Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 10.11.16, 11.8.6, 12.3.1
- None
- any MTR run with '--ssl'
Description
When MTR runs with --ssl (as Fedora's %check does), all client connections use TLS. This causes four categories of test failure. All fixes are test-side, backward-compatible, and produce identical results without --ssl.
PR: https://github.com/MariaDB/server/pull/4929
1. TLS error codes replace MySQL protocol error codes
The connector's TLS layer intercepts server-side errors before the MySQL protocol can report them. For example, error 2026 (CR_SSL_CONNECTION_ERROR) replaces 2013 (CR_SERVER_LOST) on killed/crashed connections, and error 2002 (CR_CONNECTION_ERROR) replaces 1040 (ER_CON_COUNT_ERROR) when max_connections is exceeded.
This was partially addressed in two earlier commits (CONC-603 in 2022, MDEV-30452 in 2023), but only for tests actively failing upstream at the time. Thirteen tests remained unfixed.
This is arguably a connector bug — the connector should propagate the server's error code through the TLS layer rather than replacing it with a generic TLS error. The test-side fix (adding the TLS error codes to --error directives) is needed until the connector is fixed, and becomes a harmless no-op afterward.
2. Value differences in test output
connection_type in performance_schema.threads shows 'SSL/TLS' instead of 'Socket'. The server_audit plugin logs the TLS version (e.g. 'TLSv1.3') in CONNECT/DISCONNECT events.
Fix: --replace_result and --replace_regex to normalize the output. Without --ssl the replacements are no-ops.
3. Missing PFS socket instrumentation
Under TLS, data flows through SSL_read/SSL_write instead of direct recv/send syscalls, completely bypassing the performance_schema socket I/O instrumentation hooks. Tests that verify socket wait events or byte counters get zero values.
Fix: detect active TLS session via Ssl_cipher status variable and skip the affected tests. The existing not_ssl.inc checks @@have_ssl (server capability), which is always 'YES' on OpenSSL builds and would skip too aggressively.
4. Ssl_cipher_list truncation
Ssl_cipher_list contains the full list of supported ciphers (~2047 chars on Fedora's OpenSSL 3.x), exceeding the VARCHAR(1024) VARIABLE_VALUE column in PFS and information_schema tables. This causes ER_DATA_TOO_LONG in multi-table UPDATEs with STRICT_TRANS_TABLES, and Warning 1265 in information_schema SELECTs.
Fix: temporarily relax sql_mode for PFS-joining UPDATEs; wrap information_schema SELECTs with --disable_warnings.
—
Upstream CI doesn't use --ssl, so these failures go unnoticed.
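An added example, not code from the PR or from MariaDB: a Python check that flags `--error` directives listing 2013 or 1040 without the TLS codes 2026 or 2002 described in category 1, as candidates for review before a `--ssl` run. The function name, the sample test lines and the handling of the symbolic name ER_CON_COUNT_ERROR are assumptions of this example.

```python
import re

# Pairs taken from the issue text: protocol error code -> code that replaces
# it when the client connection uses TLS.
TLS_COUNTERPART = {"2013": "2026", "1040": "2002"}
# Symbolic spelling a test may use instead of the number (name from the issue).
SYMBOLIC = {"ER_CON_COUNT_ERROR": "1040"}

# Matches both mysqltest spellings: "--error 2013,1040" and "error 2013;"
ERROR_DIRECTIVE = re.compile(r"^\s*(?:--\s*)?error\s+([^;#]+)", re.IGNORECASE)


def missing_tls_codes(test_source):
    """Return [(line_no, [codes to add])] for error directives that list a
    protocol error code but not its TLS counterpart."""
    findings = []
    for line_no, line in enumerate(test_source.splitlines(), start=1):
        match = ERROR_DIRECTIVE.match(line)
        if not match:
            continue
        # Normalize each listed code: trim spaces, map symbolic names to numbers.
        listed = {SYMBOLIC.get(tok.strip(), tok.strip())
                  for tok in match.group(1).split(",")}
        to_add = sorted(tls for code, tls in TLS_COUNTERPART.items()
                        if code in listed and tls not in listed)
        if to_add:
            findings.append((line_no, to_add))
    return findings


# Constructed sample, not taken from any real test file.
SAMPLE = """\
--error 2013
SELECT 1;
--error 2013,2026
SELECT 1;
--error ER_CON_COUNT_ERROR
connect (con2,localhost,root,,);
error 1040, 2002;
connect (con3,localhost,root,,);
--error 1062
INSERT INTO t1 VALUES (1);
"""

if __name__ == "__main__":
    for line_no, codes in missing_tls_codes(SAMPLE):
        print(f"line {line_no}: add {','.join(codes)}")
```

A hit is only a candidate: whether a given directive can actually see the TLS code depends on how the test loses its connection.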
Issue Links
- relates to CONC-818 ma_tls_read() reports CR_SSL_CONNECTION_ERROR instead of CR_SERVER_LOST on connection close (Open)