diff --git a/mysql-test/main/bad_startup_options.result b/mysql-test/main/bad_startup_options.result
index b1eed54e17281..7846e629ef8a9 100644
--- a/mysql-test/main/bad_startup_options.result
+++ b/mysql-test/main/bad_startup_options.result
@@ -1,2 +1,3 @@
 FOUND 1 /\[ERROR\] SSL error: Unable to get certificate/ in errorlog.err
+FOUND 1 /\[ERROR\] SSL error: Failed to set ciphers to use/ in errorlog.err
 # restart
diff --git a/mysql-test/main/bad_startup_options.test b/mysql-test/main/bad_startup_options.test
index e758d7860497e..ba88476625d8e 100644
--- a/mysql-test/main/bad_startup_options.test
+++ b/mysql-test/main/bad_startup_options.test
@@ -19,4 +19,11 @@
 --source include/search_pattern_in_file.inc
 --remove_file $SEARCH_FILE
 
+# No valid cipher suites
+--error 1
+--exec $MYSQLD --defaults-group-suffix=.1 --defaults-file=$MYSQLTEST_VARDIR/my.cnf --ssl-cipher=ECDHE-ECDSA-FAKE-CIPHER:ECDHE-RSA-INVALID --log-error=$errorlog
+--let SEARCH_PATTERN=\[ERROR\] SSL error: Failed to set ciphers to use
+--source include/search_pattern_in_file.inc
+--remove_file $SEARCH_FILE
+
 --source include/start_mysqld.inc
diff --git a/mysql-test/main/ssl_cipher.result b/mysql-test/main/ssl_cipher.result
index d549ec7d2b449..c6a6a0d94d59f 100644
--- a/mysql-test/main/ssl_cipher.result
+++ b/mysql-test/main/ssl_cipher.result
@@ -68,3 +68,6 @@ disconnect ssl_con;
 connection default;
 call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
 FOUND 2 /TLSv1.0 and TLSv1.1 are insecure/ in mysqld.1.err
+# restart: --ssl-cipher=ECDHE-ECDSA-AES128-GCM-SHA256
+Variable_name Value
+Ssl_version
diff --git a/mysql-test/main/ssl_cipher.test b/mysql-test/main/ssl_cipher.test
index 0d33ec5d5e020..62e9a90d915b1 100644
--- a/mysql-test/main/ssl_cipher.test
+++ b/mysql-test/main/ssl_cipher.test
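Review bot: In the bad_startup_options.test hunk, the new case passes a list in which every name is bogus (`ECDHE-ECDSA-FAKE-CIPHER:ECDHE-RSA-INVALID`), so it pins only the total-failure path. On an OpenSSL-backed build a cipher list is normally accepted as long as at least one entry resolves, so a typo next to a valid name would presumably start cleanly with a narrower set than the operator intended; the server-side change is not visible here, so that is an inference. I would state the limit above the case, e.g. `# Every name is invalid; a list with at least one valid name is not covered here`, or add a second case with one valid and one invalid name and record what the server does with it.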
@@ -112,3 +112,20 @@ call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
 --let SEARCH_FILE=$MYSQLTEST_VARDIR/log/mysqld.1.err
 --let SEARCH_PATTERN= TLSv1.0 and TLSv1.1 are insecure
 --source include/search_pattern_in_file.inc
+
+#
+# Server is configured with ciphers that are not compatible with the server certificate (std_data/cacert.pem is RSA)
+#
+let $restart_parameters=--ssl-cipher=ECDHE-ECDSA-AES128-GCM-SHA256;
+source include/restart_mysqld.inc;
+
+# Connections are rejected as client attempts tls by default
+--error 1
+--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'ssl_version'"
+
+# Connections are rejected if client explicitly specifies tls
+--error 1
+--exec $MYSQL --host=localhost --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-verify-server-cert -e "SHOW STATUS LIKE 'ssl_version'"
+
+# Connections can be made with --skip-ssl
+--exec $MYSQL --host=localhost --skip-ssl -e "SHOW STATUS LIKE 'ssl_version'"
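Review bot: The two `--error 1` cases after the restart assert only the client's exit status, so they pass on any client failure and not specifically on a failed TLS handshake; the ssl_cipher.result hunk records no output for them, only the `--skip-ssl` row. Since the point of the test is that a client gets no session when the configured cipher and the RSA certificate have nothing in common, the reason should be pinned: append `2>&1` to both failing `--exec` lines so the error text lands in the result file, with a `--replace_regex` in front if the wording differs between TLS libraries. The last comment could also say that the plaintext success is intended, e.g. `# Plaintext connections still succeed with --skip-ssl (Ssl_version is empty)`.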