Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-33822

Every MTR test that uses NOSSL is broken

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Cannot Reproduce
    • 11.4
    • N/A
    • SSL, Tests
    • None

    Description

      In 585c096aa53c ("cleanup: unify client's setting of ssl options"), serg introduced a bug that causes the USE_SSL_FORBIDDEN case to be treated identically to the USE_SSL_REQUIRED case.

      These means that any and all tests which use connect(..., NOSSL) to try to establish a non-SSL connection are actually establish an SSL-required connection.

      Completely breaks and/or inverts the logic of all these tests.

      See https://github.com/mariadb/server/commit/585c096aa53c#r140576270 for the details.

      The short summary is that there's a critical missing case in the SET_SSL_OPTS macro:

      #define SET_SSL_OPTS(M)                                                 \
      		 
        do {                                                                  \
      		 
          if (opt_use_ssl)                                                    \
      		 
          /* if (opt_use_ssl == -1) {} else */ /* SSL forbidden THIS IS THE MISSING CASE */            \
      		 
          if (opt_use_ssl) /* SSL required */                                 \
      		 
          {                                                                   \
      		 
            mysql_ssl_set((M), opt_ssl_key, opt_ssl_cert, opt_ssl_ca,         \
      		 
                          opt_ssl_capath, opt_ssl_cipher);                    \
      		 
            mysql_options((M), MYSQL_OPT_SSL_CRL, opt_ssl_crl);               \
      		 
            mysql_options((M), MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);       \
      		 
            mysql_options((M), MARIADB_OPT_TLS_VERSION, opt_tls_version);     \
      		 
            mysql_options((M), MARIADB_OPT_TLS_PEER_FP, opt_ssl_fp);          \
      		 
            mysql_options((M), MARIADB_OPT_TLS_PEER_FP_LIST, opt_ssl_fplist); \
      		 
          }                                                                   \
      		 
         else /* SSL if available */                                         \
      		 
            opt_ssl_verify_server_cert= 0;                                    \
      		 
          mysql_options((M),MYSQL_OPT_SSL_VERIFY_SERVER_CERT,                 \
      		 
                        &opt_ssl_verify_server_cert);                         \
      		 
        } while(0)

      Attachments

        Activity

          Ascending order - Click to sort in descending order
          dlenski Daniel Lenski (Inactive) created issue -
          dlenski Daniel Lenski (Inactive) made changes -
          Field Original Value New Value
          Description In [585c096aa53c|https://github.com/mariadb/server/commit/585c096aa53c] ("cleanup: unify client's setting of ssl options"), [~serg] introduced a bug that causes the {{USE_SSL_FORBIDDEN}} case to be treated _identically_ to the {{USE_SSL_REQUIRED}} case.

          These means that any and all tests which [use {{connect(..., NOSSL)}}|https://github.com/mariadb/server/blob/585c096aa53c/client/mysqltest.cc#L6085-L6086] to try to establish a *non-SSL* connection are actually establish an *SSL-required* connection.

          {color:red}Completely breaks and/or inverts the logic of all these tests.{color}

          See https://github.com/mariadb/server/commit/585c096aa53c#r140576270 for the details.

          The short summary is that there's a critical missing case in the {{SET_SSL_OPTS}} macro:

          {code:c}
          #define SET_SSL_OPTS(M) \
            do { \
              if (opt_use_ssl) \
              /* if (opt_use_ssl == -1) {} else */ /* SSL forbidden THIS IS THE MISSING CASE */ \
              if (opt_use_ssl) /* SSL required */ \
              { \
                mysql_ssl_set((M), opt_ssl_key, opt_ssl_cert, opt_ssl_ca, \
                              opt_ssl_capath, opt_ssl_cipher); \
                mysql_options((M), MYSQL_OPT_SSL_CRL, opt_ssl_crl); \
                mysql_options((M), MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath); \
                mysql_options((M), MARIADB_OPT_TLS_VERSION, opt_tls_version); \
                mysql_options((M), MARIADB_OPT_TLS_PEER_FP, opt_ssl_fp); \
                mysql_options((M), MARIADB_OPT_TLS_PEER_FP_LIST, opt_ssl_fplist); \
              } \
             else /* SSL if available */ \
                opt_ssl_verify_server_cert= 0; \
              mysql_options((M),MYSQL_OPT_SSL_VERIFY_SERVER_CERT, \
                            &opt_ssl_verify_server_cert); \
            } while(0)
          {code}           		In [585c096aa53c|https://github.com/mariadb/server/commit/585c096aa53c] ("cleanup: unify client's setting of ssl options"), [~serg] introduced a bug that causes the {{USE_SSL_FORBIDDEN}} case to be treated _identically_ to the {{USE_SSL_REQUIRED}} case.

          These means that any and all tests which [use {{connect(..., NOSSL)}}|https://github.com/mariadb/server/blob/585c096aa53c/client/mysqltest.cc#L6085-L6086] to try to establish a *non-SSL* connection are actually establish an *SSL-required* connection.

          Completely breaks and/or inverts the logic of all these tests.

          See https://github.com/mariadb/server/commit/585c096aa53c#r140576270 for the details.

          The short summary is that there's a critical missing case in the {{SET_SSL_OPTS}} macro:

          {code:c}
          #define SET_SSL_OPTS(M) \
            do { \
              if (opt_use_ssl) \
              /* if (opt_use_ssl == -1) {} else */ /* SSL forbidden THIS IS THE MISSING CASE */ \
              if (opt_use_ssl) /* SSL required */ \
              { \
                mysql_ssl_set((M), opt_ssl_key, opt_ssl_cert, opt_ssl_ca, \
                              opt_ssl_capath, opt_ssl_cipher); \
                mysql_options((M), MYSQL_OPT_SSL_CRL, opt_ssl_crl); \
                mysql_options((M), MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath); \
                mysql_options((M), MARIADB_OPT_TLS_VERSION, opt_tls_version); \
                mysql_options((M), MARIADB_OPT_TLS_PEER_FP, opt_ssl_fp); \
                mysql_options((M), MARIADB_OPT_TLS_PEER_FP_LIST, opt_ssl_fplist); \
              } \
             else /* SSL if available */ \
                opt_ssl_verify_server_cert= 0; \
              mysql_options((M),MYSQL_OPT_SSL_VERIFY_SERVER_CERT, \
                            &opt_ssl_verify_server_cert); \
            } while(0)
          {code}
          serg Sergei Golubchik made changes -
          Status Open [ 1 ] Needs Feedback [ 10501 ]
          serg Sergei Golubchik made changes -
          Assignee Sergei Golubchik [ serg ]
          serg Sergei Golubchik made changes -
          Status Needs Feedback [ 10501 ] Open [ 1 ]
          serg Sergei Golubchik made changes -
          Affects Version/s 11.4 [ 29301 ]
          serg Sergei Golubchik made changes -
          Fix Version/s 11.4 [ 29301 ]
          serg Sergei Golubchik made changes -
          Component/s SSL [ 10112 ]
          Component/s Tests [ 10800 ]
          Fix Version/s N/A [ 14700 ]
          Fix Version/s 11.4 [ 29301 ]
          Resolution Cannot Reproduce [ 5 ]
          Status Open [ 1 ] Closed [ 6 ]

          People

            serg Sergei Golubchik
            dlenski Daniel Lenski (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.