4493d40a-92aa-4162-9dfc-bfc4ec0996e6
/
polardbxengine
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
polardbxengine/mysql-test/suite/x/r/connection_openssl.result

1579 lines
53 KiB
Plaintext
Raw Blame History

## Preamble
SET GLOBAL mysqlx_connect_timeout = 300;
call mtr.add_suppression("Maximum number of authentication attempts reached");
call mtr.add_suppression("Access denied for user .*");
CREATE USER user1_mysqlx@localhost
IDENTIFIED WITH 'mysql_native_password' BY 'auth_string1';
CREATE USER user2_mysqlx@localhost
IDENTIFIED WITH 'mysql_native_password' BY 'auth_string2'
PASSWORD EXPIRE;
CREATE USER user3_mysqlx@localhost
IDENTIFIED WITH 'mysql_native_password' BY 'auth_string3'
REQUIRE CIPHER "AES256-SHA" AND
SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
PASSWORD EXPIRE NEVER;
CREATE USER user4_mysqlx@localhost REQUIRE SSL ACCOUNT LOCK;
CREATE USER user5_mysqlx@localhost
IDENTIFIED WITH 'mysql_native_password' BY 'auth_string'
REQUIRE SSL;
CREATE USER user6_mysqlx@localhost
IDENTIFIED WITH 'mysql_native_password' BY 'dwh@#ghd'
REQUIRE x509;
CREATE USER user7_mysqlx@localhost
IDENTIFIED WITH 'mysql_native_password' BY ''
REQUIRE CIPHER "AES256-SHA";
GRANT ALL ON *.* TO user1_mysqlx@localhost;
GRANT ALL ON *.* TO user2_mysqlx@localhost;
GRANT ALL ON *.* TO user3_mysqlx@localhost;
GRANT ALL ON *.* TO user4_mysqlx@localhost;
GRANT ALL ON *.* TO user5_mysqlx@localhost;
GRANT ALL ON *.* TO user6_mysqlx@localhost;
GRANT ALL ON *.* TO user7_mysqlx@localhost;
## I. Verify handling of SSL with normal account ('mysql_native_password')
#
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user1_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 1]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 1]
Mysqlx.Ok {
msg: "bye!"
}
ok
## II. Verify handling of SSL with super account and XProtocol message
## CapabilitySet (without SSL options on it)
#
# 1. Try to set "tls" capability with invalid data (no-ssl connection)
# 2. Try to set "tls" capability with valid data (ssl connection)
#
# II.1
# setting read/write tls param with possible invalid data types:
# V_SINT,V_UINT ,V_NULL,V_OCTETS ,V_DOUBLE,V_FLOAT,V_STRING
send Mysqlx.Connection.CapabilitiesGet {
}
Mysqlx.Connection.Capabilities(capabilities[0]) = Mysqlx.Connection.Capability {
name: "tls"
value {
type: SCALAR
scalar {
type: V_BOOL
v_bool: false
}
}
}
# Checking CapSet TLS to bool 0
send Mysqlx.Connection.CapabilitiesSet {
capabilities {
capabilities {
name: "tls"
value {
type: SCALAR
scalar {
type: V_BOOL
v_bool: false
}
}
}
}
}
Got expected error:
Mysqlx.Error {
severity: ERROR
code: 5001
msg: "Capability prepare failed for \'tls\'"
sql_state: "HY000"
}
# CapSet TLS to null
send Mysqlx.Connection.CapabilitiesSet {
capabilities {
capabilities {
name: "tls"
value {
type: SCALAR
scalar {
type: V_NULL
}
}
}
}
}
Got expected error:
Mysqlx.Error {
severity: ERROR
code: 5001
msg: "Capability prepare failed for \'tls\'"
sql_state: "HY000"
}
# CapSet TLS to empty octet
send Mysqlx.Connection.CapabilitiesSet {
capabilities {
capabilities {
name: "tls"
value {
type: SCALAR
scalar {
type: V_OCTETS
}
}
}
}
}
Got expected error:
Mysqlx.Error {
severity: ERROR
code: 5001
msg: "Capability prepare failed for \'tls\'"
sql_state: "HY000"
}
# CapSet TLS to empty uint
send Mysqlx.Connection.CapabilitiesSet {
capabilities {
capabilities {
name: "tls"
value {
type: SCALAR
scalar {
type: V_UINT
}
}
}
}
}
Got expected error:
Mysqlx.Error {
severity: ERROR
code: 5001
msg: "Capability prepare failed for \'tls\'"
sql_state: "HY000"
}
# CapSet TLS to empty sint
send Mysqlx.Connection.CapabilitiesSet {
capabilities {
capabilities {
name: "tls"
value {
type: SCALAR
scalar {
type: V_SINT
}
}
}
}
}
Got expected error:
Mysqlx.Error {
severity: ERROR
code: 5001
msg: "Capability prepare failed for \'tls\'"
sql_state: "HY000"
}
ok
# II.2
send Mysqlx.Connection.CapabilitiesGet {
}
Mysqlx.Connection.Capabilities(capabilities[0]) = Mysqlx.Connection.Capability {
name: "tls"
value {
type: SCALAR
scalar {
type: V_BOOL
v_bool: false
}
}
}
send Mysqlx.Connection.CapabilitiesSet {
capabilities {
capabilities {
name: "tls"
value {
type: SCALAR
scalar {
type: V_BOOL
v_bool: true
}
}
}
}
}
Mysqlx.Ok {
}
# SSL Enabled
send Mysqlx.Connection.CapabilitiesGet {
}
Mysqlx.Connection.Capabilities(capabilities[0]) = Mysqlx.Connection.Capability {
name: "tls"
value {
type: SCALAR
scalar {
type: V_BOOL
v_bool: true
}
}
}
ok
## III. Verify handling of expired password with user2_mysqlx account ('mysql_native_password')
#
# 1. When client doesn't support handling of expired password,
# then connection must be rejected
# 2. When client support expired password, then he must be able
# to alter password
# 3. Verify that after the alter password, account can be used
# without any additional support for expired password on the client
# 4. When client support expired password, then he must be able
# to set the password
# 5. Verify that after the set password, account can be used
# without any additional support for expired password on the client
#
# III.1
Application terminated with expected error: Your password has expired. To log in you must change it using a client that supports expired passwords. (code 1862)
ok
# III.2
NOTICE: Account password expired
RUN ALTER USER USER() IDENTIFIED BY 'alter-new-auth'
0 rows affected
Mysqlx.Ok {
msg: "bye!"
