From bdf00944ba329efbbdcef5b8f120dfd2db7ce6fc Mon Sep 17 00:00:00 2001
From: John David Duncan <john.duncan@oracle.com>
Date: Fri, 23 Jun 2023 14:36:50 -0700
Subject: [PATCH] WL#15154 patch #7 MTR tests

Add MTR test cases for Transporter TLS Off and Required.

In these tests, transporter connections to mgmd (which are "upgraded"
from MGM connections) still use cleartext, even in the "Required"
scenario. This will be fixed later, in WL#15524, by starting TLS on
the MGM connection before the upgrade.

Change-Id: Id710f47a19ab930914ccf9013d5045d46e51d32d
---
 .../std_data/ndb-tls/active/ndb-api-cert      | 32 +++++++++++++++
 .../ndb-tls/active/ndb-api-private-key        |  5 +++
 .../ndb-tls/active/ndb-data-node-cert         | 31 +++++++++++++++
 .../ndb-tls/active/ndb-data-node-private-key  |  5 +++
 .../ndb-tls/active/ndb-mgm-server-cert        | 32 +++++++++++++++
 .../ndb-tls/active/ndb-mgm-server-private-key |  5 +++
 mysql-test/suite/ndb_tls/my.cnf               |  1 +
 mysql-test/suite/ndb_tls/no_path.cnf          | 14 +++++++
 mysql-test/suite/ndb_tls/no_path.result       |  5 +++
 mysql-test/suite/ndb_tls/no_path.test         | 11 ++++++
 mysql-test/suite/ndb_tls/tls_off_certs.cnf    | 16 ++++++++
 mysql-test/suite/ndb_tls/tls_off_certs.result | 13 +++++++
 mysql-test/suite/ndb_tls/tls_off_certs.test   | 15 +++++++
 mysql-test/suite/ndb_tls/tls_required.cnf     | 22 +++++++++++
 mysql-test/suite/ndb_tls/tls_required.result  | 24 ++++++++++++
 mysql-test/suite/ndb_tls/tls_required.test    | 39 +++++++++++++++++++
 16 files changed, 270 insertions(+)
 create mode 100644 mysql-test/std_data/ndb-tls/active/ndb-api-cert
 create mode 100644 mysql-test/std_data/ndb-tls/active/ndb-api-private-key
 create mode 100644 mysql-test/std_data/ndb-tls/active/ndb-data-node-cert
 create mode 100644 mysql-test/std_data/ndb-tls/active/ndb-data-node-private-key
 create mode 100644 mysql-test/std_data/ndb-tls/active/ndb-mgm-server-cert
 create mode 100644 mysql-test/std_data/ndb-tls/active/ndb-mgm-server-private-key
 create mode 100644 mysql-test/suite/ndb_tls/no_path.cnf
 create mode 100644 mysql-test/suite/ndb_tls/no_path.result
 create mode 100644 mysql-test/suite/ndb_tls/no_path.test
 create mode 100644 mysql-test/suite/ndb_tls/tls_off_certs.cnf
 create mode 100644 mysql-test/suite/ndb_tls/tls_off_certs.result
 create mode 100644 mysql-test/suite/ndb_tls/tls_off_certs.test
 create mode 100644 mysql-test/suite/ndb_tls/tls_required.cnf
 create mode 100644 mysql-test/suite/ndb_tls/tls_required.result
 create mode 100644 mysql-test/suite/ndb_tls/tls_required.test

