Commit 6484288c authored by Vladislav Vaintroub

CONC-447 ERROR 2026 (HY000): SSL connection error: Certificate signature check failed

Enable CRL checking on Windows.
Enable certificate verification testing in client testing.
parent 3cc0e0be
...@@ -30,7 +30,7 @@ ...@@ -30,7 +30,7 @@
*/ */
opt_use_ssl= 1; opt_use_ssl= 1;
/* crl has no effect in yaSSL */ /* crl has no effect in yaSSL */
#ifdef HAVE_YASSL #if defined (HAVE_YASSL) && (!defined (_WIN32) || defined (MYSQL_SERVER))
opt_ssl_crl= NULL; opt_ssl_crl= NULL;
opt_ssl_crlpath= NULL; opt_ssl_crlpath= NULL;
#endif #endif
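Review bot: The comment `/* crl has no effect in yaSSL */` no longer describes the guard below it. With the new condition, a yaSSL build of the Windows client keeps `opt_ssl_crl` and `opt_ssl_crlpath`, presumably because revocation is checked there by the connector's own TLS code rather than by yaSSL. I would reword it along the lines of `/* yaSSL ignores CRLs; keep the options for Windows clients, where the connector checks revocation */`. On the builds that still take this branch, a `--ssl-crl` or `--ssl-crlpath` supplied by the user is discarded without any message, so the connection proceeds with no revocation check; a warning at this point would make that visible. The enclosing block starts and ends outside the hunk.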
......
Subproject commit c8833751cf48d0085d9d7a4285aafdc967a63a4d Subproject commit 63df45ce3df3fbc04d8fab9bceb77f9d1cccd4aa
...@@ -21,15 +21,6 @@ create procedure have_ssl() ...@@ -21,15 +21,6 @@ create procedure have_ssl()
--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1 --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
--echo mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()" --echo mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()"
# this is the test where certificate verification fails. --replace_regex /SSL connection error.*certificate[^\n]*/SSL connection error: Failed to verify the server certificate/
# but yassl doesn't support certificate verification, so --exec $MYSQL --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
# we fake the test result for yassl
let yassl=`select variable_value='Unknown' from information_schema.session_status where variable_name='Ssl_session_cache_mode'`;
if (!$yassl) {
--replace_result "self signed certificate in certificate chain" "Failed to verify the server certificate" "Error in the certificate." "Failed to verify the server certificate"
--exec $MYSQL --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
}
if ($yassl) {
--echo ERROR 2026 (HY000): SSL connection error: Failed to verify the server certificate
}
drop procedure have_ssl; drop procedure have_ssl;
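Review bot: The new `--replace_regex` rewrites any output matching `SSL connection error.*certificate[^\n]*` to the expected message, so the result file can no longer distinguish a failed chain verification from any other certificate-related SSL error. The match is also case-sensitive on `certificate`, so a backend that capitalizes the word would not be normalized and the test would fail on wording alone. The removed comments were the only explanation of this step, so a replacement would help, e.g. `# no --ssl-ca is given here, so server certificate verification must fail; backend-specific error text is normalized`.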
# This test should work in embedded server after we fix mysqltest # This test should work in embedded server after we fix mysqltest
-- source include/not_embedded.inc -- source include/not_embedded.inc
-- source include/have_openssl.inc
if (`SELECT COUNT(*) = 0 FROM information_schema.GLOBAL_VARIABLES
WHERE (VARIABLE_NAME ='version_compile_os' AND VARIABLE_VALUE LIKE 'Win%' OR
VARIABLE_NAME='have_openssl' AND VARIABLE_VALUE='YES')`)
{
skip Need openssl or Windows;
}
--echo # Test clients with and without CRL lists --echo # Test clients with and without CRL lists
...@@ -14,10 +20,12 @@ copy_file $MYSQL_TEST_DIR/std_data/server-cert.crl $MYSQL_TMP_DIR/ed1f42db.r0; ...@@ -14,10 +20,12 @@ copy_file $MYSQL_TEST_DIR/std_data/server-cert.crl $MYSQL_TMP_DIR/ed1f42db.r0;
--echo ############ Test mysql ############## --echo ############ Test mysql ##############
--echo # Test mysql connecting to a server with a certificate revoked by -crl --echo # Test mysql connecting to a server with a certificate revoked by -crl
--replace_result "Server certificate validation failed. The certificate is revoked. Error 0x80092010(CRYPT_E_REVOKED)" "certificate revoked"
--error 1 --error 1
--exec $MYSQL $ssl_crl test -e "SHOW STATUS LIKE 'Ssl_version'" 2>&1 --exec $MYSQL $ssl_crl test -e "SHOW STATUS LIKE 'Ssl_version'" 2>&1
--echo # Test mysql connecting to a server with a certificate revoked by -crlpath --echo # Test mysql connecting to a server with a certificate revoked by -crlpath
--replace_result "Server certificate validation failed. The certificate is revoked. Error 0x80092010(CRYPT_E_REVOKED)" "certificate revoked"
--error 1 --error 1
--exec $MYSQL $ssl_crlpath test -e "SHOW STATUS LIKE 'Ssl_version'" 2>&1 --exec $MYSQL $ssl_crlpath test -e "SHOW STATUS LIKE 'Ssl_version'" 2>&1
...@@ -26,11 +34,11 @@ copy_file $MYSQL_TEST_DIR/std_data/server-cert.crl $MYSQL_TMP_DIR/ed1f42db.r0; ...@@ -26,11 +34,11 @@ copy_file $MYSQL_TEST_DIR/std_data/server-cert.crl $MYSQL_TMP_DIR/ed1f42db.r0;
let $admin_suffix = --default-character-set=latin1 -S $MASTER_MYSOCK -P $MASTER_MYPORT -u root --password= ping; let $admin_suffix = --default-character-set=latin1 -S $MASTER_MYSOCK -P $MASTER_MYPORT -u root --password= ping;
--echo # Test mysqladmin connecting to a server with a certificate revoked by -crl --echo # Test mysqladmin connecting to a server with a certificate revoked by -crl
--replace_regex /.*mysqladmin.*:/mysqladmin:/ --replace_regex /.*mysqladmin.*:/mysqladmin:/ /SSL connection error: .*CRYPT_E_REVOKED./SSL connection error: certificate revoked/
--error 1 --error 1
--exec $MYSQLADMIN $ssl_crl $admin_suffix 2>&1 --exec $MYSQLADMIN $ssl_crl $admin_suffix 2>&1
--echo # Test mysqladmin connecting to a server with a certificate revoked by -crlpath --echo # Test mysqladmin connecting to a server with a certificate revoked by -crlpath
--replace_regex /.*mysqladmin.*:/mysqladmin:/ --replace_regex /.*mysqladmin.*:/mysqladmin:/ /SSL connection error: .*CRYPT_E_REVOKED./SSL connection error: certificate revoked/
--error 1 --error 1
--exec $MYSQLADMIN $ssl_crlpath $admin_suffix 2>&1 --exec $MYSQLADMIN $ssl_crlpath $admin_suffix 2>&1
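Review bot: The new skip condition at the top of this file relies on `AND` binding tighter than `OR` and has no comment saying why Windows is accepted without OpenSSL. Explicit grouping reads more safely: `WHERE (VARIABLE_NAME = 'version_compile_os' AND VARIABLE_VALUE LIKE 'Win%') OR (VARIABLE_NAME = 'have_openssl' AND VARIABLE_VALUE = 'YES')`. Note that both variables describe the server build, while the revocation check under test runs in the client programs, so a short comment such as `# CRL checking needs an OpenSSL build, or the Windows client` would record that assumption. In the later hunks, the `mysql` cases normalize the Windows error with an exact `--replace_result` string, whereas the `mysqladmin` cases use the looser regex `/SSL connection error: .*CRYPT_E_REVOKED./`; using one form for both would keep the expected output consistent.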