}
ok
# III.3
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user2_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 5]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 5]
Mysqlx.Ok {
msg: "bye!"
}
ok
# III.4
ALTER USER user2_mysqlx@localhost PASSWORD EXPIRE;
NOTICE: Account password expired
RUN SET PASSWORD='set-new-auth'
0 rows affected
Mysqlx.Ok {
msg: "bye!"
}
ok
# III.5
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user2_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 7]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 7]
Mysqlx.Ok {
msg: "bye!"
}
ok
## IV. Verify handling of account that has requires concrete cipher, signed cert
## ('mysql_native_password')
#
# 1. Verify that user can connect when it has allowed cipher and matching cert
# 2. Verify that user can't connect when it has allowed cipher and non-matching cert
# 3. Verify that user can't connect when it doesn't use SSL
# 4. Verify that user can't connect when it use basic SSL configuration
# 5. Verify that user can't connect when it has allowed cipher and its without a cert
#
# IV.1
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user3_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 8]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 8]
Mysqlx.Ok {
msg: "bye!"
}
ok
# IV.2
Application terminated with expected error: Access denied for user 'user3_mysqlx'@'localhost' (using password: YES) (code 1045)
ok
# IV.3
Application terminated with expected error: Access denied for user 'user3_mysqlx'@'localhost' (using password: YES) (code 1045)
ok
# IV.4
Application terminated with expected error: Access denied for user 'user3_mysqlx'@'localhost' (using password: YES) (code 1045)
ok
# IV.5
Application terminated with expected error: Access denied for user 'user3_mysqlx'@'localhost' (using password: YES) (code 1045)
ok
## V. Verify handling of locked account ('mysql_native_password')
#
# 1. Verify that locked account can't connect
# 2. Unlock the account and verify that it can connect
#
# V.1
Application terminated with expected error: Access denied for user 'user4_mysqlx'@'localhost'. Account is locked. (code 3118)
ok
# V.2
ALTER USER user4_mysqlx@localhost ACCOUNT UNLOCK;
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user4_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 14]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 14]
Mysqlx.Ok {
msg: "bye!"
}
ok
## VI. Verify handling of account that was marked as SSL required ('mysql_native_password')
#
# 1. Verify connection with basic SSL configuration
# 2. Verify connection with SSL key & cert
# 3. Verify connection with SSL ca
#
# VI.1
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user5_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 15]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 15]
Mysqlx.Ok {
msg: "bye!"
}
ok
# VI.2
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user5_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 16]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 16]
Mysqlx.Ok {
msg: "bye!"
}
ok
# VI.3
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user5_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 17]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 17]
Mysqlx.Ok {
msg: "bye!"
}
ok
## VII. Verify handling of account that was marked as SSL required with signed cert
## ('mysql_native_password')
#
# 1. Verify connection with signed cert
# 2. Verify that connection is rejected when SSL is disabled
# 3. Verify that connection is rejected when CA is set
# 4. Verify that connection is rejected when using basic SSL configuration
#
# VII.1
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user6_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 18]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 18]
Mysqlx.Ok {
msg: "bye!"
}
ok
# VII.2
Application terminated with expected error: Authentication failed, check username and password or try a secure connection (code 2510)
ok
# VII.3
Application terminated with expected error: Access denied for user 'user6_mysqlx'@'localhost' (using password: YES) (code 1045)
ok
# VII.4
Application terminated with expected error: Access denied for user 'user6_mysqlx'@'localhost' (using password: YES) (code 1045)
ok
## VIII. Verify handling of account that was marked that requires concrete SSL cipher
## ('mysql_native_password')
#
# 1. Verify connection with concrete cipher and signed cert
# 2. Verify that connection is rejected with concrete cipher and without a cert
# 3. Verify that connection is rejected when SSL is disabled
# 4. Verify that connection is rejected with basic SSL configuration
# 5. Verify that connection is rejected with wrong cipher and signed cert
#
# VIII.1
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user7_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 21]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 21]
Mysqlx.Ok {
msg: "bye!"
