MDEV-33863: New mysqladmin command tls-info

client/client_priv.h

@@ -112,6 +112,7 @@ enum options_client
  OPT_IGNORE_SERVER_IDS,
  OPT_DO_SERVER_IDS,
  OPT_SSL_FP, OPT_SSL_FPLIST,
+ OPT_TLS_CERT_INFO,
  OPT_MAX_CLIENT_OPTION /* should be always the last */
 };
 

client/mysqladmin.cc

@@ -92,7 +92,8 @@ enum commands {
  ADMIN_FLUSH_TABLE_STATISTICS, ADMIN_FLUSH_INDEX_STATISTICS,
  ADMIN_FLUSH_USER_STATISTICS, ADMIN_FLUSH_CLIENT_STATISTICS,
  ADMIN_FLUSH_USER_RESOURCES,
- ADMIN_FLUSH_ALL_STATUS, ADMIN_FLUSH_ALL_STATISTICS, ADMIN_FLUSH_SSL
+ ADMIN_FLUSH_ALL_STATUS, ADMIN_FLUSH_ALL_STATISTICS, ADMIN_FLUSH_SSL,
+ ADMIN_TLS_INFO
 };
 static const char *command_names[]= {
  "create", "drop", "shutdown",
@@ -108,6 +109,7 @@ static const char *command_names[]= {
  "flush-table-statistics", "flush-index-statistics",
  "flush-user-statistics", "flush-client-statistics", "flush-user-resources",
  "flush-all-status", "flush-all-statistics", "flush-ssl",
+ "tls-info",
  NullS
 };
 
@@ -772,6 +774,40 @@ static int execute_commands(MYSQL *mysql,int argc, char **argv)
  return -1;
  }
  break;
+ case ADMIN_TLS_INFO:
+ if (mysql_get_ssl_cipher(mysql))
+ {
+ MARIADB_X509_INFO *info;
+ new_line=1;
+ char *version;
+
+ printf("Cipher suite:\t%s\n", mysql_get_ssl_cipher(mysql));
+ mariadb_get_infov(mysql, MARIADB_CONNECTION_TLS_VERSION, &version);
+ printf("TLS version:\t%s\n\n", version);
+
+ mariadb_get_infov(mysql, MARIADB_TLS_PEER_CERT_INFO, &info);
+ if (info)
+ {
+ printf("Peer certificate information:\n\n");
+ printf("Version:\t%d\n", info->version);
+ printf("Issuer:\t\t%s\n\n", info->issuer);
+ printf("Subject:\t%s\n\n", info->subject);
+ printf("Valid not before:\t%04d-%02d-%02d %02d:%02d\n", info->not_before.tm_year + 1900,
+ info->not_before.tm_mon + 1, info->not_before.tm_mday,
+ info->not_before.tm_hour, info->not_before.tm_min);
+ printf("Valid not after:\t%04d-%02d-%02d %02d:%02d\n\n", info->not_after.tm_year + 1900,
+ info->not_after.tm_mon + 1, info->not_after.tm_mday,
+ info->not_after.tm_hour, info->not_after.tm_min);
+ printf("SHA256 fingerprint: %s\n", info->fingerprint);
+ } else {
+ my_printf_error(0, "Unable to retrieve peer certificate", 0);
+ return 1;
+ }
+ } else {
+ my_printf_error(0, "No TLS connection", 0);
+ return 1;
+ }
+ break;
  case ADMIN_VER:
  new_line=1;
  print_version();

mysql-test/main/tls_version.test

@@ -14,11 +14,6 @@
 --exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.2,TLSv1.3 -e "show status like 'ssl_version';"
 # Highest TLS version number should be used (TLSv1.2)
 --exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.1,TLSv1.2 -e "show status like 'ssl_version';"
-# Errors:
-# TLS v1.0 is disabled on server, so we should get an error
---replace_regex /2026 SSL connection error.*/2026 SSL connection error: xxxx/
---error 1
---exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.0 -e "show status like 'ssl_version';"
 # finally list available protocols
 --exec $MYSQL --host=localhost --ssl -e "select @@tls_version;"
 

mysql-test/main/tls_version1.opt

@@ -1 +1 @@
---tls_version=TLSv1.0
+--tls_version=TLSv1.1

mysql-test/main/tls_version1.result

@@ -1,8 +1,6 @@
 Variable_name Value
-Ssl_version TLSv1
-Variable_name Value
-Ssl_version TLSv1
+Ssl_version TLSv1.1
 @@tls_version
-TLSv1.0
+TLSv1.1
 call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
 FOUND 1 /TLSv1.0 and TLSv1.1 are insecure/ in mysqld.1.err

mysql-test/main/tls_version1.test

@@ -5,9 +5,6 @@
 --exec $MYSQL --host=localhost --ssl -e "show status like 'ssl_version';"
 --error 1
 --exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.2 -e "show status like 'ssl_version';"
---error 1
---exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.1 -e "show status like 'ssl_version';"
---exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.0 -e "show status like 'ssl_version';"
 --exec $MYSQL --host=localhost --ssl -e "select @@tls_version;"
 
 call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");