MDEV-16266 - New command FLUSH SSL to reload server's SSL certificate(private key,CRL,etc)

19d3d3e8 · Vladislav Vaintroub · f570da51 · 19d3d3e8 · 19d3d3e8 · 19d3d3e8
Commit 19d3d3e8 authored Dec 11, 2018 by Vladislav Vaintroub
13 changed files
--- a/include/mysql_com.h
+++ b/include/mysql_com.h
@@ -231,6 +231,7 @@ enum enum_indicator_type
 #define REFRESH_DES_KEY_FILE    (1ULL << 18)
 #define REFRESH_USER_RESOURCES  (1ULL << 19)
 #define REFRESH_FOR_EXPORT      (1ULL << 20) /* FLUSH TABLES ... FOR EXPORT */
+#define REFRESH_SSL             (1ULL << 21)

 #define REFRESH_GENERIC         (1ULL << 30)
 #define REFRESH_FAST            (1ULL << 31) /* Intern flag */

--- a/mysql-test/lib/generate-ssl-certs.sh
+++ b/mysql-test/lib/generate-ssl-certs.sh
@@ -21,6 +21,11 @@ openssl rsa -in server-key.pem -out server-key.pem
 # sign the server certificate with CA certificate
 openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server-cert.pem -infiles demoCA/server-req.pem

+# Certificate with different validity period (MDEV-7598)
+openssl req -newkey rsa:1024 -keyout server-new-key.pem -out demoCA/server-new-req.pem -days 7301 -nodes -subj '/CN=server-new/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
+openssl rsa -in server-new-key.pem -out server-new-key.pem
+openssl ca -keyfile cakey.pem -days 7301 -batch -cert cacert.pem -policy policy_anything -out server-new-cert.pem -infiles demoCA/server-new-req.pem
+
 openssl req -newkey rsa:8192 -keyout server8k-key.pem -out demoCA/server8k-req.pem -days 7300 -nodes -subj '/CN=server8k/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
 openssl rsa -in server8k-key.pem -out server8k-key.pem
 openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server8k-cert.pem -infiles demoCA/server8k-req.pem