}
ok
# VIII.2
Application terminated with expected error: Access denied for user 'user7_mysqlx'@'localhost' (using password: NO) (code 1045)
ok
# VIII.3
Application terminated with expected error: Authentication failed, check username and password or try a secure connection (code 2510)
ok
# VIII.4
Application terminated with expected error: Access denied for user 'user7_mysqlx'@'localhost' (using password: NO) (code 1045)
ok
# VIII.5
Application terminated with expected error: Access denied for user 'user7_mysqlx'@'localhost' (using password: NO) (code 1045)
ok
## IX. Verify X Plugins global and session status variables ('mysql_native_password')
#
# 1. Verify global SSL setup
# 2. Verify session SSL setup
#
# IX.1
SHOW GLOBAL STATUS WHERE `Variable_name` RLIKE '^Mysqlx_ssl_(cipher_list|ctx_verify_(depth|mode)|server_not_(after|before)|verify_(depth|mode))$';
Variable_name Value
Mysqlx_ssl_cipher_list
Mysqlx_ssl_ctx_verify_depth -1
Mysqlx_ssl_ctx_verify_mode 5
Mysqlx_ssl_server_not_after Dec 1 04:48:40 2029 GMT
Mysqlx_ssl_server_not_before Dec 5 04:48:40 2014 GMT
Mysqlx_ssl_verify_depth
Mysqlx_ssl_verify_mode
# IX.2
RUN SHOW STATUS WHERE `Variable_name` RLIKE '^Mysqlx_ssl_(cipher_list|ctx_verify_(depth|mode)|server_not_(after|before)|verify_(depth|mode))$'
Variable_name Value
Mysqlx_ssl_cipher_list DHE-RSA-AES256-SHA:AES256-SHA
Mysqlx_ssl_ctx_verify_depth -1
Mysqlx_ssl_ctx_verify_mode 5
Mysqlx_ssl_server_not_after Dec 1 04:48:40 2029 GMT
Mysqlx_ssl_server_not_before Dec 5 04:48:40 2014 GMT
Mysqlx_ssl_verify_depth -1
Mysqlx_ssl_verify_mode 5
0 rows affected
Mysqlx.Ok {
msg: "bye!"
}
ok
## X. Lets confirm that Mysqlx plugin validates the connection_type vs 'require_secure_transport'
## system variable ('mysql_native_password')
#
# 1. Connection without SSL (fails on TCP, it works on UNIX socket)
# 2. Connection with SSL (always must be successful)
#
# X.1
SET GLOBAL require_secure_transport:=1;
Application terminated with expected error: Connections using insecure transport are prohibited while --require_secure_transport=ON. (code 3159)
ok
# X.2
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value x_root@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 26]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 26]
Mysqlx.Ok {
msg: "bye!"
}
ok
SET GLOBAL require_secure_transport:=0;
## Cleanup
DROP USER user1_mysqlx@localhost;
DROP USER user2_mysqlx@localhost;
DROP USER user3_mysqlx@localhost;
DROP USER user4_mysqlx@localhost;
DROP USER user5_mysqlx@localhost;
DROP USER user6_mysqlx@localhost;
DROP USER user7_mysqlx@localhost;
SET GLOBAL mysqlx_connect_timeout = DEFAULT;
## Preamble
SET GLOBAL mysqlx_connect_timeout = 300;
call mtr.add_suppression("Maximum number of authentication attempts reached");
call mtr.add_suppression("Access denied for user .*");
CREATE USER user1_mysqlx@localhost
IDENTIFIED WITH 'sha256_password' BY 'auth_string1';
CREATE USER user2_mysqlx@localhost
IDENTIFIED WITH 'sha256_password' BY 'auth_string2'
PASSWORD EXPIRE;
CREATE USER user3_mysqlx@localhost
IDENTIFIED WITH 'sha256_password' BY 'auth_string3'
REQUIRE CIPHER "AES256-SHA" AND
SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
PASSWORD EXPIRE NEVER;
CREATE USER user4_mysqlx@localhost REQUIRE SSL ACCOUNT LOCK;
CREATE USER user5_mysqlx@localhost
IDENTIFIED WITH 'sha256_password' BY 'auth_string'
REQUIRE SSL;
CREATE USER user6_mysqlx@localhost
IDENTIFIED WITH 'sha256_password' BY 'dwh@#ghd'
REQUIRE x509;
CREATE USER user7_mysqlx@localhost
IDENTIFIED WITH 'sha256_password' BY ''
REQUIRE CIPHER "AES256-SHA";
GRANT ALL ON *.* TO user1_mysqlx@localhost;
GRANT ALL ON *.* TO user2_mysqlx@localhost;
GRANT ALL ON *.* TO user3_mysqlx@localhost;
GRANT ALL ON *.* TO user4_mysqlx@localhost;
GRANT ALL ON *.* TO user5_mysqlx@localhost;
GRANT ALL ON *.* TO user6_mysqlx@localhost;
GRANT ALL ON *.* TO user7_mysqlx@localhost;
## I. Verify handling of SSL with normal account ('sha256_password')
#
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user1_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 1]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 1]
Mysqlx.Ok {
msg: "bye!"
