MDEV-6975 Implement TLS protocol

change SSL methods to be SSLv23 (according to openssl manpage: "A TLS/SSL connection established with these methods may understand the SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols") from TLSv1 methods, that go back to the initial SSL implementation in MySQL in 2001. OpenSSL default ciphers are different if TLSv1.2 is enabled, so tests need to take this into account.
2014-11-18 17:57:06 +01:00 · 2014-11-18 17:57:06 +01:00 · cb8f837a3d
commit cb8f837a3d
parent 386e2e52f6
10 changed files with 107 additions and 3 deletions
--- a/mysql-test/mysql-test-run.pl
+++ b/mysql-test/mysql-test-run.pl
@ -4801,6 +4801,8 @@ sub extract_warning_lines ($$) {
     qr|feedback plugin: failed to retrieve the MAC address|,
     qr|Plugin 'FEEDBACK' init function returned error|,
     qr|Plugin 'FEEDBACK' registration as a INFORMATION SCHEMA failed|,
+     qr|Failed to setup SSL|,
+     qr|SSL error: Failed to set ciphers to use|,
    );

  my $matched_lines= [];
--- a/mysql-test/r/openssl-poodle_6975,sslv3.result
+++ b/mysql-test/r/openssl-poodle_6975,sslv3.result
@ -0,0 +1,25 @@
+grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
+grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
+TLS1.2 ciphers: user is ok with any cipher
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+SSLv3 ciphers: user is ok with any cipher
+Variable_name	Value
+Ssl_cipher	RC4-SHA
+Variable_name	Value
+Ssl_cipher	DHE-RSA-AES256-SHA
+SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA
+Variable_name	Value
+Ssl_cipher	RC4-SHA
+ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
+SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256
+ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
+ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
+drop user ssl_sslv3@localhost;
+drop user ssl_tls12@localhost;
--- a/mysql-test/r/openssl-poodle_6975,tlsv12.result
+++ b/mysql-test/r/openssl-poodle_6975,tlsv12.result
@ -0,0 +1,25 @@
+grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
+grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
+TLS1.2 ciphers: user is ok with any cipher
+Variable_name	Value
+Ssl_cipher	AES128-SHA256
+Variable_name	Value
+Ssl_cipher	DHE-RSA-AES256-GCM-SHA384
+TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA
+ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
+ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
+TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256
+Variable_name	Value
+Ssl_cipher	AES128-SHA256
+ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
+SSLv3 ciphers: user is ok with any cipher
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+drop user ssl_sslv3@localhost;
+drop user ssl_tls12@localhost;
--- a/mysql-test/t/openssl-poodle_6975.combinations
+++ b/mysql-test/t/openssl-poodle_6975.combinations
@ -0,0 +1,6 @@
+[tlsv12]
+loose-ssl-cipher=TLSv1.2
+
+[sslv3]
+loose-ssl-cipher=SSLv3
+
--- a/mysql-test/t/openssl-poodle_6975.test
+++ b/mysql-test/t/openssl-poodle_6975.test
@ -0,0 +1,38 @@
+#
+# MDEV-6975 Implement TLS protocol
+#
+# test SSLv3 and TLSv1.2 ciphers when OpenSSL is restricted to SSLv3 or TLSv1.2
+#
+source include/have_ssl_communication.inc;
+
+# this is OpenSSL test.
+
+grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
+grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
+
+let $mysql=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
+
+disable_abort_on_error;
+echo TLS1.2 ciphers: user is ok with any cipher;
+exec $mysql                  --ssl-cipher=AES128-SHA256;
+exec $mysql                  --ssl-cipher=TLSv1.2;
+echo TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA;
+exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA256;
+exec $mysql --user ssl_sslv3 --ssl-cipher=TLSv1.2;
+echo TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
+exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA256;
+exec $mysql --user ssl_tls12 --ssl-cipher=TLSv1.2;
+
+echo SSLv3 ciphers: user is ok with any cipher;
+exec $mysql                  --ssl-cipher=RC4-SHA;
+exec $mysql                  --ssl-cipher=SSLv3;
+echo SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA;
+exec $mysql --user ssl_sslv3 --ssl-cipher=RC4-SHA;
+exec $mysql --user ssl_sslv3 --ssl-cipher=SSLv3;
+echo SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
+exec $mysql --user ssl_tls12 --ssl-cipher=RC4-SHA;
+exec $mysql --user ssl_tls12 --ssl-cipher=SSLv3;
+
+drop user ssl_sslv3@localhost;
+drop user ssl_tls12@localhost;
+
--- a/mysql-test/t/openssl_1.test
+++ b/mysql-test/t/openssl_1.test
@ -132,6 +132,7 @@ drop table t1;
 # verification of servers certificate by setting both ca certificate
 # and ca path to NULL
 #
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 --exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
 --echo End of 5.0 tests

@ -258,6 +259,7 @@ select 'is still running; no cipher request crashed the server' as result from d
 GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509;
 FLUSH PRIVILEGES;
 connect(con1,localhost,bug42158,,,,,SSL);
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';
 disconnect con1;
 connection default;
--- a/mysql-test/t/ssl.test
+++ b/mysql-test/t/ssl.test
@ -11,12 +11,14 @@
 connect (ssl_con,localhost,root,,,,,SSL);

 # Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';

 # Source select test case
 -- source include/common-tests.inc

 # Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';

 connection default;
--- a/mysql-test/t/ssl_8k_key-master.opt
+++ b/mysql-test/t/ssl_8k_key-master.opt
@ -1 +1,3 @@
--loose-ssl-key=$MYSQL_TEST_DIR/std_data/server8k-key.pem --loose-ssl-cert=$MYSQL_TEST_DIR/std_data/server8k-cert.pem
+--loose-ssl-key=$MYSQL_TEST_DIR/std_data/server8k-key.pem
+--loose-ssl-cert=$MYSQL_TEST_DIR/std_data/server8k-cert.pem
+--loose-ssl-cipher=DHE-RSA-AES256-SHA
--- a/mysql-test/t/ssl_compress.test
+++ b/mysql-test/t/ssl_compress.test
@ -11,6 +11,7 @@
 connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS);

 # Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';

 # Check compression turned on
@ -20,6 +21,7 @@ SHOW STATUS LIKE 'Compression';
 -- source include/common-tests.inc

 # Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';

 # Check compression turned on
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@ -190,8 +190,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
    DBUG_RETURN(0);

  if (!(ssl_fd->ssl_context= SSL_CTX_new(is_client_method ? 
-                                         TLSv1_client_method() :
-                                         TLSv1_server_method())))
+                                         SSLv23_client_method() :
+                                         SSLv23_server_method())))
  {
    *error= SSL_INITERR_MEMFAIL;
    DBUG_PRINT("error", ("%s", sslGetErrString(*error)));