--- a/mysql-test/main/flush_ssl.result
+++ b/mysql-test/main/flush_ssl.result
+# Kill the server
+connect  ssl_con,localhost,root,,,,,SSL;
+SELECT VARIABLE_VALUE INTO @ssl_not_after FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_server_not_after';
+# Use a different certificate ("Not after" certificate field changed)
+FLUSH SSL;
+# Check new certificate used by new connection
+Result
+OK
+# Check that existing SSL connection still works, and uses old certificate, even if new one is loaded in FLUSH SSL
+connection ssl_con;
+SELECT IF(VARIABLE_VALUE=@ssl_not_after,'OK','FAIL') as Result FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_server_not_after';
+Result
+OK
+disconnect ssl_con;
+connection default;
+SELECT VARIABLE_NAME NAME, VARIABLE_VALUE VALUE FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME in ('Ssl_accepts', 'Ssl_finished_accepts');
+NAME	VALUE
+SSL_ACCEPTS	1
+SSL_FINISHED_ACCEPTS	1
+FLUSH SSL;
+SELECT VARIABLE_NAME NAME, VARIABLE_VALUE VALUE FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME in ('Ssl_accepts', 'Ssl_finished_accepts');
+NAME	VALUE
+SSL_ACCEPTS	0
+SSL_FINISHED_ACCEPTS	0
+# Cleanup
+# Kill the server
--- a/mysql-test/main/flush_ssl.test
+++ b/mysql-test/main/flush_ssl.test
+# MDEV-16266 Reload SSL certificate
+# This test reloads server SSL certs FLUSH SSL, and checks that 
+# 1. old SSL connections (that existed before FLUSH) still work and use old certificate
+# 2. new SSL connection use new certificate
+# 3. if FLUSH SSL runs into error, SSL is still functioning
+# SWtatus variable Ssl_server_not_after is used to tell the old certificate from new.
+
+
+source include/have_ssl_communication.inc;
+
+# Restart server with cert. files located in temp directory
+# We are going to remove / replace them within the test, 
+# so we can't use the ones in std_data directly.
+
+let $ssl_cert=$MYSQLTEST_VARDIR/tmp/ssl_cert.pem;
+let $ssl_key=$MYSQLTEST_VARDIR/tmp/ssl_key.pem;
+
+copy_file $MYSQL_TEST_DIR/std_data/server-key.pem $ssl_key;
+copy_file $MYSQL_TEST_DIR/std_data/server-cert.pem $ssl_cert;
+
+let $restart_parameters=--ssl-key=$ssl_key --ssl-cert=$ssl_cert;
+--source include/kill_mysqld.inc
+--source include/start_mysqld.inc
+
+connect  ssl_con,localhost,root,,,,,SSL;
+SELECT VARIABLE_VALUE INTO @ssl_not_after FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_server_not_after';
+let $ssl_not_after=`SELECT @ssl_not_after`;
+
+remove_file $ssl_cert;
+remove_file $ssl_key;
+
+--echo # Use a different certificate ("Not after" certificate field changed)
+copy_file $MYSQL_TEST_DIR/std_data/server-new-key.pem $ssl_key;
+copy_file $MYSQL_TEST_DIR/std_data/server-new-cert.pem $ssl_cert;
+
+FLUSH SSL;
+
+--echo # Check new certificate used by new connection
+exec $MYSQL --ssl  -e  "SELECT IF(VARIABLE_VALUE <> '$ssl_not_after', 'OK', 'FAIL') as Result FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_server_not_after'";
+
+--echo # Check that existing SSL connection still works, and uses old certificate, even if new one is loaded in FLUSH SSL
+connection ssl_con;
+SELECT IF(VARIABLE_VALUE=@ssl_not_after,'OK','FAIL') as Result FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_server_not_after';
+
+disconnect ssl_con;
+connection default;
+
+SELECT VARIABLE_NAME NAME, VARIABLE_VALUE VALUE FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME in ('Ssl_accepts', 'Ssl_finished_accepts');
+FLUSH SSL;
+#Check that accepts are zeroed by FLUSH SSL.
+SELECT VARIABLE_NAME NAME, VARIABLE_VALUE VALUE FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME in ('Ssl_accepts', 'Ssl_finished_accepts');
+
+--echo # Cleanup
+remove_file $ssl_cert;
+remove_file $ssl_key;
+# restart with usuall SSL
+let $restart_parameters=;
+--source include/kill_mysqld.inc
+--source include/start_mysqld.inc
+
+
--- a/mysql-test/std_data/server-new-cert.pem
+++ b/mysql-test/std_data/server-new-cert.pem
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 7 (0x7)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=cacert, C=FI, ST=Helsinki, L=Helsinki, O=MariaDB
+        Validity
+            Not Before: Dec 11 17:13:59 2018 GMT
+            Not After : Dec  7 17:13:59 2038 GMT
+        Subject: C=FI, ST=Helsinki, L=Helsinki, O=MariaDB, CN=server-new
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:c9:40:33:d7:fb:b7:a2:bc:4e:d4:65:27:1a:c9:
+                    da:8b:2e:fc:a9:60:1a:69:e8:fd:e3:13:78:b6:08:
+                    3b:3e:fd:d3:b0:d3:6c:a1:79:bd:85:ca:be:a1:0a:
+                    4e:2a:ee:2c:8d:da:72:e6:85:56:ec:3a:7c:46:a3:
