summaryrefslogtreecommitdiffstats
path: root/mysql-cipherspec.patch
blob: 5210055c73718f7638a92e056ee95e9829e74e5b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
Some test items assume the default SSL cipher is DHE-RSA-AES256-SHA, 
which is no longer the case as of openssl 1.0.1.
This patch enhances connect command by an option to specify a cipher 
and tests are adjusted to specify the expected cipher explicitly.
Upstream bug report: http://bugs.mysql.com/bug.php?id=64461

diff -up mysql-5.5.28/client/mysqltest.cc.p18 mysql-5.5.28/client/mysqltest.cc
--- mysql-5.5.28/client/mysqltest.cc.p18	2012-08-29 10:50:46.000000000 +0200
+++ mysql-5.5.28/client/mysqltest.cc	2012-12-06 14:25:46.370001422 +0100
@@ -5458,6 +5458,7 @@ void do_connect(struct st_command *comma
   my_bool con_ssl= 0, con_compress= 0;
   my_bool con_pipe= 0, con_shm= 0, con_cleartext_enable= 0;
   struct st_connection* con_slot;
+  char *con_cipher=NULL;
 
   static DYNAMIC_STRING ds_connection_name;
   static DYNAMIC_STRING ds_host;
@@ -5548,6 +5549,8 @@ void do_connect(struct st_command *comma
       con_shm= 1;
     else if (!strncmp(con_options, "CLEARTEXT", 9))
       con_cleartext_enable= 1;
+    else if (!strncmp(con_options, "CIPHER:", 7))
+      con_cipher = con_options + 7;
     else
       die("Illegal option to connect: %.*s", 
           (int) (end - con_options), con_options);
@@ -5595,8 +5598,11 @@ void do_connect(struct st_command *comma
   if (con_ssl)
   {
 #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+  /* default cipher */
+    if (con_cipher == NULL && opt_ssl_cipher != NULL)
+      con_cipher = opt_ssl_cipher;
     mysql_ssl_set(&con_slot->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
-		  opt_ssl_capath, opt_ssl_cipher);
+		  opt_ssl_capath, con_cipher);
 #if MYSQL_VERSION_ID >= 50000
     /* Turn on ssl_verify_server_cert only if host is "localhost" */
     opt_ssl_verify_server_cert= !strcmp(ds_host.str, "localhost");
diff -up mysql-5.5.28/mysql-test/t/openssl_1.test.p18 mysql-5.5.28/mysql-test/t/openssl_1.test
--- mysql-5.5.28/mysql-test/t/openssl_1.test.p18	2012-08-29 10:50:47.000000000 +0200
+++ mysql-5.5.28/mysql-test/t/openssl_1.test	2012-12-06 14:25:46.371001424 +0100
@@ -20,13 +20,13 @@ grant select on test.* to ssl_user4@loca
 grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
 flush privileges;
 
-connect (con1,localhost,ssl_user1,,,,,SSL);
-connect (con2,localhost,ssl_user2,,,,,SSL);
-connect (con3,localhost,ssl_user3,,,,,SSL);
-connect (con4,localhost,ssl_user4,,,,,SSL);
+connect (con1,localhost,ssl_user1,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
+connect (con2,localhost,ssl_user2,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
+connect (con3,localhost,ssl_user3,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
+connect (con4,localhost,ssl_user4,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
 --replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
 --error ER_ACCESS_DENIED_ERROR
-connect (con5,localhost,ssl_user5,,,,,SSL);
+connect (con5,localhost,ssl_user5,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
 
 connection con1;
 # Check ssl turned on
@@ -125,7 +125,7 @@ drop table t1;
 # verification of servers certificate by setting both ca certificate
 # and ca path to NULL
 #
---exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
+--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem --ssl-cipher=DHE-RSA-AES256-SHA -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
 --echo End of 5.0 tests
 
 #
@@ -250,7 +250,7 @@ select 'is still running; no cipher requ
 
 GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509;
 FLUSH PRIVILEGES;
-connect(con1,localhost,bug42158,,,,,SSL);
+connect(con1,localhost,bug42158,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
 SHOW STATUS LIKE 'Ssl_cipher';
 disconnect con1;
 connection default;
diff -up mysql-5.5.28/mysql-test/t/ssl_8k_key.test.p18 mysql-5.5.28/mysql-test/t/ssl_8k_key.test
--- mysql-5.5.28/mysql-test/t/ssl_8k_key.test.p18	2012-08-29 10:50:47.000000000 +0200
+++ mysql-5.5.28/mysql-test/t/ssl_8k_key.test	2012-12-06 14:25:46.371001424 +0100
@@ -2,7 +2,7 @@
 #
 # Bug#29784 YaSSL assertion failure when reading 8k key.
 #
---exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
+--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem --ssl-cipher=DHE-RSA-AES256-SHA -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
 
 ##  This test file is for testing encrypted communication only, not other
 ##  encryption routines that the SSL library happens to provide!
diff -up mysql-5.5.28/mysql-test/t/ssl_compress.test.p18 mysql-5.5.28/mysql-test/t/ssl_compress.test
--- mysql-5.5.28/mysql-test/t/ssl_compress.test.p18	2012-08-29 10:50:47.000000000 +0200
+++ mysql-5.5.28/mysql-test/t/ssl_compress.test	2012-12-06 14:25:46.371001424 +0100
@@ -7,7 +7,7 @@
 # Save the initial number of concurrent sessions
 --source include/count_sessions.inc
 
-connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS);
+connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS CIPHER:DHE-RSA-AES256-SHA);
 
 # Check ssl turned on
 SHOW STATUS LIKE 'Ssl_cipher';
diff -up mysql-5.5.28/mysql-test/t/ssl.test.p18 mysql-5.5.28/mysql-test/t/ssl.test
--- mysql-5.5.28/mysql-test/t/ssl.test.p18	2012-08-29 10:50:47.000000000 +0200
+++ mysql-5.5.28/mysql-test/t/ssl.test	2012-12-06 14:25:46.371001424 +0100
@@ -6,7 +6,7 @@
 # Save the initial number of concurrent sessions
 --source include/count_sessions.inc
 
-connect (ssl_con,localhost,root,,,,,SSL);
+connect (ssl_con,localhost,root,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
 
 # Check ssl turned on
 SHOW STATUS LIKE 'Ssl_cipher';