Port for OpenSSL 1.1

Change few SSL calls Fix tests that expect some particular ciphers
2017-12-08 15:55:22 +01:00 · 2017-12-08 15:55:22 +01:00 · 41cb3dcd0a
commit 41cb3dcd0a
parent 6fd9a625c7
2 changed files with 525 additions and 6 deletions
--- a/community-mysql-openssl11.patch
+++ b/community-mysql-openssl11.patch
@ -0,0 +1,517 @@
+Add OpenSSL 1.1 compatibility
+
+Based on patches in upstream tracker (bellow), and patches from MariaDB for the same feature.
+
+Upstream tracker: https://bugs.mysql.com/bug.php?id=83814
+
+diff -rup mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test mysql-5.7.20/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test
+--- mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test	2017-12-08 09:00:52.578760787 +0100
+++ mysql-5.7.20/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test	2017-12-08 22:19:40.033870734 +0100
+@@ -7,7 +7,7 @@
+ connection default;
+ CREATE USER u_20693153@localhost IDENTIFIED BY 'abcd';
+ 
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ --exec $MYSQL --protocol=TCP -uu_20693153 -pabcd --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem -e "SHOW STATUS LIKE 'Ssl_cipher';"
+ 
+ DROP USER u_20693153@localhost;
+diff -rup mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/openssl_cert_generation.test mysql-5.7.20/mysql-test/suite/auth_sec/t/openssl_cert_generation.test
+--- mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/openssl_cert_generation.test	2017-12-08 09:00:52.579760795 +0100
+++ mysql-5.7.20/mysql-test/suite/auth_sec/t/openssl_cert_generation.test	2017-12-08 22:19:40.033870734 +0100
+@@ -183,7 +183,7 @@ let SEARCH_PATTERN= Auto generated SSL c
+ --file_exists $MYSQLTEST_VARDIR/mysqld.1/data/public_key.pem
+ 
+ --echo # Ensure that server is ssl enabled
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'"
+ #-----------------------------------------------------------------------------
+ 
+@@ -285,7 +285,7 @@ grant usage on *.* to wl7699_sha256 iden
+ 
+ # Using SSL certificates
+ --echo # Should be able to connect to server using generated SSL certificates.
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ --exec $MYSQL -uwl7699_sha256 -pabcd --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'"
+ # Using RSA key pair
+ --echo # Should be able to connect to server using RSA key pair.
+@@ -351,7 +351,7 @@ show variables like 'sha256%';
+ 
+ --echo # 6.3 : SSL connection
+ --echo # Should be able to connect to server using generated SSL certificates.
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'"
+ 
+ 
+@@ -362,7 +362,7 @@ grant usage on *.* to wl7699_sha256 iden
+ 
+ # Using SSL certificates
+ --echo # Should be able to connect to server using generated SSL certificates.
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ --exec $MYSQL -uwl7699_sha256 -pabcd --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'"
+ # Using RSA key pair
+ --echo # Should be able to connect to server using RSA key pair.
+diff -rup mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/ssl_auto_detect.test mysql-5.7.20/mysql-test/suite/auth_sec/t/ssl_auto_detect.test
+--- mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/ssl_auto_detect.test	2017-12-08 09:00:52.583760826 +0100
+++ mysql-5.7.20/mysql-test/suite/auth_sec/t/ssl_auto_detect.test	2017-12-08 22:19:40.034870741 +0100
+@@ -54,7 +54,7 @@ let SEARCH_PATTERN= CA certificate .* is
+ 
+ --echo # Try to establish SSL connection : This must succeed.
+ connect (ssl_root_1,localhost,root,,,,,SSL);
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ SHOW STATUS LIKE 'Ssl_cipher';
+ SHOW VARIABLES LIKE 'have_ssl';
+ 
+@@ -68,7 +68,7 @@ connection default;
+ disconnect ssl_root_1;
+ 
+ --echo # Connect using mysql client : This must succeed.
