Merge pull request #535 from sodabrew/travis_ssl

Enable SSL tests on Travis

Author: sodabrew

.travis.yml

@@ -7,17 +7,7 @@ before_install:
   - |
     bash -c " # Install MariaDB if DB=mariadb
     if [[ x$DB =~ xmariadb ]]; then
-      sudo service mysql stop
-      sudo apt-get purge '^mysql*' 'libmysql*'
-      sudo apt-get install python-software-properties
-      sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xcbcb082a1bb943db
-      if [[ x$DB = xmariadb55 ]]; then
-        sudo add-apt-repository 'deb http://ftp.osuosl.org/pub/mariadb/repo/5.5/ubuntu precise main'
-      elif [[ x$DB = xmariadb10 ]]; then
-        sudo add-apt-repository 'deb http://ftp.osuosl.org/pub/mariadb/repo/10.0/ubuntu precise main'
-      fi
-      sudo apt-get update
-      sudo apt-get -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold -y install mariadb-server libmariadbd-dev
+      sudo bash .travis_mariadb.sh '$DB'
     fi
     "
   - |
@@ -27,6 +17,10 @@ before_install:
       mysql.server start
     fi
     "
+  - |
+    bash -c " # Configure SSL support
+    sudo bash .travis_ssl.sh
+    "
   - mysqld --version
   - mysql -u root -e "CREATE DATABASE IF NOT EXISTS test"
 os:

.travis_mariadb.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+service mysql stop
+apt-get purge '^mysql*' 'libmysql*'
+apt-get install python-software-properties
+apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xcbcb082a1bb943db
+
+if [[ x$1 = xmariadb55 ]]; then
+  add-apt-repository 'deb http://ftp.osuosl.org/pub/mariadb/repo/5.5/ubuntu precise main'
+elif [[ x$1 = xmariadb10 ]]; then
+  add-apt-repository 'deb http://ftp.osuosl.org/pub/mariadb/repo/10.0/ubuntu precise main'
+fi
+
+apt-get update
+apt-get -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold -y install mariadb-server libmariadbd-dev

.travis_ssl.sh

@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# Halt the tests on error
+set -e
+
+# Whever MySQL configs live, go there (this is for cross-platform)
+cd $(my_print_defaults --help | grep my.cnf | xargs find 2>/dev/null | xargs dirname)
+
+# Create config files to run openssl in batch mode
+# Set the CA startdate to yesterday to avoid "ASN: before date in the future"
+# (there can be 90k seconds in a daylight saving change day)
+
+echo "
+[ ca ]
+default_startdate = $(ruby -e 'print (Time.now - 90000).strftime("%y%m%d000000Z")')
+
+[ req ]
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+# If this isn't set, the error is "error, no objects specified in config file"
+commonName = Common Name (hostname, IP, or your name)
+
+countryName_default            = US
+stateOrProvinceName_default    = CA
+localityName_default           = San Francisco
+0.organizationName_default     = test_example
+organizationalUnitName_default = Testing
+emailAddress_default           = [email protected]
+" | tee ca.cnf cert.cnf
+
+# The client and server certs must have a diferent common name than the CA
+# to avoid "SSL connection error: error:00000001:lib(0):func(0):reason(1)"
+
+echo "
+commonName_default             = ca_name
+" >> ca.cnf
+
+echo "
+commonName_default             = cert_name
+" >> cert.cnf
+
+# Generate a set of certificates
+openssl genrsa -out ca-key.pem 2048
+openssl req -new -x509 -nodes -days 1000 -key ca-key.pem -out ca-cert.pem -batch -config ca.cnf
+openssl req -newkey rsa:2048 -days 1000 -nodes -keyout pkcs8-server-key.pem -out server-req.pem -batch -config cert.cnf
+openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
+openssl req -newkey rsa:2048 -days 1000 -nodes -keyout pkcs8-client-key.pem -out client-req.pem -batch -config cert.cnf
+openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
+
+# Convert format from PKCS#8 to PKCS#1
+openssl rsa -in pkcs8-server-key.pem -out server-key.pem
+openssl rsa -in pkcs8-client-key.pem -out client-key.pem
+
+# Put the configs into the server
+echo "
+[mysqld]
+ssl-ca=/etc/mysql/ca-cert.pem
+ssl-cert=/etc/mysql/server-cert.pem
+ssl-key=/etc/mysql/server-key.pem
+" >> my.cnf
+
+# FIXME The startdate code above isn't doing the trick, we must wait until the minute moves
+ruby -e 'start = Time.now.min; while Time.now.min == start; sleep 2; end'
+
+# Ok, let's see what we got!
+service mysql restart || brew services restart mysql

ext/mysql2/client.c

@@ -169,26 +169,30 @@ static void *nogvl_connect(void *ptr) {
 
 #ifndef _WIN32
 /*
- * Redirect clientfd to a dummy socket for mysql_close to
- * write, shutdown, and close on as a no-op.
- * We do this hack because we want to call mysql_close to release
- * memory, but do not want mysql_close to drop connections in the
- * parent if the socket got shared in fork.
+ * Redirect clientfd to /dev/null for mysql_close and SSL_close to write,
+ * shutdown, and close. The hack is needed to prevent shutdown() from breaking
+ * a socket that may be in use by the parent or other processes after fork.
+ *
+ * /dev/null is used to absorb writes; previously a dummy socket was used, but
+ * it could not abosrb writes and caused openssl to go into an infinite loop.
+ *
  * Returns Qtrue or Qfalse (success or failure)
+ *
+ * Note: if this function is needed on Windows, use "nul" instead of "/dev/null"
  */
 static VALUE invalidate_fd(int clientfd)
 {
 #ifdef SOCK_CLOEXEC
   /* Atomically set CLOEXEC on the new FD in case another thread forks */
-  int sockfd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
+  int sockfd = open("/dev/null", O_RDWR | O_CLOEXEC);
   if (sockfd < 0) {
     /* Maybe SOCK_CLOEXEC is defined but not available on this kernel */
-    int sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
+    int sockfd = open("/dev/null", O_RDWR);
     fcntl(sockfd, F_SETFD, FD_CLOEXEC);
   }
 #else
   /* Well we don't have SOCK_CLOEXEC, so just set FD_CLOEXEC quickly */
-  int sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
+  int sockfd = open("/dev/null", O_RDWR);
   fcntl(sockfd, F_SETFD, FD_CLOEXEC);
 #endif
 

spec/mysql2/client_spec.rb

@@ -109,17 +109,20 @@ def connect *args
   end
 
   it "should be able to connect via SSL options" do
-    ssl = @client.query "SHOW VARIABLES LIKE 'have_%ssl'"
-    ssl_enabled = ssl.any? {|x| x['Value'] == 'ENABLED'}
-    pending("DON'T WORRY, THIS TEST PASSES - but SSL is not enabled in your MySQL daemon.") unless ssl_enabled
-    pending("DON'T WORRY, THIS TEST PASSES - but you must update the SSL cert paths in this test and remove this pending state.")
+    ssl = @client.query "SHOW VARIABLES LIKE 'have_ssl'"
+    ssl_uncompiled = ssl.any? {|x| x['Value'] == 'OFF'}
+    pending("DON'T WORRY, THIS TEST PASSES - but SSL is not compiled into your MySQL daemon.") if ssl_uncompiled
+    ssl_disabled = ssl.any? {|x| x['Value'] == 'DISABLED'}
+    pending("DON'T WORRY, THIS TEST PASSES - but SSL is not enabled in your MySQL daemon.") if ssl_disabled
+
+    # You may need to adjust the lines below to match your SSL certificate paths
     ssl_client = nil
     lambda {
       ssl_client = Mysql2::Client.new(
-        :sslkey => '/path/to/client-key.pem',
-        :sslcert => '/path/to/client-cert.pem',
-        :sslca => '/path/to/ca-cert.pem',
-        :sslcapath => '/path/to/newcerts/',
+        :sslkey    => '/etc/mysql/client-key.pem',
+        :sslcert   => '/etc/mysql/client-cert.pem',
+        :sslca     => '/etc/mysql/ca-cert.pem',
+        :sslcapath => '/etc/mysql/',
         :sslcipher => 'DHE-RSA-AES256-SHA'
       )
     }.should_not raise_error(Mysql2::Error)