WL#11182: TLS support in mysql-server-mock

Affects: Server-8.0   —   Status: Complete

Motivation

Testing if client applications handle different TLS scenarios currently involves:

  1. setup a mysql-server with the right certificates and configuration
  2. start the mysql-server
  3. test the application
  4. stop the mysql-server
  5. rinse-and-repeat

Each cycle tests a few seconds for shutdown and startup. As only the protocol layer is going to be tested, the mysql-server-mock is better suited for this task as it starts up faster and allows to run these tests quicker.

User Stories

  1. As a tester I want to check if a client application handles ssl-mode = (required, preferred, disabled, verify_ca, verify_identity) correctly.

  2. As a tester I want to check if a client application handle REQUIRE X509 requirements correctly.

Goal

  1. Allow to enable TLS support in the test-file
  2. Allow to set supported ciphers in the test-file
  3. Allow to detect if a valid X509 certificate was sent and match its CN
  4. Allow to fail authentication

Requirements

FR1
mock-server MUST support --ssl-mode DISABLED, PREFERRED, REQUIRED, VERIFY_CA and VERIFY_IDENTITY
FR1.1
mock-server MUST use DISABLED if --ssl-mode is not specified.
FR1.2
mock-server MUST fail to start if --ssl-mode is provided with an unsupported value.

ssl_mode not DISABLED

If ssl_mode is not DISABLED ...

FR2
mock-server MUST load certificate and key provided by --ssl-key and --ssl-cert.
FR2.1
mock-server MUST fail of loading certificate fails.
FR3
mock-server MUST load trusted certificates from a PEM file specified by --ssl-ca.
FR4
mock-server MUST check for trusted certificates in the directory specified by --ssl-capath.
FR5
mock-server MUST validate certificates provided by clients against trusted certificates.
FR6
mock-server MUST load CRL from a PEM file specified by --ssl-crl.
FR7
mock-server MUST check for CRLs in the directory specified by --ssl-crlpath.
FR8
mock-server MUST check certificates against the provided CRLs.
FR9
mock-server MUST set the pre-TLSv1.3 ciphers that may be negotiated with --ssl-cipher.
FR10
mock-server MUST validate the client-certificate if specified in the test-file and verification is requested.
FR10.1
mock-server MUST fail authentication if client-cert validate fails.

Command line options

New command line options are added to the mysql_server_mock:

  • --ssl-key
  • --ssl-cert
  • --ssl-mode
  • --ssl-ca
  • --ssl-capath
  • --ssl-crl
  • --ssl-crlpath
  • --ssl-cipher
  • --ssl-verify

Behaviour should be equivalent to the behaviour of the MySQL Server.

Configuration File

New configuration options are added to the [mock_server] section:

  • ssl_key
  • ssl_cert
  • ssl_mode
  • ssl_ca
  • ssl_capath
  • ssl_crl
  • ssl_crlpath
  • ssl_cipher
  • ssl_verify

Behaviour should be equivalent to the behaviour of the MySQL Server.



Copyright (c) 2000, 2024, Oracle Corporation and/or its affiliates. All rights reserved.