################################################################################ # Test to verify the SSL Fips mode on the Group replication plugin # # Test: # 0. The test requires two servers: M1 and M2. # 1. Setup the first member (M1) with a recovery user that requires SSL with # ssl_fips_mode= 'ON'. # 2. Start and bootstrap M1. # 3. Insert some data and verify that it gives warning for MD5(). # 4. Configure joining member (M2) to use SSL and Fips mode options on recovery. # Start GR on M2. Check the data is there. # 5. Restart M2 with weak cipher with Fips mode ON and verify it does not start. # 6. Clean up. ################################################################################ --source include/big_test.inc --source include/have_fips.inc --source include/have_group_replication_plugin.inc --let $rpl_skip_group_replication_start= 1 --source include/group_replication.inc --echo # --echo # 1. Setup the first member (M1) with a recovery user that requires SSL --echo # with ssl_fips_mode= 'ON'. --echo # --let $rpl_connection_name= server1 --source include/rpl_connection.inc # create a user for replication that requires ssl encryption SET SESSION sql_log_bin= 0; CREATE USER 'rec_ssl_user'@'%' REQUIRE SSL; GRANT replication slave ON *.* TO 'rec_ssl_user'@'%'; SET SESSION sql_log_bin= 1; # set ssl fips mode SET @ssl_fips_mode_save= @@GLOBAL.ssl_fips_mode; SET @@GLOBAL.ssl_fips_mode= 'ON'; --echo # --echo # 2. Start and bootstrap M1. --echo # --source include/start_and_bootstrap_group_replication.inc --echo # --echo # 3. Insert some data and verify that it gives warning for MD5(). --echo # CREATE TABLE t1 (c1 INT NOT NULL PRIMARY KEY, hash CHAR(32)) ENGINE=InnoDB; INSERT INTO t1 VALUES (1, 'test'); INSERT INTO t1 VALUES (2, MD5(8)); SHOW WARNINGS; --echo # --echo # 4. Configure joining member (M2) to use SSL and Fips mode options on recovery. --echo # Start GR on M2. Check the data is there. --echo # --let $rpl_connection_name= server2 --source include/rpl_connection.inc SET @group_replication_recovery_use_ssl_save= @@GLOBAL.group_replication_recovery_use_ssl; SET @group_replication_recovery_ssl_ca_save= @@GLOBAL.group_replication_recovery_ssl_ca; SET @group_replication_recovery_ssl_cert_save= @@GLOBAL.group_replication_recovery_ssl_cert; SET @group_replication_recovery_ssl_key_save= @@GLOBAL.group_replication_recovery_ssl_key; SET @group_replication_recovery_ssl_cipher_save= @@GLOBAL.group_replication_recovery_ssl_cipher; SET @group_replication_recovery_retry_count_save= @@GLOBAL.group_replication_recovery_retry_count; --disable_warnings CHANGE MASTER TO MASTER_USER="rec_ssl_user" FOR CHANNEL "group_replication_recovery"; --enable_warnings SET GLOBAL group_replication_recovery_use_ssl= 1; --replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR --eval SET GLOBAL group_replication_recovery_ssl_ca= '$MYSQL_TEST_DIR/std_data/cacert.pem' --replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR --eval SET GLOBAL group_replication_recovery_ssl_cert= '$MYSQL_TEST_DIR/std_data/client-cert.pem' --replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR --eval SET GLOBAL group_replication_recovery_ssl_key= '$MYSQL_TEST_DIR/std_data/client-key.pem' # set ssl fips mode SET @ssl_fips_mode_save= @@GLOBAL.ssl_fips_mode; SET @@GLOBAL.ssl_fips_mode= 'ON'; --source include/start_group_replication.inc --echo # --echo # Check the data is there --echo # --let $assert_text= On the recovered member, the table should exist and have 1 elements; --let $assert_cond= [select count(*) from t1] = 2; --source include/assert.inc DROP TABLE t1; --source include/rpl_sync.inc --echo # --echo # 5. Restart M2 with weak cipher with Fips mode ON and verify it --echo # does not start. --echo # --source include/stop_group_replication.inc SET SESSION sql_log_bin= 0; call mtr.add_suppression("There was an error when connecting to the donor server. Please check that group_replication_recovery channel credentials and all MEMBER_HOST column values of performance_schema.replication_group_members table are correct and DNS resolvable."); call mtr.add_suppression("For details please check performance_schema.replication_connection_status table and error log messages of Slave I/O for channel group_replication_recovery."); call mtr.add_suppression("Maximum number of retries when trying to connect to a donor reached. Aborting group replication incremental recovery."); call mtr.add_suppression("Fatal error during the Recovery process of Group Replication. The server will leave the group."); call mtr.add_suppression("Skipping leave operation: concurrent attempt to leave the group is on-going."); call mtr.add_suppression("The server was automatically set into read only mode after an error was detected."); SET SESSION sql_log_bin= 1; SET GLOBAL group_replication_recovery_ssl_cipher= 'CAMELLIA256-SHA'; SET GLOBAL group_replication_recovery_retry_count= 1; --let $group_replication_start_member_state= ERROR --source include/start_group_replication.inc --source include/stop_group_replication.inc --echo # --echo # Clean up --echo # SET @@GLOBAL.ssl_fips_mode= @ssl_fips_mode_save; SET @@GLOBAL.group_replication_recovery_use_ssl= @group_replication_recovery_use_ssl_save; SET @@GLOBAL.group_replication_recovery_ssl_ca= @group_replication_recovery_ssl_ca_save; SET @@GLOBAL.group_replication_recovery_ssl_cert= @group_replication_recovery_ssl_cert_save; SET @@GLOBAL.group_replication_recovery_ssl_key= @group_replication_recovery_ssl_key_save; SET @@GLOBAL.group_replication_recovery_ssl_cipher= @group_replication_recovery_ssl_cipher_save; SET @@GLOBAL.group_replication_recovery_retry_count= @group_replication_recovery_retry_count_save; --let $rpl_connection_name= server1 --source include/rpl_connection.inc SET @@GLOBAL.ssl_fips_mode= @ssl_fips_mode_save; SET SESSION sql_log_bin= 0; DROP USER 'rec_ssl_user'; SET SESSION sql_log_bin= 1; --source include/group_replication_end.inc