test mysqladmin connecting to a server with a certificate revoked by -crl
mysqladmin: connect to server at 'localhost' failed
error: 'SSL connection error: certificate revoked'
# Test mysqladmin connecting to a server with a certificate revoked by -crlpath # Test mysqladmin connecting to a server with a certificate revoked by -crlpath
mysqladmin: connect to server at 'localhost' failed
error: 'SSL connection error: certificate revoked'
...@@ -4,38 +4,33 @@ ...@@ -4,38 +4,33 @@
--echo # Test clients with and without CRL lists --echo # Test clients with and without CRL lists
let $ssl_base = --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-server-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-server-cert.pem; let $ssl_base = --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem --ssl-verify-server-cert;
let $ssl_crl = $ssl_base --ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl; let $ssl_crl = $ssl_base --ssl-crl=$MYSQL_TEST_DIR/std_data/server-cert.crl;
let $ssl_crlpath = $ssl_base --ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir; let $ssl_crlpath = $ssl_base --ssl-crlpath=$MYSQL_TMP_DIR;
# See `openssl x509 -in server-cert.pem -noout -issuer_hash`
copy_file $MYSQL_TEST_DIR/std_data/server-cert.crl $MYSQL_TMP_DIR/ed1f42db.r0;
--echo ############ Test mysql ############## --echo ############ Test mysql ##############
--echo # Test mysql connecting to a server with a certificate revoked by -crl --echo # Test mysql connecting to a server with a certificate revoked by -crl
--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
--error 1 --error 1
--exec $MYSQL $ssl_crl test -e "SHOW VARIABLES like '%ssl%';" --exec $MYSQL $ssl_crl test -e "SHOW STATUS LIKE 'Ssl_version'" 2>&1
--echo # Test mysql connecting to a server with a certificate revoked by -crlpath --echo # Test mysql connecting to a server with a certificate revoked by -crlpath
--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
--error 1 --error 1
--exec $MYSQL $ssl_crlpath test -e "SHOW VARIABLES like '%ssl%';" --exec $MYSQL $ssl_crlpath test -e "SHOW STATUS LIKE 'Ssl_version'" 2>&1
--echo ############ Test mysqladmin ############## --echo ############ Test mysqladmin ##############
let $admin_prefix = --no-defaults;
let $admin_suffix = --default-character-set=latin1 -S $MASTER_MYSOCK -P $MASTER_MYPORT -u root --password= ping; let $admin_suffix = --default-character-set=latin1 -S $MASTER_MYSOCK -P $MASTER_MYPORT -u root --password= ping;
--echo # Test mysqladmin connecting to a server with a certificate revoked by -crl --echo # Test mysqladmin connecting to a server with a certificate revoked by -crl
--disable_result_log --replace_regex /.*mysqladmin.*:/mysqladmin:/
--replace_regex /.*mysqladmin.*: connect/mysqladmin: connect/ --error 1
--error 2 --exec $MYSQLADMIN $ssl_crl $admin_suffix 2>&1
--exec $MYSQLADMIN $admin_prefix $ssl_crl $admin_suffix 2>&1
--enable_result_log
--disable_result_log
--echo # Test mysqladmin connecting to a server with a certificate revoked by -crlpath --echo # Test mysqladmin connecting to a server with a certificate revoked by -crlpath
--replace_regex /.*mysqladmin.*: connect/mysqladmin: connect/ --replace_regex /.*mysqladmin.*:/mysqladmin:/
--error 2 --error 1
--exec $MYSQLADMIN $admin_prefix $ssl_crlpath $admin_suffix 2>&1 --exec $MYSQLADMIN $ssl_crlpath $admin_suffix 2>&1
--enable_result_log
--ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
--ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-valid-key.pem
--ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-valid-cert.pem
--ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl
# Test clients with and without CRL lists
############ Test mysql ##############
# Test mysql connecting to a server with an empty crl
Variable_name Value
have_openssl YES
have_ssl YES
ssl_ca MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
ssl_capath
ssl_cert MYSQL_TEST_DIR/std_data/crl-client-valid-cert.pem
ssl_cipher
ssl_crl MYSQL_TEST_DIR/std_data/crl-client-revoked.crl
ssl_crlpath
ssl_key MYSQL_TEST_DIR/std_data/crl-client-valid-key.pem
############ Test mysqladmin ##############
# Test mysqladmin connecting to a server with an empty crl
mysqld is alive
# This test should work in embedded server after we fix mysqltest
-- source include/not_embedded.inc
-- source include/have_openssl.inc
--echo # Test clients with and without CRL lists
let $ssl_base = --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-server-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-server-cert.pem;
let $ssl_crl = $ssl_base --ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl;
let $ssl_crlpath = $ssl_base --ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir;
--echo ############ Test mysql ##############
--echo # Test mysql connecting to a server with an empty crl
--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
--exec $MYSQL $ssl_crl test -e "SHOW VARIABLES like '%ssl%';" 2>&1
--echo ############ Test mysqladmin ##############
let $admin_prefix = --no-defaults;
let $admin_suffix = --default-character-set=latin1 -S $MASTER_MYSOCK -P $MASTER_MYPORT -u root --password= ping;
--echo # Test mysqladmin connecting to a server with an empty crl
--exec $MYSQLADMIN $admin_prefix $ssl_crl $admin_suffix 2>&1
--ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
--ssl-key=$MYSQL_TEST_DIR/std_data/crl-server-key.pem
--ssl-cert=$MYSQL_TEST_DIR/std_data/crl-server-cert.pem
--ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir
# test --crl for the client : should connect
Variable_name Value
have_openssl YES
have_ssl YES
ssl_ca MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
ssl_capath
ssl_cert MYSQL_TEST_DIR/std_data/crl-server-cert.pem
ssl_cipher
ssl_crl
ssl_crlpath MYSQL_TEST_DIR/std_data/crldir
ssl_key MYSQL_TEST_DIR/std_data/crl-server-key.pem
# test --crlpath for the client : should connect
Variable_name Value
have_openssl YES
have_ssl YES
ssl_ca MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
ssl_capath
ssl_cert MYSQL_TEST_DIR/std_data/crl-server-cert.pem
ssl_cipher
ssl_crl
ssl_crlpath MYSQL_TEST_DIR/std_data/crldir
ssl_key MYSQL_TEST_DIR/std_data/crl-server-key.pem
# try logging in with a certificate in the server's --ssl-crlpath : should fail
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment