Accept the ciphers property in connection ssl option

closes mysqljs#1185

Author: dougwilson

Changes.md

@@ -6,6 +6,7 @@ you spot any mistakes.
 
 ## HEAD
 
+* Accept the `ciphers` property in connection `ssl` option #1185
 * Fix bad timezone conversion from `Date` to string for certain times #1045 #1155
 
 ## v2.8.0 (2015-07-13)

lib/Connection.js

@@ -278,10 +278,11 @@ if (tls.TLSSocket) {
   // 0.11+ environment
   Connection.prototype._startTLS = function _startTLS(onSecure) {
     var secureContext = tls.createSecureContext({
-      key        : this.config.ssl.key,
+      ca         : this.config.ssl.ca,
       cert       : this.config.ssl.cert,
-      passphrase : this.config.ssl.passphrase,
-      ca         : this.config.ssl.ca
+      ciphers    : this.config.ssl.ciphers,
+      key        : this.config.ssl.key,
+      passphrase : this.config.ssl.passphrase
     });
 
     // "unpipe"
@@ -319,10 +320,11 @@ if (tls.TLSSocket) {
     //  _socket <-> securePair.encrypted <-> securePair.cleartext <-> _protocol
 
     var credentials = Crypto.createCredentials({
-      key        : this.config.ssl.key,
+      ca         : this.config.ssl.ca,
       cert       : this.config.ssl.cert,
-      passphrase : this.config.ssl.passphrase,
-      ca         : this.config.ssl.ca
+      ciphers    : this.config.ssl.ciphers,
+      key        : this.config.ssl.key,
+      passphrase : this.config.ssl.passphrase
     });
 
     var rejectUnauthorized = this.config.ssl.rejectUnauthorized;

test/FakeServer.js

@@ -56,6 +56,7 @@ function FakeConnection(socket) {
   EventEmitter.call(this);
 
   this._socket = socket;
+  this._ssl    = null;
   this._stream = socket;
   this._parser = new Parser({onPacket: this._parsePacket.bind(this)});
 
@@ -206,6 +207,39 @@ FakeConnection.prototype._handleQueryPacket = function _handleQueryPacket(packet
     return;
   }
 
+  if ((match = /^SHOW STATUS LIKE 'Ssl_cipher';?$/i.exec(sql))) {
+    this._sendPacket(new Packets.ResultSetHeaderPacket({
+      fieldCount: 2
+    }));
+
+    this._sendPacket(new Packets.FieldPacket({
+      catalog    : 'def',
+      charsetNr  : Charsets.UTF8_GENERAL_CI,
+      name       : 'Variable_name',
+      protocol41 : true,
+      type       : Types.VARCHAR
+    }));
+
+    this._sendPacket(new Packets.FieldPacket({
+      catalog    : 'def',
+      charsetNr  : Charsets.UTF8_GENERAL_CI,
+      name       : 'Value',
+      protocol41 : true,
+      type       : Types.VARCHAR
+    }));
+
+    this._sendPacket(new Packets.EofPacket());
+
+    var writer = new PacketWriter();
+    writer.writeLengthCodedString('Ssl_cipher');
+    writer.writeLengthCodedString(this._ssl ? this._ssl.getCurrentCipher().name : '');
+    this._stream.write(writer.toBuffer(this._parser));
+
+    this._sendPacket(new Packets.EofPacket());
+    this._parser.resetPacketNumber();
+    return;
+  }
+
   if (/INVALID/i.test(sql)) {
     this._sendPacket(new Packets.ErrorPacket({
       errno   : Errors.ER_PARSE_ERROR,
@@ -408,6 +442,11 @@ if (tls.TLSSocket) {
     secureSocket.on('data', this._handleData.bind(this));
     this._stream = secureSocket;
 
+    var conn = this;
+    secureSocket.on('secure', function () {
+      conn._ssl = this.ssl;
+    });
+
     // resume
     var parser = this._parser;
     process.nextTick(function() {
@@ -432,6 +471,11 @@ if (tls.TLSSocket) {
     securePair.cleartext.on('data', this._handleData.bind(this));
     securePair.encrypted.pipe(this._socket);
 
+    var conn = this;
+    securePair.on('secure', function () {
+      conn._ssl = this.ssl;
+    });
+
     // resume
     var parser = this._parser;
     process.nextTick(function() {

test/common.js

@@ -135,9 +135,10 @@ common.getTestConfig = function(config) {
 
 common.getSSLConfig = function() {
   return {
-    ca   : fs.readFileSync(path.join(common.fixtures, 'server.crt'), 'ascii'),
-    cert : fs.readFileSync(path.join(common.fixtures, 'server.crt'), 'ascii'),
-    key  : fs.readFileSync(path.join(common.fixtures, 'server.key'), 'ascii')
+    ca      : fs.readFileSync(path.join(common.fixtures, 'server.crt'), 'ascii'),
+    cert    : fs.readFileSync(path.join(common.fixtures, 'server.crt'), 'ascii'),
+    ciphers : 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH',
+    key     : fs.readFileSync(path.join(common.fixtures, 'server.key'), 'ascii')
   };
 };
 

test/unit/connection/test-connection-ssl-ciphers.js

@@ -0,0 +1,31 @@
+var assert     = require('assert');
+var common     = require('../../common');
+var connection = common.createConnection({
+  port : common.fakeServerPort,
+  ssl  : {
+    ca      : common.getSSLConfig().ca,
+    ciphers : 'RC4-SHA'
+  }
+});
+
+var server = common.createFakeServer();
+
+server.listen(common.fakeServerPort, function (err) {
+  assert.ifError(err);
+
+  connection.query('SHOW STATUS LIKE \'Ssl_cipher\';', function (err, rows) {
+    assert.ifError(err);
+    assert.equal(rows.length, 1);
+    assert.equal(rows[0].Variable_name, 'Ssl_cipher');
+    assert.equal(rows[0].Value, 'RC4-SHA');
+
+    connection.destroy();
+    server.destroy();
+  });
+});
+
+server.on('connection', function (incomingConnection) {
+  incomingConnection.handshake({
+    serverCapabilities1: common.ClientConstants.CLIENT_SSL
+  });
+});