+                    d3:18:e7:19:19:8d:14:7e:de:d2:a4:2f:22:56:1c:
+                    21:03:24:f6:2d:55:4e:49:25:9f:32:01:94:66:47:
+                    e4:fa:fa:45:b1:b7:33:26:da:f1:c7:29:3b:ba:fe:
+                    e8:d4:f1:fc:29:57:6b:3a:be:ef:2e:1d:da:ef:0a:
+                    d7:54:8d:67:00:7b:7a:29:2b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                FF:42:5E:88:AC:6A:C8:80:63:A8:AF:20:C6:BE:E8:A4:02:D5:42:AF
+            X509v3 Authority Key Identifier: 
+                keyid:1C:C7:2B:AA:1B:B1:BB:2E:9A:F4:0F:B1:86:60:57:38:C2:41:05:12
+
+    Signature Algorithm: sha256WithRSAEncryption
+         7c:cc:c1:93:43:83:a9:ea:19:9d:1c:a1:f8:e1:c1:61:58:c0:
+         db:ef:43:6e:d7:cf:4d:75:38:6e:cb:03:25:5d:21:af:03:b1:
+         86:5f:b3:d1:e2:6f:8c:89:55:b7:82:6a:c0:d6:46:08:0c:68:
+         9d:ef:cc:2e:79:f5:d8:0b:f2:13:3a:52:cc:08:d5:3a:f0:d8:
+         5c:9e:85:a7:38:31:9d:7c:61:2b:59:ee:c0:16:a6:16:dd:80:
+         e2:ef:96:3d:b0:13:ec:9b:9a:91:69:3f:6c:46:87:05:55:b7:
+         32:85:51:da:02:c3:ac:2d:c3:5e:9a:51:f8:96:75:0b:63:29:
+         4e:47:47:f1:82:a6:ad:44:3d:51:b3:19:8b:ae:26:a9:15:a0:
+         73:b6:70:6e:4f:72:9d:69:4e:b2:9b:2a:a8:50:87:b8:9f:c0:
+         a7:37:0f:9e:bc:4c:80:b9:b8:47:28:8e:33:c3:7f:d7:fe:31:
+         f0:a9:1c:7a:f7:a3:34:21:d4:e4:53:86:a3:7e:1d:1c:a7:65:
+         fb:ec:f9:1f:17:1e:4f:19:f9:fe:dd:ee:53:0f:b5:98:b7:7a:
+         ef:12:6c:8d:32:78:66:a5:42:d7:3d:a5:09:f8:06:05:a4:ff:
+         bd:4e:e7:85:c4:f0:dc:dc:20:26:84:91:69:e8:cf:3b:27:9f:
+         35:36:cc:ff
+-----BEGIN CERTIFICATE-----
+MIIDIjCCAgqgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBWMQ8wDQYDVQQDDAZjYWNl
+cnQxCzAJBgNVBAYTAkZJMREwDwYDVQQIDAhIZWxzaW5raTERMA8GA1UEBwwISGVs
+c2lua2kxEDAOBgNVBAoMB01hcmlhREIwHhcNMTgxMjExMTcxMzU5WhcNMzgxMjA3
+MTcxMzU5WjBaMQswCQYDVQQGEwJGSTERMA8GA1UECAwISGVsc2lua2kxETAPBgNV
+BAcMCEhlbHNpbmtpMRAwDgYDVQQKDAdNYXJpYURCMRMwEQYDVQQDDApzZXJ2ZXIt
+bmV3MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJQDPX+7eivE7UZScaydqL
+LvypYBpp6P3jE3i2CDs+/dOw02yheb2Fyr6hCk4q7iyN2nLmhVbsOnxGo9MY5xkZ
+jRR+3tKkLyJWHCEDJPYtVU5JJZ8yAZRmR+T6+kWxtzMm2vHHKTu6/ujU8fwpV2s6
+vu8uHdrvCtdUjWcAe3opKwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIB
+DQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU/0Je
+iKxqyIBjqK8gxr7opALVQq8wHwYDVR0jBBgwFoAUHMcrqhuxuy6a9A+xhmBXOMJB
+BRIwDQYJKoZIhvcNAQELBQADggEBAHzMwZNDg6nqGZ0cofjhwWFYwNvvQ27Xz011
+OG7LAyVdIa8DsYZfs9Hib4yJVbeCasDWRggMaJ3vzC559dgL8hM6UswI1Trw2Fye
+hac4MZ18YStZ7sAWphbdgOLvlj2wE+ybmpFpP2xGhwVVtzKFUdoCw6wtw16aUfiW
+dQtjKU5HR/GCpq1EPVGzGYuuJqkVoHO2cG5Pcp1pTrKbKqhQh7ifwKc3D568TIC5
+uEcojjPDf9f+MfCpHHr3ozQh1ORThqN+HRynZfvs+R8XHk8Z+f7d7lMPtZi3eu8S
+bI0yeGalQtc9pQn4BgWk/71O54XE8NzcICaEkWnozzsnnzU2zP8=
+-----END CERTIFICATE-----
--- a/mysql-test/std_data/server-new-key.pem
+++ b/mysql-test/std_data/server-new-key.pem
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDJQDPX+7eivE7UZScaydqLLvypYBpp6P3jE3i2CDs+/dOw02yh
+eb2Fyr6hCk4q7iyN2nLmhVbsOnxGo9MY5xkZjRR+3tKkLyJWHCEDJPYtVU5JJZ8y
+AZRmR+T6+kWxtzMm2vHHKTu6/ujU8fwpV2s6vu8uHdrvCtdUjWcAe3opKwIDAQAB
+AoGBAKlH3dPxIdg6+TvjEe+Qlsm4bkKyWcV4fAaDnGfRqLQloej9DkUNOAPQNGUV
+XAb0bHmtpDSPODxgPaTVrH0n9o1tTXrfIijSM7zm0Ub2H7YPMNMUSae+9K3bdXoL
+aHjlYYXBXULa093nXOXNmjX17pBKUmiAkKCoqxTMx9QGW8rRAkEA/aqjdIrbaEJd
+Mky4bLzaSZITls/8+LPekUpH+TXdjgSMMaDxd4OXAnA34fssPOhsD8yzgeo2XZZj
+Snk4wfBHrwJBAMsaITNwvAXj3joX/eTD4Q/FcwdaPt4dL2BS13uJrva/TZGEAnOn
+n5nu2exZDslxyoKA5SBl2oZbhtCAA1elWUUCQQCeo8rZpcWVrHtQa76i8nCpthte
+I/EXMJYu0v+0EUXf/WQX3YllrvwP4FJyl3yREuIR93kD9I/Pc6/g8XLXhwetAkB1
+VG8BrIqyTGVA4kNGOPJ3jfVZtgTDg9CusKzTLULqQLGq8rwH3DoTTyyNoRUtwpLe
+uV+kS7LmE1HaeVl09IyRAkBXb/5p2D+Dfb/3/mx5/YuFNwB07sY+H0CrzO1qSo62
+q0nzNK3/irTzqtuerwy/YkBTz/T75GePIK4P0b9elNlb
+-----END RSA PRIVATE KEY-----
--- a/mysql-test/suite/perfschema/r/dml_setup_instruments.result
+++ b/mysql-test/suite/perfschema/r/dml_setup_instruments.result
@@ -22,13 +22,13 @@ NAME	ENABLED	TIMED
 wait/synch/rwlock/sql/LOCK_dboptions	YES	YES
 wait/synch/rwlock/sql/LOCK_grant	YES	YES
 wait/synch/rwlock/sql/LOCK_SEQUENCE	YES	YES
+wait/synch/rwlock/sql/LOCK_ssl_refresh	YES	YES
 wait/synch/rwlock/sql/LOCK_system_variables_hash	YES	YES
 wait/synch/rwlock/sql/LOCK_sys_init_connect	YES	YES
 wait/synch/rwlock/sql/LOCK_sys_init_slave	YES	YES
 wait/synch/rwlock/sql/LOGGER::LOCK_logger	YES	YES
 wait/synch/rwlock/sql/MDL_context::LOCK_waiting_for	YES	YES
 wait/synch/rwlock/sql/MDL_lock::rwlock	YES	YES
-wait/synch/rwlock/sql/Query_cache_query::lock	YES	YES
 select * from performance_schema.setup_instruments
 where name like 'Wait/Synch/Cond/sql/%'
  and name not in (