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher';"
+ 
+ 
+@@ -140,7 +140,7 @@ let SEARCH_PATTERN= CA certificate .* is
+ --source include/search_pattern_in_file.inc
+ 
+ --echo # Try creating SSL connection
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher';"
+ 
+ 
+diff -rup mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/tls.test mysql-5.7.20/mysql-test/suite/auth_sec/t/tls.test
+--- mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/tls.test	2017-12-08 09:00:52.584760834 +0100
+++ mysql-5.7.20/mysql-test/suite/auth_sec/t/tls.test	2017-12-08 22:56:42.786710772 +0100
+@@ -36,7 +36,7 @@ let $cipher_default= DHE-RSA-AES256-SHA;
+ let $tls_default= TLSv1.1;
+ let $openssl= query_get_value("SHOW STATUS LIKE 'Rsa_public_key'", Variable_name, 1);
+ if ($openssl == 'Rsa_public_key'){
+-  let $cipher_default= DHE-RSA-AES128-GCM-SHA256;
+  let $cipher_default= ECDHE-RSA-AES128-GCM-SHA256;
+   let $tls_default= TLSv1.2;
+ }
+ --echo #T1: Default TLS connection
+diff -rup mysql-5.7.20-sslbak/mysql-test/t/mysql_ssl_default.test mysql-5.7.20/mysql-test/t/mysql_ssl_default.test
+--- mysql-5.7.20-sslbak/mysql-test/t/mysql_ssl_default.test	2017-12-08 09:00:55.717784968 +0100
+++ mysql-5.7.20/mysql-test/t/mysql_ssl_default.test	2017-12-08 22:19:40.035870748 +0100
+@@ -14,15 +14,15 @@
+ 
+ --echo # verify that mysql default connect with ssl channel when using TCP/IP
+ --echo # connection
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'"
+ 
+ --echo # verify that mysql --ssl=0 connect with unencrypted channel
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --ssl-mode=DISABLED
+ 
+ --echo # verify that mysql --ssl=1 connect with ssl channel
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --ssl-mode=REQUIRED
+ 
+ CREATE USER u1@localhost IDENTIFIED BY 'secret' REQUIRE SSL;
+diff -rup mysql-5.7.20-sslbak/mysql-test/t/openssl_1.test mysql-5.7.20/mysql-test/t/openssl_1.test
+--- mysql-5.7.20-sslbak/mysql-test/t/openssl_1.test	2017-12-08 09:00:55.729785060 +0100
+++ mysql-5.7.20/mysql-test/t/openssl_1.test	2017-12-08 22:19:40.035870748 +0100
+@@ -19,17 +19,17 @@ insert into t1 values (5);
+ let $cipher_val= "DHE-RSA-AES256-SHA";
+ let $shavars= query_get_value("SHOW STATUS LIKE 'Rsa_public_key'", Variable_name, 1);
+ if ($shavars == 'Rsa_public_key'){
+-  let $cipher_val= "DHE-RSA-AES128-GCM-SHA256";
+  let $cipher_val= "ECDHE-RSA-AES128-GCM-SHA256";
+ }
+ 
+ grant select on test.* to ssl_user1@localhost require SSL;
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ -- eval grant select on test.* to ssl_user2@localhost require cipher $cipher_val
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ -- eval grant select on test.* to ssl_user3@localhost require cipher $cipher_val AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ -- eval grant select on test.* to ssl_user4@localhost require cipher $cipher_val AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client" ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ -- eval grant select on test.* to ssl_user5@localhost require cipher $cipher_val AND SUBJECT "xxx"
+ flush privileges;
+ 
+@@ -43,7 +43,7 @@ connect (con5,localhost,ssl_user5,,,,,SS
+ 
+ connection con1;
+ # Check ssl turned on
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ SHOW STATUS LIKE 'Ssl_cipher';
+ select * from t1;
+ --error ER_TABLEACCESS_DENIED_ERROR
+@@ -51,7 +51,7 @@ delete from t1;
+ 
+ connection con2;
+ # Check ssl turned on
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ SHOW STATUS LIKE 'Ssl_cipher';
+ select * from t1;
+ --error ER_TABLEACCESS_DENIED_ERROR
+@@ -59,7 +59,7 @@ delete from t1;
+ 
+ connection con3;
+ # Check ssl turned on
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ SHOW STATUS LIKE 'Ssl_cipher';
+ select * from t1;
+ --error ER_TABLEACCESS_DENIED_ERROR
+@@ -67,7 +67,7 @@ delete from t1;
+ 
+ connection con4;
+ # Check ssl turned on
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ SHOW STATUS LIKE 'Ssl_cipher';
+ select * from t1;
+ --error ER_TABLEACCESS_DENIED_ERROR
+@@ -142,7 +142,7 @@ drop table t1;
+ # verification of servers certificate by setting both ca certificate
+ # and ca path to NULL
+ #
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ --exec $MYSQL --ssl-mode=REQUIRED --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
+ --echo End of 5.0 tests
+ 
+@@ -269,7 +269,7 @@ select 'is still running; no cipher requ
+ GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509;
+ FLUSH PRIVILEGES;
+ connect(con1,localhost,bug42158,,,,,SSL);
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ SHOW STATUS LIKE 'Ssl_cipher';
+ disconnect con1;
+ connection default;
+diff -rup mysql-5.7.20-sslbak/mysql-test/t/plugin_auth_sha256_tls.test mysql-5.7.20/mysql-test/t/plugin_auth_sha256_tls.test
+--- mysql-5.7.20-sslbak/mysql-test/t/plugin_auth_sha256_tls.test	2017-12-08 09:00:55.747785199 +0100
+++ mysql-5.7.20/mysql-test/t/plugin_auth_sha256_tls.test	2017-12-08 22:19:40.035870748 +0100
+@@ -2,7 +2,7 @@
+ --source include/have_ssl.inc
+ 
+ connect (ssl_con,localhost,root,,,,,SSL);
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ SHOW STATUS LIKE 'Ssl_cipher';
+ 
+ CREATE USER 'kristofer' IDENTIFIED WITH 'sha256_password';
+diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl_8k_key.test mysql-5.7.20/mysql-test/t/ssl_8k_key.test
+--- mysql-5.7.20-sslbak/mysql-test/t/ssl_8k_key.test	2017-12-08 09:00:55.772785392 +0100
+++ mysql-5.7.20/mysql-test/t/ssl_8k_key.test	2017-12-08 22:19:40.036870755 +0100
+@@ -4,7 +4,7 @@
+ #
+ # Bug#29784 YaSSL assertion failure when reading 8k key.
+ #
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ --exec $MYSQL --ssl-mode=REQUIRED --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
+ 
+ ##  This test file is for testing encrypted communication only, not other
+diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl_ca.test mysql-5.7.20/mysql-test/t/ssl_ca.test
+--- mysql-5.7.20-sslbak/mysql-test/t/ssl_ca.test	2017-12-08 09:00:55.773785399 +0100
+++ mysql-5.7.20/mysql-test/t/ssl_ca.test	2017-12-08 22:19:40.036870755 +0100
+@@ -10,7 +10,7 @@
+ --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/wrong-crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1
+ 
+ --echo # try to connect with correct '--ssl-ca' path : should connect
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'"
+ 
+ --echo #
+@@ -22,15 +22,15 @@
+ 
+ --echo # try to connect with '--ssl-ca' option using tilde home directoy
+ --echo # path substitution : should connect
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ --exec $MYSQL --ssl-ca=$mysql_test_dir_path/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'"
+ 
+ --echo # try to connect with '--ssl-key' option using tilde home directoy
+ --echo # path substitution : should connect
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$mysql_test_dir_path/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'"
+ 
+ --echo # try to connect with '--ssl-cert' option using tilde home directoy
+ --echo # path substitution : should connect
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$mysql_test_dir_path/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'"
+diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl_compress.test mysql-5.7.20/mysql-test/t/ssl_compress.test
+--- mysql-5.7.20-sslbak/mysql-test/t/ssl_compress.test	2017-12-08 09:00:55.774785407 +0100
+++ mysql-5.7.20/mysql-test/t/ssl_compress.test	2017-12-08 22:19:40.036870755 +0100
+@@ -17,7 +17,7 @@
+ connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS);
+ 
+ # Check ssl turned on
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ SHOW STATUS LIKE 'Ssl_cipher';
+ 
+ # Check compression turned on
+@@ -27,7 +27,7 @@ SHOW STATUS LIKE 'Compression';
+ -- source include/common-tests.inc
+ 
+ # Check ssl turned on
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ SHOW STATUS LIKE 'Ssl_cipher';
+ 
+ # Check compression turned on
+diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl_crl.test mysql-5.7.20/mysql-test/t/ssl_crl.test
+--- mysql-5.7.20-sslbak/mysql-test/t/ssl_crl.test	2017-12-08 09:00:55.774785407 +0100
+++ mysql-5.7.20/mysql-test/t/ssl_crl.test	2017-12-08 22:19:40.037870762 +0100
+@@ -32,9 +32,11 @@ if (!$crllen)
+ --echo # try to connect with '--ssl-crl' option using tilde home directoy
+ --echo # path substitution : should connect
+ --replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
+ --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test --ssl-crl=$mysql_test_dir_path/std_data/crl-client-revoked.crl -e "SHOW STATUS LIKE 'Ssl_cipher'"
+ 
+ --echo # try to connect with '--ssl-crlpath' option using tilde home directoy
+ --echo # path substitution : should connect
+ --replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
+ --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem --ssl-crlpath=$mysql_test_dir_path/std_data/crldir test -e "SHOW STATUS LIKE 'Ssl_cipher'"
+diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl.test mysql-5.7.20/mysql-test/t/ssl.test
+--- mysql-5.7.20-sslbak/mysql-test/t/ssl.test	2017-12-08 09:00:55.772785392 +0100
+++ mysql-5.7.20/mysql-test/t/ssl.test	2017-12-08 22:19:40.037870762 +0100
+@@ -16,7 +16,7 @@
+ connect (ssl_con,localhost,root,,,,,SSL);
+ 
+ # Check ssl turned on
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ SHOW STATUS LIKE 'Ssl_cipher';
+ 
+ # Check ssl expiration
+@@ -27,7 +27,7 @@ SHOW STATUS LIKE 'Ssl_server_not_after';
+ -- source include/common-tests.inc
+ 
+ # Check ssl turned on
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+ SHOW STATUS LIKE 'Ssl_cipher';
+ 
+ connection default;
+diff -rup mysql-5.7.20-sslbak/mysys_ssl/my_aes_openssl.cc mysql-5.7.20/mysys_ssl/my_aes_openssl.cc
+--- mysql-5.7.20-sslbak/mysys_ssl/my_aes_openssl.cc	2017-12-08 09:00:55.851786000 +0100
+++ mysql-5.7.20/mysys_ssl/my_aes_openssl.cc	2017-12-08 22:19:40.037870762 +0100
+@@ -122,7 +122,7 @@ int my_aes_encrypt(const unsigned char *
+                    enum my_aes_opmode mode, const unsigned char *iv,
+                    bool padding)
+ {
+-  EVP_CIPHER_CTX ctx;
+  EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
+   const EVP_CIPHER *cipher= aes_evp_type(mode);
+   int u_len, f_len;
+   /* The real key to be used for encryption */
+@@ -132,23 +132,23 @@ int my_aes_encrypt(const unsigned char *
+   if (!cipher || (EVP_CIPHER_iv_length(cipher) > 0 && !iv))
+     return MY_AES_BAD_DATA;
+ 
+-  if (!EVP_EncryptInit(&ctx, cipher, rkey, iv))
+  if (!EVP_EncryptInit(ctx, cipher, rkey, iv))
+     goto aes_error;                             /* Error */
+-  if (!EVP_CIPHER_CTX_set_padding(&ctx, padding))
+  if (!EVP_CIPHER_CTX_set_padding(ctx, padding))
+     goto aes_error;                             /* Error */
+-  if (!EVP_EncryptUpdate(&ctx, dest, &u_len, source, source_length))
+  if (!EVP_EncryptUpdate(ctx, dest, &u_len, source, source_length))
+     goto aes_error;                             /* Error */
+ 
+-  if (!EVP_EncryptFinal(&ctx, dest + u_len, &f_len))
+  if (!EVP_EncryptFinal(ctx, dest + u_len, &f_len))
+     goto aes_error;                             /* Error */
+ 
+-  EVP_CIPHER_CTX_cleanup(&ctx);
+  EVP_CIPHER_CTX_free(ctx);
+   return u_len + f_len;
+ 
+ aes_error:
+   /* need to explicitly clean up the error if we want to ignore it */
+   ERR_clear_error();
+-  EVP_CIPHER_CTX_cleanup(&ctx);
+  EVP_CIPHER_CTX_free(ctx);
+   return MY_AES_BAD_DATA;
+ }
+ 
+@@ -159,7 +159,7 @@ int my_aes_decrypt(const unsigned char *
+                    bool padding)
+ {
+ 
+-  EVP_CIPHER_CTX ctx;
+  EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
+   const EVP_CIPHER *cipher= aes_evp_type(mode);
+   int u_len, f_len;
+ 
+@@ -170,24 +170,22 @@ int my_aes_decrypt(const unsigned char *
+   if (!cipher || (EVP_CIPHER_iv_length(cipher) > 0 && !iv))
+     return MY_AES_BAD_DATA;
+ 
+-  EVP_CIPHER_CTX_init(&ctx);
+-
+-  if (!EVP_DecryptInit(&ctx, aes_evp_type(mode), rkey, iv))
+  if (!EVP_DecryptInit(ctx, aes_evp_type(mode), rkey, iv))
+     goto aes_error;                             /* Error */
+-  if (!EVP_CIPHER_CTX_set_padding(&ctx, padding))
+  if (!EVP_CIPHER_CTX_set_padding(ctx, padding))
+     goto aes_error;                             /* Error */
+-  if (!EVP_DecryptUpdate(&ctx, dest, &u_len, source, source_length))
+  if (!EVP_DecryptUpdate(ctx, dest, &u_len, source, source_length))
+     goto aes_error;                             /* Error */
+-  if (!EVP_DecryptFinal_ex(&ctx, dest + u_len, &f_len))
+  if (!EVP_DecryptFinal_ex(ctx, dest + u_len, &f_len))
+     goto aes_error;                             /* Error */
+ 
+-  EVP_CIPHER_CTX_cleanup(&ctx);
+  EVP_CIPHER_CTX_free(ctx);
+   return u_len + f_len;
+ 
+ aes_error:
+   /* need to explicitly clean up the error if we want to ignore it */
+   ERR_clear_error();
+-  EVP_CIPHER_CTX_cleanup(&ctx);
+  EVP_CIPHER_CTX_free(ctx);
+   return MY_AES_BAD_DATA;
+ }
+ 
+diff -rup mysql-5.7.20-sslbak/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c mysql-5.7.20/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c
+--- mysql-5.7.20-sslbak/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c	2017-12-08 09:00:55.975786955 +0100
+++ mysql-5.7.20/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c	2017-12-08 22:19:40.037870762 +0100
+@@ -104,7 +104,7 @@ static const char* tls_cipher_blocked= "
+   mjxx/bg6bOOjpgZapvB6ABWlWmRmAAWFtwIBBQ==
+   -----END DH PARAMETERS-----
+  */
+-static unsigned char dh2048_p[]=
+static unsigned char dhp_2048[]=
+ {
+   0x8A, 0x5D, 0xFA, 0xC0, 0x66, 0x76, 0x4E, 0x61, 0xFA, 0xCA, 0xC0, 0x37,
+   0x57, 0x5C, 0x6D, 0x3F, 0x83, 0x0A, 0xA1, 0xF5, 0xF1, 0xE6, 0x7F, 0x3C,
+@@ -131,20 +131,24 @@ static unsigned char dh2048_p[]=
+ };
+ 
+ 
+-static unsigned char dh2048_g[]={
+static unsigned char dhg_2048[]={
+   0x05,
+ };
+ 
+ static DH *get_dh2048(void)
+ {
+-  DH *dh;
+-  if ((dh=DH_new()))
+  DH *dh = DH_new();
+  BIGNUM *dhp_bn, *dhg_bn;
+  if (dh != NULL)
+   {
+-    dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
+-    dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
+-    if (! dh->p || ! dh->g)
+    dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
+    dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
+    if (dhp_bn == NULL || dhg_bn == NULL
+        || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) 
+     {
+       DH_free(dh);
+      BN_free(dhp_bn);
+      BN_free(dhg_bn);
+       dh=0;
+     }
+   }
+diff -rup mysql-5.7.20-sslbak/sql/mysqld.cc mysql-5.7.20/sql/mysqld.cc
+--- mysql-5.7.20-sslbak/sql/mysqld.cc	2017-12-08 09:00:56.309789528 +0100
+++ mysql-5.7.20/sql/mysqld.cc	2017-12-08 22:19:40.039870776 +0100
+@@ -3376,7 +3376,7 @@ static int init_ssl()
+ {
+ #ifdef HAVE_OPENSSL
+ #ifndef HAVE_YASSL
+-  CRYPTO_malloc_init();
+  OPENSSL_malloc_init();
+ #endif
+   ssl_start();
+ #ifndef EMBEDDED_LIBRARY
+diff -rup mysql-5.7.20-sslbak/sql-common/client.c mysql-5.7.20/sql-common/client.c
+--- mysql-5.7.20-sslbak/sql-common/client.c	2017-12-08 09:00:56.245789035 +0100
+++ mysql-5.7.20/sql-common/client.c	2017-12-08 22:19:40.040870783 +0100
+@@ -2741,7 +2741,7 @@ static int ssl_verify_server_cert(Vio *v
+     goto error;
+   }
+ 
+-  cn= (char *) ASN1_STRING_data(cn_asn1);
+  cn= (char *) ASN1_STRING_get0_data(cn_asn1);
+ 
+   // There should not be any NULL embedded in the CN
+   if ((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn))
+diff -rup mysql-5.7.20-sslbak/vio/viosslfactories.c mysql-5.7.20/vio/viosslfactories.c
+--- mysql-5.7.20-sslbak/vio/viosslfactories.c	2017-12-08 09:00:56.807793365 +0100
