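# NOTE(review): Recorded statements and expected output for the dynamic TLS
# tests: ALTER INSTANCE RELOAD TLS and the runtime-settable ssl_*/tls_*
# variables. Each statement is followed by its recorded result rows, warnings
# or errors; lines starting with '#' are echoed comments. Steps announced only
# by a comment (e.g. "Must connect successfully") have no statement in this
# listing, only their recorded output.
# NOTE(review): the first suppressed error-log message has the same text as
# the error raised on purpose in the FR 1.8/1.9 section; the second presumably
# accompanies it - confirm against the server error log.
call mtr.add_suppression("Failed to set up SSL because of the following SSL library error");
call mtr.add_suppression("Failed to initialize TLS for channel: mysql_main");
# Check if ssl is on
SELECT LENGTH(VARIABLE_VALUE) > 0 FROM performance_schema.session_status
WHERE VARIABLE_NAME='Ssl_cipher';
LENGTH(VARIABLE_VALUE) > 0
1
################## FR1.1 and FR 1.4: ALTER INSTANCE RELOAD TLS
ALTER INSTANCE RELOAD TLS;
# Check if ssl is still turned on after reload
SELECT LENGTH(VARIABLE_VALUE) > 0 FROM performance_schema.session_status
WHERE VARIABLE_NAME='Ssl_cipher';
LENGTH(VARIABLE_VALUE) > 0
1
# FR1.1: check if old sessions continue
# NOTE(review): the user variable set before the reload is still readable
# afterwards, i.e. the reload did not drop or reset this session.
SET @must_be_present= 'present';
ALTER INSTANCE RELOAD TLS;
# Success criteria: value must be present
SELECT @must_be_present;
@must_be_present
present
# cleanup
################## FR 1.2: check if new sessions get the new vals
# Save the defaults
SET @orig_ssl_cipher = @@global.ssl_cipher;
SET @orig_tls_version = @@global.tls_version;
# in ssl_con
# check if the session has the original values
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher orig_cipher
# in default connection
# setting new values for ssl_cipher
SET GLOBAL ssl_cipher = "DHE-RSA-AES256-SHA256";
SET GLOBAL tls_version = "TLSv1.2";
ALTER INSTANCE RELOAD TLS;
# in ssl_new_con
# Save the new defaults
# Check if the old and the new not afters differ
# in ssl_con
# the con session must have the original values
# NOTE(review): a session opened before the reload keeps the cipher it
# negotiated. A tightened ssl_cipher/tls_version policy therefore covers new
# connections only; existing sessions are covered once they reconnect.
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher orig_cipher;
# cleanup
# in default connection
SET GLOBAL ssl_cipher = @orig_ssl_cipher;
SET GLOBAL tls_version = @orig_tls_version;
ALTER INSTANCE RELOAD TLS;
################## FR 1.5: new values effective only after RELOAD TLS
# NOTE(review): no RELOAD TLS is issued in this section, so per the section
# title the new ssl_cipher value is expected to stay inactive; the statements
# that verify this are not part of the recorded output.
# Save the defaults
SET @orig_ssl_cipher = @@global.ssl_cipher;
# setting new values for ssl_cipher
SET GLOBAL ssl_cipher = "DHE-RSA-AES256-SHA256";
# in ssl_con
# Check if the old and the new not afters differ
# cleanup
# in default connection
SET GLOBAL ssl_cipher = @orig_ssl_cipher;
################## FR 1.7: CONNECTION_ADMIN will be required to execute
# ALTER INSTANCE RELOAD TLS
# NOTE(review): the recorded errors show that neither an unprivileged account
# nor one holding only SUPER may reload the TLS configuration; the reload
# succeeds only after CONNECTION_ADMIN is granted. Accounts that rotate TLS
# material need that grant explicitly, and it should be limited to them.
CREATE USER test_connection_admin@localhost;
# in ssl_con
# Must fail
ALTER INSTANCE RELOAD TLS;
ERROR 42000: Access denied; you need (at least one of) the CONNECTION_ADMIN privilege(s) for this operation
# in default connection
GRANT SUPER ON *.* TO test_connection_admin@localhost;
Warnings:
Warning 1287 The SUPER privilege identifier is deprecated
# in ssl_con
# Must fail
ALTER INSTANCE RELOAD TLS;
ERROR 42000: Access denied; you need (at least one of) the CONNECTION_ADMIN privilege(s) for this operation
# in default connection
REVOKE SUPER ON *.* FROM test_connection_admin@localhost;
Warnings:
Warning 1287 The SUPER privilege identifier is deprecated
GRANT CONNECTION_ADMIN ON *.* TO test_connection_admin@localhost;
# in ssl_con
# Must pass
ALTER INSTANCE RELOAD TLS;
# cleanup
# in default connection
DROP USER test_connection_admin@localhost;
################## FR 1.8 and 1.9: disable SSL on wrong values
# Save the defaults
SET @orig_ssl_ca= @@global.ssl_ca;
# Set CA to invalid value
SET GLOBAL ssl_ca = 'gizmo';
# Must fail and not change the SSL params
ALTER INSTANCE RELOAD TLS;
ERROR HY000: Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed
# NOTE(review): after the failed reload the ssl_ca variable already reads
# 'gizmo' while Current_tls_ca still holds the original CA, so the system
# variable and the active TLS context have diverged. Audit the Current_tls_*
# status values, not the ssl_* variables, to see what the server really uses.
# Must be 1
SELECT COUNT(*) FROM performance_schema.session_status
WHERE VARIABLE_NAME = 'Current_tls_ca' AND VARIABLE_VALUE = @orig_ssl_ca;
COUNT(*)
1
# Must return gizmo
SELECT @@global.ssl_ca;
@@global.ssl_ca
gizmo
# Must connect successfully
1
1
# NOTE(review): with NO ROLLBACK ON ERROR the same failure is reported only as
# warning 3888 and the broken value becomes the active one; the echoed
# comments record that TLS is then disabled and that connecting fails until a
# valid configuration is reloaded. Whether cleartext connections are still
# accepted in that state is not shown here - check require_secure_transport
# before relying on this option.
# Must pass with a warning and disable SSL
ALTER INSTANCE RELOAD TLS NO ROLLBACK ON ERROR;
Warnings:
Warning 3888 Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed
# Must be 1
SELECT COUNT(*) FROM performance_schema.session_status
WHERE VARIABLE_NAME = 'Current_tls_ca' AND VARIABLE_VALUE = 'gizmo';
COUNT(*)
1
# Must fail to connect
# cleanup
SET GLOBAL ssl_ca = @orig_ssl_ca;
ALTER INSTANCE RELOAD TLS;
# FR 1.9: Must connect successfully
1
1
################## FR2 and FR6: --ssl-* variables settable at runtime.
SET @orig_ssl_ca= @@global.ssl_ca;
SET @orig_ssl_cert= @@global.ssl_cert;
SET @orig_ssl_key= @@global.ssl_key;
SET @orig_ssl_capath= @@global.ssl_capath;
SET @orig_ssl_crl= @@global.ssl_crl;
SET @orig_ssl_crlpath= @@global.ssl_crlpath;
SET @orig_ssl_cipher= @@global.ssl_cipher;
# NOTE(review): saved as @orig_tls_ciphersuites, the name the cleanup of this
# section reads. The value used to be saved as @orig_tls_cipher, which was
# never read back, so the cleanup assigned an unset user variable (NULL)
# instead of the saved tls_ciphersuites value.
SET @orig_tls_ciphersuites= @@global.tls_ciphersuites;
SET @orig_tls_version= @@global.tls_version;
# NOTE(review): SET GLOBAL accepts these values without validating them; they
# are checked only when RELOAD TLS runs, which this section never does.
# Must pass
SET GLOBAL ssl_ca = 'gizmo';
SET GLOBAL ssl_cert = 'gizmo';
SET GLOBAL ssl_key = 'gizmo';
SET GLOBAL ssl_capath = 'gizmo';
SET GLOBAL ssl_crl = 'gizmo';
SET GLOBAL ssl_crlpath = 'gizmo';
SET GLOBAL ssl_cipher = 'gizmo';
SET GLOBAL tls_ciphersuites = 'gizmo';
SET GLOBAL tls_version = 'gizmo';
# Must fail
SET SESSION ssl_ca = 'gizmo';
ERROR HY000: Variable 'ssl_ca' is a GLOBAL variable and should be set with SET GLOBAL
SET SESSION ssl_cert = 'gizmo';
ERROR HY000: Variable 'ssl_cert' is a GLOBAL variable and should be set with SET GLOBAL
SET SESSION ssl_key = 'gizmo';
ERROR HY000: Variable 'ssl_key' is a GLOBAL variable and should be set with SET GLOBAL
SET SESSION ssl_capath = 'gizmo';
ERROR HY000: Variable 'ssl_capath' is a GLOBAL variable and should be set with SET GLOBAL
SET SESSION ssl_crl = 'gizmo';
ERROR HY000: Variable 'ssl_crl' is a GLOBAL variable and should be set with SET GLOBAL
SET SESSION ssl_crlpath = 'gizmo';
ERROR HY000: Variable 'ssl_crlpath' is a GLOBAL variable and should be set with SET GLOBAL
SET SESSION ssl_cipher = 'gizmo';
ERROR HY000: Variable 'ssl_cipher' is a GLOBAL variable and should be set with SET GLOBAL
SET SESSION tls_ciphersuites = 'gizmo';
ERROR HY000: Variable 'tls_ciphersuites' is a GLOBAL variable and should be set with SET GLOBAL
SET SESSION tls_version = 'gizmo';
ERROR HY000: Variable 'tls_version' is a GLOBAL variable and should be set with SET GLOBAL
# NOTE(review): all nine Current_tls_* values are still different from
# 'gizmo', i.e. the active TLS context was not touched by the SET GLOBALs.
# FR6: Must return 9
SELECT VARIABLE_NAME FROM performance_schema.session_status WHERE
VARIABLE_NAME IN
('Current_tls_ca', 'Current_tls_capath', 'Current_tls_cert',
'Current_tls_key', 'Current_tls_version', 'Current_tls_cipher',
'Current_tls_ciphersuites', 'Current_tls_crl', 'Current_tls_crlpath') AND
VARIABLE_VALUE != 'gizmo'
 ORDER BY VARIABLE_NAME;
VARIABLE_NAME
Current_tls_ca
Current_tls_capath
Current_tls_cert
Current_tls_cipher
Current_tls_ciphersuites
Current_tls_crl
Current_tls_crlpath
Current_tls_key
Current_tls_version
# cleanup
SET GLOBAL ssl_ca = @orig_ssl_ca;
SET GLOBAL ssl_cert = @orig_ssl_cert;
SET GLOBAL ssl_key = @orig_ssl_key;
SET GLOBAL ssl_capath = @orig_ssl_capath;
SET GLOBAL ssl_crl = @orig_ssl_crl;
SET GLOBAL ssl_crlpath = @orig_ssl_crlpath;
SET GLOBAL ssl_cipher = @orig_ssl_cipher;
SET GLOBAL tls_ciphersuites = @orig_tls_ciphersuites;
SET GLOBAL tls_version = @orig_tls_version;
################## FR8: X plugin does not follow
# Save the defaults
SET @orig_ssl_ca= @@global.ssl_ca;
SET @orig_ssl_cert= @@global.ssl_cert;
SET @orig_ssl_key= @@global.ssl_key;
SET @orig_mysqlx_ssl_ca= @@global.mysqlx_ssl_ca;
SET @orig_mysqlx_ssl_cert= @@global.mysqlx_ssl_cert;
SET @orig_mysqlx_ssl_key= @@global.mysqlx_ssl_key;
# setting new values for ssl_cert, ssl_key and ssl_ca
SET GLOBAL ssl_cert = "MYSQL_TEST_DIR/std_data/server-cert-sha512.pem";
SET GLOBAL ssl_key = "MYSQL_TEST_DIR/std_data/server-key-sha512.pem";
SET GLOBAL ssl_ca = "MYSQL_TEST_DIR/std_data/ca-sha512.pem";
ALTER INSTANCE RELOAD TLS;
# NOTE(review): the reload of new ssl_cert/ssl_key/ssl_ca leaves the three
# mysqlx_ssl_* variables equal to their saved values. The check compares
# variable values only; it does not show which certificate an X Plugin
# listener presents after the reload.
# Check that X variables match the initial ones
SELECT @@global.mysqlx_ssl_ca = @orig_mysqlx_ssl_ca,
@@global.mysqlx_ssl_cert = @orig_mysqlx_ssl_cert,
@@global.mysqlx_ssl_key = @orig_mysqlx_ssl_key;
@@global.mysqlx_ssl_ca = @orig_mysqlx_ssl_ca 1
@@global.mysqlx_ssl_cert = @orig_mysqlx_ssl_cert 1
@@global.mysqlx_ssl_key = @orig_mysqlx_ssl_key 1
# cleanup
SET GLOBAL ssl_cert = @orig_ssl_cert;
SET GLOBAL ssl_key = @orig_ssl_key;
SET GLOBAL ssl_ca = @orig_ssl_ca;
ALTER INSTANCE RELOAD TLS;
################## End of dynamic SSL tests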