}
ok
## II. Verify handling of SSL with super account and XProtocol message
## CapabilitySet (without SSL options on it)
#
# 1. Try to set "tls" capability with invalid data (no-ssl connection)
# 2. Try to set "tls" capability with valid data (ssl connection)
#
# II.1
# setting read/write tls param with possible invalid data types:
# V_SINT,V_UINT ,V_NULL,V_OCTETS ,V_DOUBLE,V_FLOAT,V_STRING
send Mysqlx.Connection.CapabilitiesGet {
}
Mysqlx.Connection.Capabilities(capabilities[0]) = Mysqlx.Connection.Capability {
name: "tls"
value {
type: SCALAR
scalar {
type: V_BOOL
v_bool: false
}
}
}
# Checking CapSet TLS to bool 0
send Mysqlx.Connection.CapabilitiesSet {
capabilities {
capabilities {
name: "tls"
value {
type: SCALAR
scalar {
type: V_BOOL
v_bool: false
}
}
}
}
}
Got expected error:
Mysqlx.Error {
severity: ERROR
code: 5001
msg: "Capability prepare failed for \'tls\'"
sql_state: "HY000"
}
# CapSet TLS to null
send Mysqlx.Connection.CapabilitiesSet {
capabilities {
capabilities {
name: "tls"
value {
type: SCALAR
scalar {
type: V_NULL
}
}
}
}
}
Got expected error:
Mysqlx.Error {
severity: ERROR
code: 5001
msg: "Capability prepare failed for \'tls\'"
sql_state: "HY000"
}
# CapSet TLS to empty octet
send Mysqlx.Connection.CapabilitiesSet {
capabilities {
capabilities {
name: "tls"
value {
type: SCALAR
scalar {
type: V_OCTETS
}
}
}
}
}
Got expected error:
Mysqlx.Error {
severity: ERROR
code: 5001
msg: "Capability prepare failed for \'tls\'"
sql_state: "HY000"
}
# CapSet TLS to empty uint
send Mysqlx.Connection.CapabilitiesSet {
capabilities {
capabilities {
name: "tls"
value {
type: SCALAR
scalar {
type: V_UINT
}
}
}
}
}
Got expected error:
Mysqlx.Error {
severity: ERROR
code: 5001
msg: "Capability prepare failed for \'tls\'"
sql_state: "HY000"
}
# CapSet TLS to empty sint
send Mysqlx.Connection.CapabilitiesSet {
capabilities {
capabilities {
name: "tls"
value {
type: SCALAR
scalar {
type: V_SINT
}
}
}
}
}
Got expected error:
Mysqlx.Error {
severity: ERROR
code: 5001
msg: "Capability prepare failed for \'tls\'"
sql_state: "HY000"
}
ok
# II.2
send Mysqlx.Connection.CapabilitiesGet {
}
Mysqlx.Connection.Capabilities(capabilities[0]) = Mysqlx.Connection.Capability {
name: "tls"
value {
type: SCALAR
scalar {
type: V_BOOL
v_bool: false
}
}
}
send Mysqlx.Connection.CapabilitiesSet {
capabilities {
capabilities {
name: "tls"
value {
type: SCALAR
scalar {
type: V_BOOL
v_bool: true
}
}
}
}
}
Mysqlx.Ok {
}
# SSL Enabled
send Mysqlx.Connection.CapabilitiesGet {
}
Mysqlx.Connection.Capabilities(capabilities[0]) = Mysqlx.Connection.Capability {
name: "tls"
value {
type: SCALAR
scalar {
type: V_BOOL
v_bool: true
}
}
}
ok
## III. Verify handling of expired password with user2_mysqlx account ('sha256_password')
#
# 1. When client doesn't support handling of expired password,
# then connection must be rejected
# 2. When client support expired password, then he must be able
# to alter password
# 3. Verify that after the alter password, account can be used
# without any additional support for expired password on the client
# 4. When client support expired password, then he must be able
# to set the password
# 5. Verify that after the set password, account can be used
# without any additional support for expired password on the client
#
# III.1
Application terminated with expected error: Your password has expired. To log in you must change it using a client that supports expired passwords. (code 1862)
ok
# III.2
NOTICE: Account password expired
RUN ALTER USER USER() IDENTIFIED BY 'alter-new-auth'
0 rows affected
Mysqlx.Ok {
msg: "bye!"
}
ok
# III.3
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user2_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 5]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 5]
Mysqlx.Ok {
msg: "bye!"
}
ok
# III.4
ALTER USER user2_mysqlx@localhost PASSWORD EXPIRE;
NOTICE: Account password expired
RUN SET PASSWORD='set-new-auth'
0 rows affected
Mysqlx.Ok {
msg: "bye!"
}
ok
# III.5
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user2_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 7]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 7]
Mysqlx.Ok {
msg: "bye!"
}
ok
## IV. Verify handling of account that has requires concrete cipher, signed cert
## ('sha256_password')
#
# 1. Verify that user can connect when it has allowed cipher and matching cert
# 2. Verify that user can't connect when it has allowed cipher and non-matching cert
# 3. Verify that user can't connect when it doesn't use SSL
# 4. Verify that user can't connect when it use basic SSL configuration
# 5. Verify that user can't connect when it has allowed cipher and its without a cert
#
# IV.1
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user3_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 8]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 8]
Mysqlx.Ok {
msg: "bye!"
}
ok
# IV.2
Application terminated with expected error: Access denied for user 'user3_mysqlx'@'localhost' (using password: YES) (code 1045)
ok
# IV.3
Application terminated with expected error: Access denied for user 'user3_mysqlx'@'localhost' (using password: YES) (code 1045)
ok
# IV.4
Application terminated with expected error: Access denied for user 'user3_mysqlx'@'localhost' (using password: YES) (code 1045)
ok
# IV.5
Application terminated with expected error: Access denied for user 'user3_mysqlx'@'localhost' (using password: YES) (code 1045)
ok
## V. Verify handling of locked account ('sha256_password')
#
# 1. Verify that locked account can't connect
# 2. Unlock the account and verify that it can connect
#
# V.1
Application terminated with expected error: Access denied for user 'user4_mysqlx'@'localhost'. Account is locked. (code 3118)
ok
# V.2
ALTER USER user4_mysqlx@localhost ACCOUNT UNLOCK;
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user4_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 14]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 14]
Mysqlx.Ok {
msg: "bye!"
}
ok
## VI. Verify handling of account that was marked as SSL required ('sha256_password')
#
# 1. Verify connection with basic SSL configuration
# 2. Verify connection with SSL key & cert
# 3. Verify connection with SSL ca
#
# VI.1
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user5_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 15]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 15]
Mysqlx.Ok {
msg: "bye!"
}
ok
# VI.2
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user5_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 16]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 16]
Mysqlx.Ok {
msg: "bye!"
}
ok
# VI.3
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user5_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 17]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 17]
Mysqlx.Ok {
msg: "bye!"
}
ok
## VII. Verify handling of account that was marked as SSL required with signed cert
## ('sha256_password')
#
# 1. Verify connection with signed cert
# 2. Verify that connection is rejected when SSL is disabled
# 3. Verify that connection is rejected when CA is set
# 4. Verify that connection is rejected when using basic SSL configuration
#
# VII.1
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user6_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 18]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 18]
Mysqlx.Ok {
msg: "bye!"
}
ok
# VII.2
Application terminated with expected error: Authentication failed, check username and password or try a secure connection (code 2510)
ok
# VII.3
Application terminated with expected error: Access denied for user 'user6_mysqlx'@'localhost' (using password: YES) (code 1045)
ok
# VII.4
Application terminated with expected error: Access denied for user 'user6_mysqlx'@'localhost' (using password: YES) (code 1045)
ok
## VIII. Verify handling of account that was marked that requires concrete SSL cipher
## ('sha256_password')
#
# 1. Verify connection with concrete cipher and signed cert
# 2. Verify that connection is rejected with concrete cipher and without a cert
# 3. Verify that connection is rejected when SSL is disabled
# 4. Verify that connection is rejected with basic SSL configuration
# 5. Verify that connection is rejected with wrong cipher and signed cert
#
# VIII.1
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user7_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 21]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 21]
Mysqlx.Ok {
msg: "bye!"
}
ok
# VIII.2
Application terminated with expected error: Access denied for user 'user7_mysqlx'@'localhost' (using password: NO) (code 1045)
ok
# VIII.3
Application terminated with expected error: Authentication failed, check username and password or try a secure connection (code 2510)
ok
# VIII.4
Application terminated with expected error: Access denied for user 'user7_mysqlx'@'localhost' (using password: NO) (code 1045)
ok
# VIII.5
Application terminated with expected error: Access denied for user 'user7_mysqlx'@'localhost' (using password: NO) (code 1045)
ok
## IX. Verify X Plugins global and session status variables ('sha256_password')
#
# 1. Verify global SSL setup
# 2. Verify session SSL setup
#
# IX.1
SHOW GLOBAL STATUS WHERE `Variable_name` RLIKE '^Mysqlx_ssl_(cipher_list|ctx_verify_(depth|mode)|server_not_(after|before)|verify_(depth|mode))$';
Variable_name Value
Mysqlx_ssl_cipher_list
Mysqlx_ssl_ctx_verify_depth -1
Mysqlx_ssl_ctx_verify_mode 5
Mysqlx_ssl_server_not_after Dec 1 04:48:40 2029 GMT
Mysqlx_ssl_server_not_before Dec 5 04:48:40 2014 GMT
Mysqlx_ssl_verify_depth
Mysqlx_ssl_verify_mode
# IX.2
RUN SHOW STATUS WHERE `Variable_name` RLIKE '^Mysqlx_ssl_(cipher_list|ctx_verify_(depth|mode)|server_not_(after|before)|verify_(depth|mode))$'
Variable_name Value
Mysqlx_ssl_cipher_list DHE-RSA-AES256-SHA:AES256-SHA
Mysqlx_ssl_ctx_verify_depth -1
Mysqlx_ssl_ctx_verify_mode 5
Mysqlx_ssl_server_not_after Dec 1 04:48:40 2029 GMT
Mysqlx_ssl_server_not_before Dec 5 04:48:40 2014 GMT
Mysqlx_ssl_verify_depth -1
Mysqlx_ssl_verify_mode 5
0 rows affected
Mysqlx.Ok {
msg: "bye!"