+++ mysql-5.7.20/vio/viosslfactories.c	2017-12-08 22:19:40.040870783 +0100
+@@ -86,7 +86,7 @@ static my_bool     ssl_initialized
+   mjxx/bg6bOOjpgZapvB6ABWlWmRmAAWFtwIBBQ==
+   -----END DH PARAMETERS-----
+  */
+-static unsigned char dh2048_p[]=
+static unsigned char dhp_2048[]=
+ {
+   0x8A, 0x5D, 0xFA, 0xC0, 0x66, 0x76, 0x4E, 0x61, 0xFA, 0xCA, 0xC0, 0x37,
+   0x57, 0x5C, 0x6D, 0x3F, 0x83, 0x0A, 0xA1, 0xF5, 0xF1, 0xE6, 0x7F, 0x3C,
+@@ -112,20 +112,25 @@ static unsigned char dh2048_p[]=
+   0x00, 0x05, 0x85, 0xB7,
+ };
+ 
+-static unsigned char dh2048_g[]={
+static unsigned char dhg_2048[]={
+   0x05,
+ };
+ 
+ static DH *get_dh2048(void)
+ {
+-  DH *dh;
+-  if ((dh=DH_new()))
+  DH *dh = DH_new();
+  BIGNUM *dhp_bn, *dhg_bn;
+
+  if (dh != NULL)
+   {
+-    dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
+-    dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
+-    if (! dh->p || ! dh->g)
+    dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
+    dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
+    if (dhp_bn == NULL || dhg_bn == NULL
+        || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) 
+     {
+       DH_free(dh);
+      BN_free(dhp_bn);
+      BN_free(dhg_bn);
+       dh=0;
+     }
+   }
+@@ -419,9 +424,7 @@ void ssl_start()
+   {
+     ssl_initialized= TRUE;
+ 
+-    SSL_library_init();
+-    OpenSSL_add_all_algorithms();
+-    SSL_load_error_strings();
+    OPENSSL_init_ssl(0, NULL);
+ 
+ #ifndef HAVE_YASSL
+     init_ssl_locks();
--- a/community-mysql.spec
+++ b/community-mysql.spec
@ -90,7 +90,7 @@

 Name:             community-mysql
 Version:          5.7.20
-Release:          2%{?with_debug:.debug}%{?dist}
+Release:          3%{?with_debug:.debug}%{?dist}
 Summary:          MySQL client programs and shared libraries
 Group:            Applications/Databases
 URL:              http://www.mysql.com
@ -133,6 +133,7 @@ Patch7:           %{pkgnamepatch}-md5_fips.patch
 Patch51:          %{pkgnamepatch}-chain-certs.patch
 Patch52:          %{pkgnamepatch}-sharedir.patch
 Patch70:          %{pkgnamepatch}-5.7.9-major.patch
+Patch71:          %{pkgnamepatch}-openssl11.patch

 # Patches taken from boost 1.59
 Patch115: boost-1.58.0-pool.patch
@ -152,11 +153,7 @@ BuildRequires:    mecab-devel
 %ifnarch aarch64 %{arm} s390 s390x
 BuildRequires:    numactl-devel
 %endif
-%if 0%{?fedora} < 26
 BuildRequires:    openssl-devel
-%else
-BuildRequires:    compat-openssl10-devel
-%endif
 %if 0%{?fedora} > 24 || 0%{?rhel} > 7
 BuildRequires:    perl-interpreter
 BuildRequires:    perl-generators
@ -416,6 +413,7 @@ the MySQL sources.
 %if %{with_shared_lib_major_hack}
 %patch70 -p1
 %endif
+%patch71 -p1

 # Patch Boost
 pushd boost/boost_1_59_0
@ -474,7 +472,7 @@ cp %{SOURCE2} %{SOURCE3} %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} \
 %endif

 # build out of source
-mkdir build && pushd build
+mkdir -p build && pushd build

 # The INSTALL_xxx macros have to be specified relative to CMAKE_INSTALL_PREFIX
 # so we can't use %%{_datadir} and so forth here.
@ -974,6 +972,10 @@ fi
 %endif

 %changelog
+* Sat Dec 09 2017 Honza Horak <hhorak@redhat.com> - 5.7.20-3
+- Port for OpenSSL 1.1
+  Fix tests that expect some particular ciphers
+
 * Tue Nov 28 2017 Michal Schorm <mschorm@redhat.com> - 5.7.20-2
 - In F>27 stick to upstream library version naming