--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
--- a/sql/mysqld.h
+++ b/sql/mysqld.h
@@ -96,6 +96,9 @@ extern void init_net_server_extension(THD *thd);
 extern void handle_accepted_socket(MYSQL_SOCKET new_sock, MYSQL_SOCKET sock);
 extern void create_new_thread(CONNECT *connect);

+extern void ssl_acceptor_stats_update(int sslaccept_ret);
+extern int reinit_ssl();
+
 extern "C" MYSQL_PLUGIN_IMPORT CHARSET_INFO *system_charset_info;
 extern MYSQL_PLUGIN_IMPORT CHARSET_INFO *files_charset_info ;
 extern MYSQL_PLUGIN_IMPORT CHARSET_INFO *national_charset_info;
@@ -633,6 +636,7 @@ extern mysql_mutex_t LOCK_des_key_file;
 extern mysql_mutex_t LOCK_server_started;
 extern mysql_cond_t COND_server_started;
 extern mysql_rwlock_t LOCK_grant, LOCK_sys_init_connect, LOCK_sys_init_slave;
+extern mysql_rwlock_t LOCK_ssl_refresh;
 extern mysql_prlock_t LOCK_system_variables_hash;
 extern mysql_cond_t COND_thread_count, COND_start_thread;
 extern mysql_cond_t COND_manager;

