1# === Purpose ===
# This test verifies that, when the client connects with
# ssl-mode=VERIFY_IDENTITY, the server certificate identity check consults
# the DNS names and IP addresses listed in the X509 Subject Alternative Name
# extension in addition to the Common Name in the Subject.  With OpenSSL
# 1.0.2 or later the library's X509_check_host() / X509_check_ip() are used;
# with older versions the SAN entries are traversed manually.
9#
10# === Related bugs and/or worklogs ===
11# Bug #16211011 - SSL CERTIFICATE SUBJECT ALT NAMES WITH IPS NOT RESPECTED WITH ssl-mode=VERIFY_IDENTITY
12
13--source include/have_openssl.inc
14--source include/have_openssl_support.inc
15--source include/not_embedded.inc
16
# Every step below drives the $MYSQL client against the same CA / client
# certificate / client key triple from std_data; only --ssl-mode (and, in the
# later steps, --host) changes.  Each step queries Ssl_cipher so the .result
# file records whether the session was actually encrypted.  The client's
# stderr is redirected to a scratch file and then echoed into the result with
# --cat_file, so any client-side warning or error is recorded as well.
# Where an encrypted session is expected, $ALLOWED_CIPHERS_REGEX normalises
# the concrete cipher name so the result does not depend on the TLS library.

# DISABLED: the --ssl-* options are still passed but the connection is
# expected to be plaintext (empty Ssl_cipher), hence no cipher normalisation.
--echo ### Trying to connect with ssl-mode as DISABLED. This should establish an unencrypted connection.
--exec $MYSQL --ssl-mode=DISABLED --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-verify-san.pem  --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert-verify-san.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key-verify-san.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" 2> $MYSQLTEST_VARDIR/tmp/bug24732452_stderr
--cat_file $MYSQLTEST_VARDIR/tmp/bug24732452_stderr

# REQUIRED and VERIFY_CA are baselines: both are expected to connect
# encrypted (see the --echo text).  Only VERIFY_IDENTITY performs the
# CN/SAN host-name match that this file is about (see the header).
--echo ### Trying to connect with ssl-mode as REQUIRED. This should establish an encrypted connection.
--replace_regex $ALLOWED_CIPHERS_REGEX
--exec $MYSQL --ssl-mode=REQUIRED --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-verify-san.pem  --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert-verify-san.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key-verify-san.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" 2> $MYSQLTEST_VARDIR/tmp/bug24732452_stderr
--cat_file $MYSQLTEST_VARDIR/tmp/bug24732452_stderr

--echo ### Trying to connect with ssl-mode as VERIFY_CA. This should establish an encrypted connection.
--replace_regex $ALLOWED_CIPHERS_REGEX
--exec $MYSQL --ssl-mode=VERIFY_CA --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-verify-san.pem  --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert-verify-san.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key-verify-san.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" 2> $MYSQLTEST_VARDIR/tmp/bug24732452_stderr
--cat_file $MYSQLTEST_VARDIR/tmp/bug24732452_stderr

# VERIFY_IDENTITY with the default host: expected to succeed, i.e. whatever
# host name the client resolves by default is covered by the server
# certificate's CN or SAN.
--echo ### Trying to connect with ssl-mode as VERIFY_IDENTITY. This should establish an encrypted connection.
--replace_regex $ALLOWED_CIPHERS_REGEX
--exec $MYSQL --ssl-mode=VERIFY_IDENTITY --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-verify-san.pem  --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert-verify-san.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key-verify-san.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" 2> $MYSQLTEST_VARDIR/tmp/bug24732452_stderr
--cat_file $MYSQLTEST_VARDIR/tmp/bug24732452_stderr

# Negative case.  NOTE(review): the host 'nonexistent' fails at name
# resolution -- the pattern searched for below is ERROR 2005 "Unknown MySQL
# server host", so the client never reaches the server and no TLS handshake
# takes place.  This step therefore does NOT demonstrate that VERIFY_IDENTITY
# rejects a certificate whose CN/SAN does not cover the requested host: a
# client that skipped the host-name check entirely would still pass this
# file.  A genuine mismatch case would need a host name that resolves to this
# server but is absent from the server certificate's CN and SAN, and would
# have to expect the TLS identity-verification error instead of ERROR 2005.
# --error 1: the mysql client exits non-zero on a failed connection.
--echo ### Trying to connect with ssl-mode as VERIFY_IDENTITY and hostname as nonexistent. This should fail.
--error 1
--exec $MYSQL --host=nonexistent --ssl-mode=VERIFY_IDENTITY --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-verify-san.pem  --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert-verify-san.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key-verify-san.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" 2> $MYSQLTEST_VARDIR/tmp/bug24732452_stderr
# search_pattern_in_file.inc reads SEARCH_FILE and SEARCH_PATTERN.  Note that
# both the plain 'let ...;' form and the '--let ...' form are used here; the
# parentheses in the pattern are escaped because it is applied as a regex.
let SEARCH_FILE= $MYSQLTEST_VARDIR/tmp/bug24732452_stderr;
--echo #Search for the error in the file
--let SEARCH_PATTERN= ERROR 2005 \(HY000\): Unknown MySQL server host 'nonexistent'
--source include/search_pattern_in_file.inc

# Positive DNS-name case: 'localhost' is stated (in the --echo) to be present
# as a SAN entry, so the identity check must accept it.
--echo ### Trying to connect with ssl-mode as VERIFY_IDENTITY and hostname as localhost. This should establish an encrypted connection as localhost is present in Alternative Subject Name in the certificate.
--replace_regex $ALLOWED_CIPHERS_REGEX
--exec $MYSQL --host=localhost --ssl-mode=VERIFY_IDENTITY --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-verify-san.pem  --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert-verify-san.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key-verify-san.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" 2> $MYSQLTEST_VARDIR/tmp/bug24732452_stderr
--cat_file $MYSQLTEST_VARDIR/tmp/bug24732452_stderr

# Positive IP case -- the scenario from Bug #16211011 ("SUBJECT ALT NAMES
# WITH IPS").  NOTE(review): the --echo text says 'localhost', but the host
# actually connected to is the IP 127.0.0.1, so the match that makes this
# succeed is presumably an iPAddress SAN entry rather than the DNS name;
# confirm against the server certificate, which is not referenced in this
# file.  The --echo text is part of the recorded result and is left as-is.
--echo ### Trying to connect with ssl-mode as VERIFY_IDENTITY and hostname as 127.0.0.1. This should establish an encrypted connection as localhost is present in Alternative Subject Name in the certificate.
--replace_regex $ALLOWED_CIPHERS_REGEX
--exec $MYSQL --host=127.0.0.1 --ssl-mode=VERIFY_IDENTITY --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-verify-san.pem  --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert-verify-san.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key-verify-san.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" 2> $MYSQLTEST_VARDIR/tmp/bug24732452_stderr
--cat_file $MYSQLTEST_VARDIR/tmp/bug24732452_stderr

# Cleanup: remove the scratch file that collected the client's stderr.
--remove_file $MYSQLTEST_VARDIR/tmp/bug24732452_stderr
56