MDEV-6975 Implement TLS protocol

Change the SSL methods from the TLSv1 methods, which go back to the
initial SSL implementation in MySQL in 2001, to the SSLv23 methods
(according to the openssl manpage: "A TLS/SSL connection established
with these methods may understand the SSLv2, SSLv3, TLSv1, TLSv1.1
and TLSv1.2 protocols").

OpenSSL default ciphers are different if TLSv1.2 is enabled,
so tests need to take this into account.
Sergei Golubchik 2014-11-18 17:57:06 +01:00
parent 386e2e52f6
commit cb8f837a3d
10 changed files with 107 additions and 3 deletions


@ -4801,6 +4801,8 @@ sub extract_warning_lines ($$) {
qr|feedback plugin: failed to retrieve the MAC address|, qr|feedback plugin: failed to retrieve the MAC address|,
qr|Plugin 'FEEDBACK' init function returned error|, qr|Plugin 'FEEDBACK' init function returned error|,
qr|Plugin 'FEEDBACK' registration as a INFORMATION SCHEMA failed|, qr|Plugin 'FEEDBACK' registration as a INFORMATION SCHEMA failed|,
qr|Failed to setup SSL|,
qr|SSL error: Failed to set ciphers to use|,
); );
my $matched_lines= []; my $matched_lines= [];
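Review bot: The two patterns added at `qr|Failed to setup SSL|` and `qr|SSL error: Failed to set ciphers to use|` go into the global list that extract_warning_lines applies to every test's error log, so a server that silently fails TLS setup in any unrelated test will no longer be reported. These messages appear to be expected only from the new combinations test, where `loose-ssl-cipher=SSLv3` can be rejected by an OpenSSL build that lacks those ciphers, so the suppression belongs in that test, e.g. `call mtr.add_suppression("Failed to setup SSL");` and the same for the cipher message, rather than in the global list. If the global entries are kept, a comment naming the test that needs them would stop the next reader from treating SSL setup failures as noise. extract_warning_lines starts before this hunk.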


@ -0,0 +1,25 @@
grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
TLS1.2 ciphers: user is ok with any cipher
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
SSLv3 ciphers: user is ok with any cipher
Variable_name Value
Ssl_cipher RC4-SHA
Variable_name Value
Ssl_cipher DHE-RSA-AES256-SHA
SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA
Variable_name Value
Ssl_cipher RC4-SHA
ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256
ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
drop user ssl_sslv3@localhost;
drop user ssl_tls12@localhost;


@ -0,0 +1,25 @@
grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
TLS1.2 ciphers: user is ok with any cipher
Variable_name Value
Ssl_cipher AES128-SHA256
Variable_name Value
Ssl_cipher DHE-RSA-AES256-GCM-SHA384
TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA
ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256
Variable_name Value
Ssl_cipher AES128-SHA256
ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
SSLv3 ciphers: user is ok with any cipher
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
drop user ssl_sslv3@localhost;
drop user ssl_tls12@localhost;


@ -0,0 +1,6 @@
[tlsv12]
loose-ssl-cipher=TLSv1.2
[sslv3]
loose-ssl-cipher=SSLv3


@ -0,0 +1,38 @@
#
# MDEV-6975 Implement TLS protocol
#
# test SSLv3 and TLSv1.2 ciphers when OpenSSL is restricted to SSLv3 or TLSv1.2
#
source include/have_ssl_communication.inc;
# this is OpenSSL test.
grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
let $mysql=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
disable_abort_on_error;
echo TLS1.2 ciphers: user is ok with any cipher;
exec $mysql --ssl-cipher=AES128-SHA256;
exec $mysql --ssl-cipher=TLSv1.2;
echo TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA;
exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA256;
exec $mysql --user ssl_sslv3 --ssl-cipher=TLSv1.2;
echo TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA256;
exec $mysql --user ssl_tls12 --ssl-cipher=TLSv1.2;
echo SSLv3 ciphers: user is ok with any cipher;
exec $mysql --ssl-cipher=RC4-SHA;
exec $mysql --ssl-cipher=SSLv3;
echo SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA;
exec $mysql --user ssl_sslv3 --ssl-cipher=RC4-SHA;
exec $mysql --user ssl_sslv3 --ssl-cipher=SSLv3;
echo SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
exec $mysql --user ssl_tls12 --ssl-cipher=RC4-SHA;
exec $mysql --user ssl_tls12 --ssl-cipher=SSLv3;
drop user ssl_sslv3@localhost;
drop user ssl_tls12@localhost;
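Review bot: The two expected-result files above pin the exact OpenSSL failure text `error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure`, which is specific to the OpenSSL version the results were recorded with, so the test will start failing on a build whose client library reports the same handshake failure under a different reason code or function name. A `--replace_regex` before the `exec $mysql` lines that collapses the library detail to a stable marker (a sketch: `--replace_regex /error:[0-9A-Fa-f]+:SSL routines:[^:]*:/error:XXX:SSL routines:XXX:/`) would make the expectation about the outcome, connection refused versus cipher negotiated, rather than about a library string. The comment `# this is OpenSSL test.` also records a precondition the file does not enforce: as far as I can tell `have_ssl_communication.inc` is satisfied by a YaSSL build too, and YaSSL does not understand the `TLSv1.2` / `SSLv3` cipher-list aliases used here, so the test should skip explicitly when the server is not linked against OpenSSL.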


@ -132,6 +132,7 @@ drop table t1;
# verification of servers certificate by setting both ca certificate # verification of servers certificate by setting both ca certificate
# and ca path to NULL # and ca path to NULL
# #
--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1 --exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
--echo End of 5.0 tests --echo End of 5.0 tests
@ -258,6 +259,7 @@ select 'is still running; no cipher request crashed the server' as result from d
GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509; GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509;
FLUSH PRIVILEGES; FLUSH PRIVILEGES;
connect(con1,localhost,bug42158,,,,,SSL); connect(con1,localhost,bug42158,,,,,SSL);
--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
SHOW STATUS LIKE 'Ssl_cipher'; SHOW STATUS LIKE 'Ssl_cipher';
disconnect con1; disconnect con1;
connection default; connection default;
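Review bot: `--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA` before each `SHOW STATUS LIKE 'Ssl_cipher'` only normalizes one specific cipher name, so the expected output still depends on the default preference list of whatever OpenSSL the server was built against, and the next library that prefers an ECDHE or ChaCha suite breaks these tests again. The same pattern is repeated in the two following file sections (the `connect (ssl_con, ...)` and `connect (ssl_compress_con, ...)` tests). Pinning the server cipher in the test's .opt file, as this commit already does elsewhere with `--loose-ssl-cipher=DHE-RSA-AES256-SHA`, or normalizing the value with `--replace_regex /DHE-RSA-AES256-[A-Z0-9-]+/DHE-RSA-AES256-SHA/` (a sketch), would remove the dependence on the library's ordering. The surrounding test continues outside both hunks.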


@ -11,12 +11,14 @@
connect (ssl_con,localhost,root,,,,,SSL); connect (ssl_con,localhost,root,,,,,SSL);
# Check ssl turned on # Check ssl turned on
--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
SHOW STATUS LIKE 'Ssl_cipher'; SHOW STATUS LIKE 'Ssl_cipher';
# Source select test case # Source select test case
-- source include/common-tests.inc -- source include/common-tests.inc
# Check ssl turned on # Check ssl turned on
--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
SHOW STATUS LIKE 'Ssl_cipher'; SHOW STATUS LIKE 'Ssl_cipher';
connection default; connection default;


@ -1 +1,3 @@
--loose-ssl-key=$MYSQL_TEST_DIR/std_data/server8k-key.pem --loose-ssl-cert=$MYSQL_TEST_DIR/std_data/server8k-cert.pem --loose-ssl-key=$MYSQL_TEST_DIR/std_data/server8k-key.pem
--loose-ssl-cert=$MYSQL_TEST_DIR/std_data/server8k-cert.pem
--loose-ssl-cipher=DHE-RSA-AES256-SHA


@ -11,6 +11,7 @@
connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS); connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS);
# Check ssl turned on # Check ssl turned on
--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
SHOW STATUS LIKE 'Ssl_cipher'; SHOW STATUS LIKE 'Ssl_cipher';
# Check compression turned on # Check compression turned on
@ -20,6 +21,7 @@ SHOW STATUS LIKE 'Compression';
-- source include/common-tests.inc -- source include/common-tests.inc
# Check ssl turned on # Check ssl turned on
--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
SHOW STATUS LIKE 'Ssl_cipher'; SHOW STATUS LIKE 'Ssl_cipher';
# Check compression turned on # Check compression turned on


@ -190,8 +190,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
DBUG_RETURN(0); DBUG_RETURN(0);
if (!(ssl_fd->ssl_context= SSL_CTX_new(is_client_method ? if (!(ssl_fd->ssl_context= SSL_CTX_new(is_client_method ?
TLSv1_client_method() : SSLv23_client_method() :
TLSv1_server_method()))) SSLv23_server_method())))
{ {
*error= SSL_INITERR_MEMFAIL; *error= SSL_INITERR_MEMFAIL;
DBUG_PRINT("error", ("%s", sslGetErrString(*error))); DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
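Review bot: Switching to `SSLv23_client_method()` / `SSLv23_server_method()` lets the context negotiate any protocol the OpenSSL build supports, including SSLv3 and, on builds that still ship it, SSLv2, unless the options are restricted elsewhere; this hunk shows no `SSL_CTX_set_options` call and the rest of new_VioSSLFd lies outside it, so it is worth confirming that `SSL_CTX_set_options(ssl_fd->ssl_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` follows the `SSL_CTX_new` call. Without it the change moves the server from accepting exactly TLSv1.0 to accepting whatever the peer offers, and SSLv3 is the protocol the POODLE attack was published against about a month before this commit's date. Note that the new combinations test expects `--ssl-cipher=SSLv3` and `RC4-SHA` to succeed under the `[sslv3]` combination, so disabling SSLv3 here would need that expectation changed as well.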