tests for MDEV-7937: Enforce SSL when --ssl client option is used

* add a test when server certificate is verified successfully
* one test with two combinations (instead of two tests)
* verbose tets: make it print what it is doing
* fix the test to work with yassl and no-ssl builds

mysql-test/include/have_ssl_disabled.inc

@@ -1,4 +0,0 @@
-if (`SELECT COUNT(*) = 0 FROM INFORMATION_SCHEMA.GLOBAL_VARIABLES WHERE VARIABLE_NAME like 'have_ssl' and VARIABLE_VALUE like 'DISABLED'`)
-{
-  --skip Test requires ssl to be disabled.
-}

mysql-test/include/have_ssl_disabled.opt

@@ -1 +0,0 @@
---loose-disable-ssl

mysql-test/r/ssl_7937,nossl.result

@@ -0,0 +1,15 @@
+create procedure have_ssl()
+select if(variable_value > '','yes','no') as 'have_ssl'
+  from information_schema.session_status
+where variable_name='ssl_cipher';
+mysql --ssl-ca=cacert.pem -e "call test.have_ssl()"
+have_ssl
+no
+mysql --ssl -e "call test.have_ssl()"
+have_ssl
+no
+mysql --ssl-ca=cacert.pem --ssl-verify-server-cert -e "call test.have_ssl()"
+ERROR 2026 (HY000): SSL connection error: SSL is required, but the server does not support it
+mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()"
+ERROR 2026 (HY000): SSL connection error: SSL is required, but the server does not support it
+drop procedure have_ssl;

mysql-test/r/ssl_7937.result

@@ -1,9 +1,16 @@
-Variable_name	Value
-Ssl_cipher	DHE-RSA-AES256-GCM-SHA384
-#
-Variable_name	Value
-Ssl_cipher	DHE-RSA-AES256-GCM-SHA384
-#
-ERROR 2026 (HY000): SSL connection error: Failed to verify the server certificate
-#
+create procedure have_ssl()
+select if(variable_value > '','yes','no') as 'have_ssl'
+  from information_schema.session_status
+where variable_name='ssl_cipher';
+mysql --ssl-ca=cacert.pem -e "call test.have_ssl()"
+have_ssl
+yes
+mysql --ssl -e "call test.have_ssl()"
+have_ssl
+yes
+mysql --ssl-ca=cacert.pem --ssl-verify-server-cert -e "call test.have_ssl()"
+have_ssl
+yes
+mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()"
 ERROR 2026 (HY000): SSL connection error: Failed to verify the server certificate
+drop procedure have_ssl;

mysql-test/r/ssl_without_7937.result

@@ -1,6 +0,0 @@
-Variable_name	Value
-Ssl_cipher	
-ERROR 2026 (HY000): SSL connection error: SSL is required, but the server does not support it
-Variable_name	Value
-Ssl_cipher	
-ERROR 2026 (HY000): SSL connection error: SSL is required, but the server does not support it

mysql-test/t/ssl_7937.combinations

@@ -0,0 +1,5 @@
+[ssl]
+--loose-enable-ssl
+
+[nossl]
+--loose-disable-ssl

mysql-test/t/ssl_7937.test

@@ -1,17 +1,35 @@
-source include/have_ssl_communication.inc;
+#
+# MDEV-7937: Enforce SSL when --ssl client option is used
+#
 
-let $mysql_ssl_cert=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
-let $mysql_ssl_no_cert=$MYSQL --ssl -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
-let $mysql_ssl_no_cert_ver=$MYSQL --ssl --ssl-verify-server-cert -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
-let $mysql_ssl_cert_ver=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem --ssl-verify-server-cert -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
+source include/have_ssl_crypto_functs.inc;
 
---exec $mysql_ssl_cert;
---echo #
---exec $mysql_ssl_no_cert;
---echo #
---error 1
---exec $mysql_ssl_no_cert_ver;
---echo #
---error 1
---exec $mysql_ssl_cert_ver;
+# create a procedure instead of SHOW STATUS LIKE 'ssl_cipher'
+# because the cipher depends on openssl (or yassl) version,
+# and it's actual value doesn't matter here anyway
+create procedure have_ssl()
+  select if(variable_value > '','yes','no') as 'have_ssl'
+  from information_schema.session_status
+  where variable_name='ssl_cipher';
 
+--disable_abort_on_error
+--echo mysql --ssl-ca=cacert.pem -e "call test.have_ssl()"
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem -e "call test.have_ssl()" 2>&1
+--echo mysql --ssl -e "call test.have_ssl()"
+--exec $MYSQL --ssl -e "call test.have_ssl()" 2>&1
+--echo mysql --ssl-ca=cacert.pem --ssl-verify-server-cert -e "call test.have_ssl()"
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
+
+--echo mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()"
+# this is the test where certificate verification fails.
+# but yassl doesn't support certificate verification, so
+# we fake the test result for yassl
+let yassl=`select variable_value='Unknown' from information_schema.session_status where variable_name='Ssl_session_cache_mode'`;
+if (!$yassl) {
+  --exec $MYSQL --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
+}
+if ($yassl) {
+  --echo ERROR 2026 (HY000): SSL connection error: Failed to verify the server certificate
+}
+
+drop procedure have_ssl;

mysql-test/t/ssl_without_7937.test

@@ -1,18 +0,0 @@
-source include/have_ssl_disabled.inc;
-
-# SSL not mandatory here.
-let $mysql_ssl_cert=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
-# SSL mandatory with verify server cert
-let $mysql_ssl_cert_ver=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem --ssl_verify_server_cert -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
---exec $mysql_ssl_cert;
---error 1
---exec $mysql_ssl_cert_ver;
-
-# SSL not mandatory again
-let $mysql_no_ssl_but_ver=$MYSQL --ssl_verify_server_cert -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
---exec $mysql_no_ssl_but_ver;
-
-# SSL mandatory but no specifications for ssl parameters
-let $mysql_ssl_no_spec_ver=$MYSQL --ssl --ssl_verify_server_cert -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
---error 1
---exec $mysql_ssl_no_spec_ver