}
ok
## X. Lets confirm that Mysqlx plugin validates the connection_type vs 'require_secure_transport'
## system variable ('sha256_password')
#
# 1. Connection without SSL (fails on TCP, it works on UNIX socket)
# 2. Connection with SSL (always must be successful)
#
# X.1
SET GLOBAL require_secure_transport:=1;
Application terminated with expected error: Connections using insecure transport are prohibited while --require_secure_transport=ON. (code 3159)
ok
# X.2
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value x_root@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 26]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 26]
Mysqlx.Ok {
msg: "bye!"
}
ok
SET GLOBAL require_secure_transport:=0;
## Cleanup
DROP USER user1_mysqlx@localhost;
DROP USER user2_mysqlx@localhost;
DROP USER user3_mysqlx@localhost;
DROP USER user4_mysqlx@localhost;
DROP USER user5_mysqlx@localhost;
DROP USER user6_mysqlx@localhost;
DROP USER user7_mysqlx@localhost;
SET GLOBAL mysqlx_connect_timeout = DEFAULT;
## Preamble
SET GLOBAL mysqlx_connect_timeout = 300;
call mtr.add_suppression("Maximum number of authentication attempts reached");
call mtr.add_suppression("Access denied for user .*");
CREATE USER user1_mysqlx@localhost
IDENTIFIED WITH 'caching_sha2_password' BY 'auth_string1';
CREATE USER user2_mysqlx@localhost
IDENTIFIED WITH 'caching_sha2_password' BY 'auth_string2'
PASSWORD EXPIRE;
CREATE USER user3_mysqlx@localhost
IDENTIFIED WITH 'caching_sha2_password' BY 'auth_string3'
REQUIRE CIPHER "AES256-SHA" AND
SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
PASSWORD EXPIRE NEVER;
CREATE USER user4_mysqlx@localhost REQUIRE SSL ACCOUNT LOCK;
CREATE USER user5_mysqlx@localhost
IDENTIFIED WITH 'caching_sha2_password' BY 'auth_string'
REQUIRE SSL;
CREATE USER user6_mysqlx@localhost
IDENTIFIED WITH 'caching_sha2_password' BY 'dwh@#ghd'
REQUIRE x509;
CREATE USER user7_mysqlx@localhost
IDENTIFIED WITH 'caching_sha2_password' BY ''
REQUIRE CIPHER "AES256-SHA";
GRANT ALL ON *.* TO user1_mysqlx@localhost;
GRANT ALL ON *.* TO user2_mysqlx@localhost;
GRANT ALL ON *.* TO user3_mysqlx@localhost;
GRANT ALL ON *.* TO user4_mysqlx@localhost;
GRANT ALL ON *.* TO user5_mysqlx@localhost;
GRANT ALL ON *.* TO user6_mysqlx@localhost;
GRANT ALL ON *.* TO user7_mysqlx@localhost;
## I. Verify handling of SSL with normal account ('caching_sha2_password')
#
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user1_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 1]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 1]
Mysqlx.Ok {
msg: "bye!"
}
ok
## II. Verify handling of SSL with super account and XProtocol message
## CapabilitySet (without SSL options on it)
#
# 1. Try to set "tls" capability with invalid data (no-ssl connection)
# 2. Try to set "tls" capability with valid data (ssl connection)
#
# II.1
# setting read/write tls param with possible invalid data types:
# V_SINT,V_UINT ,V_NULL,V_OCTETS ,V_DOUBLE,V_FLOAT,V_STRING
send Mysqlx.Connection.CapabilitiesGet {
}
Mysqlx.Connection.Capabilities(capabilities[0]) = Mysqlx.Connection.Capability {
name: "tls"
value {
type: SCALAR
scalar {
type: V_BOOL
v_bool: false
}
}
}
# Checking CapSet TLS to bool 0
send Mysqlx.Connection.CapabilitiesSet {
capabilities {
capabilities {
name: "tls"
value {
type: SCALAR
scalar {
type: V_BOOL
v_bool: false
}
}
}
}
}
Got expected error:
Mysqlx.Error {
severity: ERROR
code: 5001
msg: "Capability prepare failed for \'tls\'"
sql_state: "HY000"
}
# CapSet TLS to null
send Mysqlx.Connection.CapabilitiesSet {
capabilities {
capabilities {
name: "tls"
value {
type: SCALAR
scalar {
type: V_NULL
}
}
}
}
}
Got expected error:
Mysqlx.Error {
severity: ERROR
code: 5001
msg: "Capability prepare failed for \'tls\'"
sql_state: "HY000"
}
# CapSet TLS to empty octet
send Mysqlx.Connection.CapabilitiesSet {
capabilities {
capabilities {
name: "tls"
value {
type: SCALAR
scalar {
type: V_OCTETS
}
}
}
}
}
Got expected error:
Mysqlx.Error {
severity: ERROR
code: 5001
msg: "Capability prepare failed for \'tls\'"
sql_state: "HY000"
}
# CapSet TLS to empty uint
send Mysqlx.Connection.CapabilitiesSet {
capabilities {
capabilities {
name: "tls"
value {
type: SCALAR
scalar {
type: V_UINT
}
}
}
}
}
Got expected error:
Mysqlx.Error {
severity: ERROR
code: 5001
msg: "Capability prepare failed for \'tls\'"
sql_state: "HY000"
}
# CapSet TLS to empty sint
send Mysqlx.Connection.CapabilitiesSet {
capabilities {
capabilities {
name: "tls"
value {
type: SCALAR
scalar {
type: V_SINT
}
}
}
}
}
Got expected error:
Mysqlx.Error {
severity: ERROR
code: 5001
msg: "Capability prepare failed for \'tls\'"
sql_state: "HY000"
}
ok
# II.2
send Mysqlx.Connection.CapabilitiesGet {
}