--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -12641,7 +12641,12 @@ static ulong parse_client_handshake_packet(MPVIO_EXT *mpvio,
      return packet_error;

    DBUG_PRINT("info", ("IO layer change in progress..."));
-    if (sslaccept(ssl_acceptor_fd, net->vio, net->read_timeout, &errptr))
+    mysql_rwlock_rdlock(&LOCK_ssl_refresh);
+    int ssl_ret = sslaccept(ssl_acceptor_fd, net->vio, net->read_timeout, &errptr);
+    mysql_rwlock_unlock(&LOCK_ssl_refresh);
+    ssl_acceptor_stats_update(ssl_ret);
+
+    if(ssl_ret)
    {
      DBUG_PRINT("error", ("Failed to accept new SSL connection"));
      return packet_error;

--- a/sql/sql_reload.cc
+++ b/sql/sql_reload.cc
@@ -416,6 +416,11 @@ bool reload_acl_and_cache(THD *thd, unsigned long long options,
 #endif
 if (options & REFRESH_USER_RESOURCES)
   reset_mqh((LEX_USER *) NULL, 0);             /* purecov: inspected */
+ if (options & REFRESH_SSL)
+ {
+   if (reinit_ssl())
+     result= 1;
+ }
 if (options & REFRESH_GENERIC)
 {
   List_iterator_fast<LEX_CSTRING> li(thd->lex->view_list);

--- a/sql/sql_yacc.yy
+++ b/sql/sql_yacc.yy
@@ -14486,6 +14486,8 @@ flush_option:
          { Lex->type|= REFRESH_DES_KEY_FILE; }
        | RESOURCES
          { Lex->type|= REFRESH_USER_RESOURCES; }
+        | SSL_SYM
+          { Lex->type|= REFRESH_SSL;}
        | IDENT_sys remember_tok_start
           {
             Lex->type|= REFRESH_GENERIC;

--- a/sql/sql_yacc_ora.yy
+++ b/sql/sql_yacc_ora.yy
@@ -14541,6 +14541,8 @@ flush_option:
          { Lex->type|= REFRESH_DES_KEY_FILE; }
        | RESOURCES
          { Lex->type|= REFRESH_USER_RESOURCES; }
+        | SSL_SYM
+          { Lex->type|= REFRESH_SSL;}
        | IDENT_sys remember_tok_start
           {
             Lex->type|= REFRESH_GENERIC;