[Commits] Rev 4355: MDEV-6975 Implement TLS protocol in lp:~maria-captains/maria/5.5

Sergei Golubchik serg at mariadb.org
Mon Nov 17 10:43:19 EET 2014


At lp:~maria-captains/maria/5.5

------------------------------------------------------------
revno: 4355
revision-id: sergii at pisem.net-20141111192655-zmnetqcas5zz69g2
parent: sergii at pisem.net-20141111191834-t0ix8homhwsgml0h
fixes bug: https://mariadb.atlassian.net/browse/MDEV-6975
committer: Sergei Golubchik <sergii at pisem.net>
branch nick: 5.5
timestamp: Tue 2014-11-11 20:26:55 +0100
message:
  MDEV-6975 Implement TLS protocol
  
  change SSL methods to be SSLv23 (according to openssl manpage:
  "A TLS/SSL connection established with these methods may understand
  the SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols") from the
  TLSv1 methods, which go back to the initial SSL implementation
  in MySQL in 2001.
  
  OpenSSL default ciphers are different if TLSv1.2 is enabled,
  so tests need to take this into account.
=== modified file 'mysql-test/mysql-test-run.pl'
--- a/mysql-test/mysql-test-run.pl	2014-10-28 11:45:39 +0000
+++ b/mysql-test/mysql-test-run.pl	2014-11-11 19:26:55 +0000
@@ -4801,6 +4801,8 @@ sub extract_warning_lines ($$) {
      qr|feedback plugin: failed to retrieve the MAC address|,
      qr|Plugin 'FEEDBACK' init function returned error|,
      qr|Plugin 'FEEDBACK' registration as a INFORMATION SCHEMA failed|,
+     qr|Failed to setup SSL|,
+     qr|SSL error: Failed to set ciphers to use|,
     );
 
   my $matched_lines= [];
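Review bot: The two new patterns go into the global ignore list of extract_warning_lines, so a genuine "Failed to setup SSL" or cipher-setup failure logged by a server in any other test would also be dropped without a trace. Only the new openssl-poodle_6975 combinations (which restrict the server cipher list) appear to need them, so scoping the suppression to that test with `call mtr.add_suppression("Failed to setup SSL");` and `call mtr.add_suppression("SSL error: Failed to set ciphers to use");` would keep the signal for every other run; if these messages are known to appear in unrelated runs, a comment next to the patterns saying so would justify the global entry. extract_warning_lines starts and ends outside the hunk.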

=== added file 'mysql-test/r/openssl-poodle_6975,sslv3.result'
--- a/mysql-test/r/openssl-poodle_6975,sslv3.result	1970-01-01 00:00:00 +0000
+++ b/mysql-test/r/openssl-poodle_6975,sslv3.result	2014-11-11 19:26:55 +0000
@@ -0,0 +1,25 @@
+grant select on test.* to ssl_sslv3 at localhost require cipher "RC4-SHA";
+grant select on test.* to ssl_tls12 at localhost require cipher "AES128-SHA256";
+TLS1.2 ciphers: user is ok with any cipher
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+SSLv3 ciphers: user is ok with any cipher
+Variable_name	Value
+Ssl_cipher	RC4-SHA
+Variable_name	Value
+Ssl_cipher	DHE-RSA-AES256-SHA
+SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA
+Variable_name	Value
+Ssl_cipher	RC4-SHA
+ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
+SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256
+ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
+ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
+drop user ssl_sslv3 at localhost;
+drop user ssl_tls12 at localhost;

=== added file 'mysql-test/r/openssl-poodle_6975,tlsv12.result'
--- a/mysql-test/r/openssl-poodle_6975,tlsv12.result	1970-01-01 00:00:00 +0000
+++ b/mysql-test/r/openssl-poodle_6975,tlsv12.result	2014-11-11 19:26:55 +0000
@@ -0,0 +1,25 @@
+grant select on test.* to ssl_sslv3 at localhost require cipher "RC4-SHA";
+grant select on test.* to ssl_tls12 at localhost require cipher "AES128-SHA256";
+TLS1.2 ciphers: user is ok with any cipher
+Variable_name	Value
+Ssl_cipher	AES128-SHA256
+Variable_name	Value
+Ssl_cipher	DHE-RSA-AES256-GCM-SHA384
+TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA
+ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
+ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
+TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256
+Variable_name	Value
+Ssl_cipher	AES128-SHA256
+ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
+SSLv3 ciphers: user is ok with any cipher
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+drop user ssl_sslv3 at localhost;
+drop user ssl_tls12 at localhost;

=== added file 'mysql-test/t/openssl-poodle_6975.combinations'
--- a/mysql-test/t/openssl-poodle_6975.combinations	1970-01-01 00:00:00 +0000
+++ b/mysql-test/t/openssl-poodle_6975.combinations	2014-11-11 19:26:55 +0000
@@ -0,0 +1,6 @@
+[tlsv12]
+loose-ssl-cipher=TLSv1.2
+
+[sslv3]
+loose-ssl-cipher=SSLv3
+

=== added file 'mysql-test/t/openssl-poodle_6975.test'
--- a/mysql-test/t/openssl-poodle_6975.test	1970-01-01 00:00:00 +0000
+++ b/mysql-test/t/openssl-poodle_6975.test	2014-11-11 19:26:55 +0000
@@ -0,0 +1,38 @@
+#
+# MDEV-6975 Implement TLS protocol
+#
+# test SSLv3 and TLSv1.2 ciphers when OpenSSL is restricted to SSLv3 or TLSv1.2
+#
+source include/have_ssl_communication.inc;
+
+# this is OpenSSL test.
+
+grant select on test.* to ssl_sslv3 at localhost require cipher "RC4-SHA";
+grant select on test.* to ssl_tls12 at localhost require cipher "AES128-SHA256";
+
+let $mysql=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;
+
+disable_abort_on_error;
+echo TLS1.2 ciphers: user is ok with any cipher;
+exec $mysql                  --ssl-cipher=AES128-SHA256;
+exec $mysql                  --ssl-cipher=TLSv1.2;
+echo TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA;
+exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA256;
+exec $mysql --user ssl_sslv3 --ssl-cipher=TLSv1.2;
+echo TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
+exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA256;
+exec $mysql --user ssl_tls12 --ssl-cipher=TLSv1.2;
+
+echo SSLv3 ciphers: user is ok with any cipher;
+exec $mysql                  --ssl-cipher=RC4-SHA;
+exec $mysql                  --ssl-cipher=SSLv3;
+echo SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA;
+exec $mysql --user ssl_sslv3 --ssl-cipher=RC4-SHA;
+exec $mysql --user ssl_sslv3 --ssl-cipher=SSLv3;
+echo SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
+exec $mysql --user ssl_tls12 --ssl-cipher=RC4-SHA;
+exec $mysql --user ssl_tls12 --ssl-cipher=SSLv3;
+
+drop user ssl_sslv3 at localhost;
+drop user ssl_tls12 at localhost;
+
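Review bot: The exec lines let the client's raw OpenSSL error text (`error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure`, as recorded in the two new .result files) flow straight into the expected output, and that string changes between OpenSSL versions and is absent with other TLS libraries, so the test will go stale. A `--replace_regex` before each exec that normalizes it, for example (constructed pattern) `--replace_regex /error:[0-9A-Fa-f]+:SSL routines:[^:]+:sslv3 alert handshake failure/SSL_HANDSHAKE_FAILURE/`, would pin only the outcome that matters: handshake rejected versus access denied. Separately, `disable_abort_on_error;` stays in effect through the final `drop user` statements, so a failed cleanup would leak `ssl_sslv3`/`ssl_tls12` into later tests unnoticed; an `enable_abort_on_error;` before them closes that gap. The header comment "this is OpenSSL test." would be more useful as `# OpenSSL-only: the checks below depend on OpenSSL cipher-list names and handshake error text`.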

=== modified file 'mysql-test/t/openssl_1.test'
--- a/mysql-test/t/openssl_1.test	2014-11-11 19:18:34 +0000
+++ b/mysql-test/t/openssl_1.test	2014-11-11 19:26:55 +0000
@@ -132,6 +132,7 @@ drop table t1;
 # verification of servers certificate by setting both ca certificate
 # and ca path to NULL
 #
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 --exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
 --echo End of 5.0 tests
 
@@ -258,6 +259,7 @@ select 'is still running; no cipher requ
 GRANT SELECT ON test.* TO bug42158 at localhost REQUIRE X509;
 FLUSH PRIVILEGES;
 connect(con1,localhost,bug42158,,,,,SSL);
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';
 disconnect con1;
 connection default;
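Review bot: `--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA` hard-codes the two cipher names the server happens to pick today, so the tests break again as soon as the OpenSSL default list prefers a third suite; the identical line is repeated in the earlier hunk of this file and in ssl.test and ssl_compress.test (four places to update). A shared include holding a single `--replace_regex /DHE-RSA-AES256-[A-Z0-9-]+/DHE-RSA-AES256-SHA/` (constructed pattern, name the include as the suite prefers) would give one place to maintain it, and a comment such as `# negotiated cipher depends on the OpenSSL default list; TLSv1.2 builds prefer the GCM suite` would tell the next reader why the masking exists at all, which none of the hunks currently explain.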

=== modified file 'mysql-test/t/ssl.test'
--- a/mysql-test/t/ssl.test	2010-11-25 17:17:28 +0000
+++ b/mysql-test/t/ssl.test	2014-11-11 19:26:55 +0000
@@ -11,12 +11,14 @@
 connect (ssl_con,localhost,root,,,,,SSL);
 
 # Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';
 
 # Source select test case
 -- source include/common-tests.inc
 
 # Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';
 
 connection default;

=== modified file 'mysql-test/t/ssl_8k_key-master.opt'
--- a/mysql-test/t/ssl_8k_key-master.opt	2010-07-28 15:59:19 +0000
+++ b/mysql-test/t/ssl_8k_key-master.opt	2014-11-11 19:26:55 +0000
@@ -1 +1,3 @@
---loose-ssl-key=$MYSQL_TEST_DIR/std_data/server8k-key.pem --loose-ssl-cert=$MYSQL_TEST_DIR/std_data/server8k-cert.pem
+--loose-ssl-key=$MYSQL_TEST_DIR/std_data/server8k-key.pem
+--loose-ssl-cert=$MYSQL_TEST_DIR/std_data/server8k-cert.pem
+--loose-ssl-cipher=DHE-RSA-AES256-SHA

=== modified file 'mysql-test/t/ssl_compress.test'
--- a/mysql-test/t/ssl_compress.test	2010-11-25 17:17:28 +0000
+++ b/mysql-test/t/ssl_compress.test	2014-11-11 19:26:55 +0000
@@ -11,6 +11,7 @@
 connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS);
 
 # Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';
 
 # Check compression turned on
@@ -20,6 +21,7 @@ SHOW STATUS LIKE 'Compression';
 -- source include/common-tests.inc
 
 # Check ssl turned on
+--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';
 
 # Check compression turned on

=== modified file 'vio/viosslfactories.c'
--- a/vio/viosslfactories.c	2014-03-17 12:04:28 +0000
+++ b/vio/viosslfactories.c	2014-11-11 19:26:55 +0000
@@ -190,8 +190,8 @@ new_VioSSLFd(const char *key_file, const
     DBUG_RETURN(0);
 
   if (!(ssl_fd->ssl_context= SSL_CTX_new(is_client_method ? 
-                                         TLSv1_client_method() :
-                                         TLSv1_server_method())))
+                                         SSLv23_client_method() :
+                                         SSLv23_server_method())))
   {
     *error= SSL_INITERR_MEMFAIL;
     DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
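Review bot: Switching to SSLv23_client_method()/SSLv23_server_method() lets peers negotiate the newest version both support, but by the manpage text quoted in the commit message it also admits SSLv2 and SSLv3, which the TLSv1 methods excluded, and nothing in the hunk narrows the protocol range afterwards. Unless new_VioSSLFd does so further down (its body continues outside the hunk), add right after the successful SSL_CTX_new: `SSL_CTX_set_options(ssl_fd->ssl_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` so TLSv1.0 becomes the floor while TLSv1.1/1.2 negotiation is kept; if SSLv3 must stay reachable for compatibility, that decision deserves an explicit comment instead of being implicit in the method choice. A comment above the SSL_CTX_new call, `/* SSLv23_*_method() negotiates the highest protocol version both sides support; the SSL_OP_NO_* options set the floor */`, would also record why the TLSv1-only methods were dropped.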