Mysqlx.Connection.Capabilities(capabilities[0]) = Mysqlx.Connection.Capability {
name: "tls"
value {
type: SCALAR
scalar {
type: V_BOOL
v_bool: false
}
}
}
send Mysqlx.Connection.CapabilitiesSet {
capabilities {
capabilities {
name: "tls"
value {
type: SCALAR
scalar {
type: V_BOOL
v_bool: true
}
}
}
}
}
Mysqlx.Ok {
}
# SSL Enabled
send Mysqlx.Connection.CapabilitiesGet {
}
Mysqlx.Connection.Capabilities(capabilities[0]) = Mysqlx.Connection.Capability {
name: "tls"
value {
type: SCALAR
scalar {
type: V_BOOL
v_bool: true
}
}
}
ok
## III. Verify handling of expired password with user2_mysqlx account ('caching_sha2_password')
#
# 1. When client doesn't support handling of expired password,
# then connection must be rejected
# 2. When client support expired password, then he must be able
# to alter password
# 3. Verify that after the alter password, account can be used
# without any additional support for expired password on the client
# 4. When client support expired password, then he must be able
# to set the password
# 5. Verify that after the set password, account can be used
# without any additional support for expired password on the client
#
# III.1
Application terminated with expected error: Your password has expired. To log in you must change it using a client that supports expired passwords. (code 1862)
ok
# III.2
NOTICE: Account password expired
RUN ALTER USER USER() IDENTIFIED BY 'alter-new-auth'
0 rows affected
Mysqlx.Ok {
msg: "bye!"
}
ok
# III.3
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user2_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 5]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 5]
Mysqlx.Ok {
msg: "bye!"
}
ok
# III.4
ALTER USER user2_mysqlx@localhost PASSWORD EXPIRE;
NOTICE: Account password expired
RUN SET PASSWORD='set-new-auth'
0 rows affected
Mysqlx.Ok {
msg: "bye!"
}
ok
# III.5
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user2_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 7]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 7]
Mysqlx.Ok {
msg: "bye!"
}
ok
## IV. Verify handling of account that has requires concrete cipher, signed cert
## ('caching_sha2_password')
#
# 1. Verify that user can connect when it has allowed cipher and matching cert
# 2. Verify that user can't connect when it has allowed cipher and non-matching cert
# 3. Verify that user can't connect when it doesn't use SSL
# 4. Verify that user can't connect when it use basic SSL configuration
# 5. Verify that user can't connect when it has allowed cipher and its without a cert
#
# IV.1
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user3_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 8]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 8]
Mysqlx.Ok {
msg: "bye!"
}
ok
# IV.2
Application terminated with expected error: Access denied for user 'user3_mysqlx'@'localhost' (using password: YES) (code 1045)
ok
# IV.3
Application terminated with expected error: Access denied for user 'user3_mysqlx'@'localhost' (using password: YES) (code 1045)
ok
# IV.4
Application terminated with expected error: Access denied for user 'user3_mysqlx'@'localhost' (using password: YES) (code 1045)
ok
# IV.5
Application terminated with expected error: Access denied for user 'user3_mysqlx'@'localhost' (using password: YES) (code 1045)
ok
## V. Verify handling of locked account ('caching_sha2_password')
#
# 1. Verify that locked account can't connect
# 2. Unlock the account and verify that it can connect
#
# V.1
Application terminated with expected error: Access denied for user 'user4_mysqlx'@'localhost'. Account is locked. (code 3118)
ok
# V.2
ALTER USER user4_mysqlx@localhost ACCOUNT UNLOCK;
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user4_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 14]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 14]
Mysqlx.Ok {
msg: "bye!"
}
ok
## VI. Verify handling of account that was marked as SSL required ('caching_sha2_password')
#
# 1. Verify connection with basic SSL configuration
# 2. Verify connection with SSL key & cert
# 3. Verify connection with SSL ca
#
# VI.1
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user5_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 15]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 15]
Mysqlx.Ok {
msg: "bye!"
}
ok
# VI.2
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user5_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 16]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 16]
Mysqlx.Ok {
msg: "bye!"
}
ok
# VI.3
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user5_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 17]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 17]
Mysqlx.Ok {
msg: "bye!"
