Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-7794

MariaDB - mysql-test - fips: some ssl tests with cipher are failing

        Details

        • Type: Bug
        • Status: Closed
        • Priority: Major
        • Resolution: Fixed
        • Affects Version/s: 10.0.16
        • Fix Version/s: 10.0.18
        • Component/s: SSL
        • Labels:
        • Environment:
          SLES 12 x86-64

          Description

          When FIPS=1 some ssl tests are failing.

          see bug #920865

          :/usr/share/mysql-test # ./mysql-test-run.pl --do-test=ssl --force
Logging: ./mysql-test-run.pl  --do-test=ssl --force
vardir: /usr/share/mysql-test/var
Checking leftover processes...
Removing old var directory...
Creating var directory '/usr/share/mysql-test/var'...
Checking supported features...
MariaDB Version 10.0.16-MariaDB
 - SSL connections supported
Using suites: main-,archive-,binlog-,csv-,federated-,funcs_1-,funcs_2-,handler-,heap-,innodb-,innodb_fts-,innodb_zip-,maria-,multi_source-,optimizer_unfixed_bugs-,parts-,percona-,perfschema-,plugins-,roles-,rpl-,sys_vars-,unit-,vcol-,connect,metadata_lock_info,mroonga/storage,mroonga/wrapper,query_response_time,sequence,spider,spider/bg,sql_discovery
Collecting tests...
Installing system database...

==============================================================================

TEST                                      RESULT   TIME (ms) or COMMENT
--------------------------------------------------------------------------

worker[1] Using MTR_BUILD_THREAD 300, with reserved ports 16000..16019
worker[1] mysql-test-run: WARNING: running this script as _root_ will cause some tests to be skipped
main.ssl-big                             [ skipped ]  Test needs --big-test
main.ssl_crl                             [ disabled ]  broken upstream
main.ssl_crl_clients_valid               [ disabled ]  broken upstream
main.ssl_crl_clrpath                     [ disabled ]  broken upstream
main.ssl_and_innodb 'innodb_plugin'      [ pass ]     19
main.ssl_and_innodb 'xtradb'             [ pass ]     31
main.ssl_8k_key                          [ fail ]
        Test ended at 2015-03-05 15:57:28

CURRENT_TEST: main.ssl_8k_key
mysqltest: At line 8: exec of '/usr/bin/mysql --defaults-file=/usr/share/mysql-test/var/my.cnf --ssl --ssl-key=/usr/share/mysql-test/std_data/client-key.pem --ssl-cert=/usr/share/mysql-test/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1' failed, error: 256, status: 1, errno: 2
Output from before failure:
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

 - saving '/usr/share/mysql-test/var/log/main.ssl_8k_key/' to '/usr/share/mysql-test/var/log/main.ssl_8k_key/'
main.ssl_cipher                          [ pass ]    109
main.ssl_crl_clients                     [ pass ]    203
main.ssl                                 [ fail ]
        Test ended at 2015-03-05 15:57:32

CURRENT_TEST: main.ssl
--- /usr/share/mysql-test/r/ssl.result	2015-01-25 16:21:40.000000000 +0100
+++ /usr/share/mysql-test/r/ssl.reject	2015-03-05 15:57:32.128759583 +0100
@@ -1,12 +1,12 @@
 SHOW STATUS LIKE 'Ssl_cipher';
 Variable_name	Value
-Ssl_cipher	DHE-RSA-AES256-SHA
+Ssl_cipher	AES256-GCM-SHA384
 SHOW STATUS LIKE 'Ssl_server_not_before';
 Variable_name	Value
-Ssl_server_not_before	Feb 20 02:55:06 2010 GMT
+Ssl_server_not_before	Mar  4 14:55:11 2015 GMT
 SHOW STATUS LIKE 'Ssl_server_not_after';
 Variable_name	Value
-Ssl_server_not_after	Sep  3 02:55:06 2030 GMT
+Ssl_server_not_after	Feb 27 14:55:11 2035 GMT
 drop table if exists t1,t2,t3,t4;
 CREATE TABLE t1 (
 Period smallint(4) unsigned zerofill DEFAULT '0000' NOT NULL,
@@ -2165,4 +2165,4 @@
 drop table t1;
 SHOW STATUS LIKE 'Ssl_cipher';
 Variable_name	Value
-Ssl_cipher	DHE-RSA-AES256-SHA
+Ssl_cipher	AES256-GCM-SHA384

mysqltest: Result length mismatch

 - saving '/usr/share/mysql-test/var/log/main.ssl/' to '/usr/share/mysql-test/var/log/main.ssl/'
main.ssl_compress                        [ fail ]
        Test ended at 2015-03-05 15:57:34