}
ok
## VII. Verify handling of account that was marked as SSL required with signed cert
## ('caching_sha2_password')
#
# 1. Verify connection with signed cert
# 2. Verify that connection is rejected when SSL is disabled
# 3. Verify that connection is rejected when CA is set
# 4. Verify that connection is rejected when using basic SSL configuration
#
# VII.1
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user6_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 18]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 18]
Mysqlx.Ok {
msg: "bye!"
}
ok
# VII.2
Application terminated with expected error: Authentication failed, check username and password or try a secure connection (code 2510)
ok
# VII.3
Application terminated with expected error: Access denied for user 'user6_mysqlx'@'localhost' (using password: YES) (code 1045)
ok
# VII.4
Application terminated with expected error: Access denied for user 'user6_mysqlx'@'localhost' (using password: YES) (code 1045)
ok
## VIII. Verify handling of account that was marked that requires concrete SSL cipher
## ('caching_sha2_password')
#
# 1. Verify connection with concrete cipher and signed cert
# 2. Verify that connection is rejected with concrete cipher and without a cert
# 3. Verify that connection is rejected when SSL is disabled
# 4. Verify that connection is rejected with basic SSL configuration
# 5. Verify that connection is rejected with wrong cipher and signed cert
#
# VIII.1
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value user7_mysqlx@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 21]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 21]
Mysqlx.Ok {
msg: "bye!"
}
ok
# VIII.2
Application terminated with expected error: Access denied for user 'user7_mysqlx'@'localhost' (using password: NO) (code 1045)
ok
# VIII.3
Application terminated with expected error: Authentication failed, check username and password or try a secure connection (code 2510)
ok
# VIII.4
Application terminated with expected error: Access denied for user 'user7_mysqlx'@'localhost' (using password: NO) (code 1045)
ok
# VIII.5
Application terminated with expected error: Access denied for user 'user7_mysqlx'@'localhost' (using password: NO) (code 1045)
ok
## IX. Verify X Plugins global and session status variables ('caching_sha2_password')
#
# 1. Verify global SSL setup
# 2. Verify session SSL setup
#
# IX.1
SHOW GLOBAL STATUS WHERE `Variable_name` RLIKE '^Mysqlx_ssl_(cipher_list|ctx_verify_(depth|mode)|server_not_(after|before)|verify_(depth|mode))$';
Variable_name Value
Mysqlx_ssl_cipher_list
Mysqlx_ssl_ctx_verify_depth -1
Mysqlx_ssl_ctx_verify_mode 5
Mysqlx_ssl_server_not_after Dec 1 04:48:40 2029 GMT
Mysqlx_ssl_server_not_before Dec 5 04:48:40 2014 GMT
Mysqlx_ssl_verify_depth
Mysqlx_ssl_verify_mode
# IX.2
RUN SHOW STATUS WHERE `Variable_name` RLIKE '^Mysqlx_ssl_(cipher_list|ctx_verify_(depth|mode)|server_not_(after|before)|verify_(depth|mode))$'
Variable_name Value
Mysqlx_ssl_cipher_list DHE-RSA-AES256-SHA:AES256-SHA
Mysqlx_ssl_ctx_verify_depth -1
Mysqlx_ssl_ctx_verify_mode 5
Mysqlx_ssl_server_not_after Dec 1 04:48:40 2029 GMT
Mysqlx_ssl_server_not_before Dec 5 04:48:40 2014 GMT
Mysqlx_ssl_verify_depth -1
Mysqlx_ssl_verify_mode 5
0 rows affected
Mysqlx.Ok {
msg: "bye!"
}
ok
## X. Lets confirm that Mysqlx plugin validates the connection_type vs 'require_secure_transport'
## system variable ('caching_sha2_password')
#
# 1. Connection without SSL (fails on TCP, it works on UNIX socket)
# 2. Connection with SSL (always must be successful)
#
# X.1
SET GLOBAL require_secure_transport:=1;
Application terminated with expected error: Connections using insecure transport are prohibited while --require_secure_transport=ON. (code 3159)
ok
# X.2
Verify ["SELECT USER() as column_user" returns in "column_user" column, following value x_root@localhost]
Verify ["SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id()" returns in "CONNECTION_TYPE" column, following value SSL/TLS]
Verify [Status variable "Mysqlx_ssl_version" needs to have a value of TLSv1]
Verify [Status variable "Mysqlx_ssl_cipher" needs to have a value of DHE-RSA-AES256-SHA]
Verify [Status variable "Mysqlx_ssl_accepts" needs to have a value of 26]
Verify [Status variable "Mysqlx_ssl_finished_accepts" needs to have a value of 26]
Mysqlx.Ok {
msg: "bye!"
}
ok
SET GLOBAL require_secure_transport:=0;
## Cleanup
DROP USER user1_mysqlx@localhost;
DROP USER user2_mysqlx@localhost;
DROP USER user3_mysqlx@localhost;
DROP USER user4_mysqlx@localhost;
DROP USER user5_mysqlx@localhost;
DROP USER user6_mysqlx@localhost;
DROP USER user7_mysqlx@localhost;
SET GLOBAL mysqlx_connect_timeout = DEFAULT;
Reference in New Issue View Git Blame Copy Permalink