CURRENT_TEST: main.ssl_compress
--- /usr/share/mysql-test/r/ssl_compress.result	2015-01-25 16:21:36.000000000 +0100
+++ /usr/share/mysql-test/r/ssl_compress.reject	2015-03-05 15:57:34.484759583 +0100
@@ -1,6 +1,6 @@
 SHOW STATUS LIKE 'Ssl_cipher';
 Variable_name	Value
-Ssl_cipher	DHE-RSA-AES256-SHA
+Ssl_cipher	AES256-GCM-SHA384
 SHOW STATUS LIKE 'Compression';
 Variable_name	Value
 Compression	ON
@@ -2162,7 +2162,7 @@
 drop table t1;
 SHOW STATUS LIKE 'Ssl_cipher';
 Variable_name	Value
-Ssl_cipher	DHE-RSA-AES256-SHA
+Ssl_cipher	AES256-GCM-SHA384
 SHOW STATUS LIKE 'Compression';
 Variable_name	Value
 Compression	ON

mysqltest: Result length mismatch

 - saving '/usr/share/mysql-test/var/log/main.ssl_compress/' to '/usr/share/mysql-test/var/log/main.ssl_compress/'
main.ssl_connect                         [ pass ]    677
sys_vars.ssl_ca_basic                    [ pass ]      4
sys_vars.ssl_capath_basic                [ pass ]      1
sys_vars.ssl_cert_basic                  [ pass ]      7
sys_vars.ssl_cipher_basic                [ pass ]      1
sys_vars.ssl_crl_basic                   [ pass ]       
sys_vars.ssl_crlpath_basic               [ pass ]       
sys_vars.ssl_key_basic                   [ pass ]      1
--------------------------------------------------------------------------
The servers were restarted 7 times
Spent 1.053 of 21 seconds executing testcases

Completed: Failed 3/15 tests, 80.00% were successful.

Failing test(s): main.ssl_8k_key main.ssl main.ssl_compress

The log files in var/log may give you some hint of what went wrong.

If you want to report this error, please read first the documentation
at http://dev.mysql.com/doc/mysql/en/mysql-test-suite.html

          (bug #920246 - MDEV-7536 - ssl certs regenerated as workaround - do not take in an account SHOW STATUS LIKE 'Ssl_server_not_before'; in main.ssl)

          https://bugzilla.suse.com/show_bug.cgi?id=920896

            Gliffy Diagrams

              Attachments

                Issue Links

                relates to

                Bug - A problem which impairs or prevents the functions of the product. MDEV-7695 MariaDB - ssl - fips: can not connect with --ssl-cipher=DHE-RSA-AES256-SHA - handshake failure

                • Major - Major loss of function.
                • Closed

                Bug - A problem which impairs or prevents the functions of the product. MDEV-7788 my_md5 crashes with openssl in fips mode

                • Major - Major loss of function.
                • Closed

                  Activity

                  Hide
                  Permalink
                  nirbhay_c Nirbhay Choubey added a comment -

                  https://github.com/MariaDB/server/commit/601dcd492000830480ff446b25b17945bc660902

                  Show
                  nirbhay_c Nirbhay Choubey added a comment - https://github.com/MariaDB/server/commit/601dcd492000830480ff446b25b17945bc660902

                    People

                    • Assignee:
                      serg Sergei Golubchik
                      Reporter:
                      nirbhay_c Nirbhay Choubey
                    • Votes:
                      0 Vote for this issue
                      Watchers:
                      2 Start watching this issue

                      Dates

                      • Created:
                        Updated:
                        Resolved:

                        Time Tracking

                        Estimated:
                        Original Estimate - Not Specified
                        Not Specified
                        Remaining:
                        Remaining Estimate - 0 minutes
                        0m
                        Logged:
                        Time Spent - 30 minutes
                        30m