diff --git a/mysql-test/std_data/ndb-tls/active/ndb-api-cert b/mysql-test/std_data/ndb-tls/active/ndb-api-cert
new file mode 100644
index 000000000000..bfc13d0702e8
--- /dev/null
+++ b/mysql-test/std_data/ndb-tls/active/ndb-api-cert
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIICGDCCAQCgAwIBAgIKe6gT+9hCjqPJBjANBgkqhkiG9w0BAQsFADAoMSYwJAYD
+VQQDDB1NeVNRTCBOREIgQ2x1c3RlciBDZXJ0aWZpY2F0ZTAeFw0yMzAzMTYwNTAx
+MThaFw0yNDA0MTkwNTAxMThaMBwxGjAYBgNVBAMMEU5EQiBOb2RlIE1hciAyMDIz
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOyNOrCPzL3D9s+4jgVwBI7haMMto
+JhCqIi4fFOi/zvt41jfiAl1+U+lUs1scjotlXQCGhjleIM3qL40RYqcv4aMbMBkw
+FwYDVR0RAQH/BA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQB54m3T
+Jh/X0dx0FBwSbvC02sXWYF84rxI8332lttGIcN88IVjO0vMGJJhMm98r97RlE95M
+MY09MYm/yKemXVe+szNANLDfZ/SLkDaUZyJrI6lhznMljj8xnDJN0fRhAnm4iwcT
+vHG0osyTiDm/4CXLr5V3UVDDoDfpktCVSsrstaKOPLMzXhGgat/Y3/hvC0QvvnuC
+/bGcF+5ZJTJTx1lbXE5ef/51oU4u/hi0c6UhuO63+oNM3v+Fdg9wmOz3ITdHfuXp
+MiEjMzY2L5vuB1DrOwlpK9K+PijkbDCjHcntZuDQrviyN/l8VpCuGoUTU53/o4K7
+BV1g75aefCy1+y8s
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC6DCCAdCgAwIBAgILAOJzsRsTdsy+5KIwDQYJKoZIhvcNAQELBQAwKDEmMCQG
+A1UEAwwdTXlTUUwgTkRCIENsdXN0ZXIgQ2VydGlmaWNhdGUwHhcNMjIwNjA2MDEy
+NzAxWhcNMjYwNjA2MDEyNzAxWjAoMSYwJAYDVQQDDB1NeVNRTCBOREIgQ2x1c3Rl
+ciBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJtZ
+p2cfo6Q9TG7krVpfcdKWoAM9yjaWVt7TD6O+N2Zk1fxjgFigQEa20uMwfmaZ4L7n
+djWWpK6oa+TaCdfsNAaAdkE2HXA/mcFsd+fPFXOEELgkPoin83HnFRLWnPnj6wRU
+3O4r7TsDVqgPjEh4O3vmyOUYR7jw3B6rajDVQFtXT54ZrrsoH+QzWX8mX8Q0WSQd
+hKKFekQqnRyLucjJcMfb7B1fLwZGi5dC9/UzDIT4NM0a2mMBL4/9xjg94LYHfTmN
+MbmSaLbYQjuGrCwf3nelQIAq5UZ04/7mQ8mNMyEnXDI37FfMhIX1HzYew5nD4nxE
+sh/8RrFKpqHSayNj1d0CAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
+9w0BAQsFAAOCAQEAJop7adeLAgULgwp4SwXr64DQ7aw2HsSHnI/iCOz6tV96hoDq
+COi02L4M5T8PS/T5/JjawZ82D/Xs2m61c3VTNblxP/WIWPMfTRH3cDd7YDjRPRZE
+xPZvbAJawMnkV/GtMxXPEScJzoIqjugaZ9B2KXCn20EGlXJ82qDBQZT/9HrYNKki
+Cc080C8ybLw2Sm7Ty8SzetS+fMmdfAzqdIHB+IlATOzkhsIvC1A3MG0TP17vtcUW
+JcL0sjI//5kX14Sz63lZl1ecVMl4e8oHrdOtrDfM7m2D4x4dfsn0VehP6ZmqygJ/
+Pzp7VdwefvR0almfGq4hSGgXI1sR8DspPbgItw==
+-----END CERTIFICATE-----
diff --git a/mysql-test/std_data/ndb-tls/active/ndb-api-private-key b/mysql-test/std_data/ndb-tls/active/ndb-api-private-key
new file mode 100644
index 000000000000..fffd6735fcd9
--- /dev/null
+++ b/mysql-test/std_data/ndb-tls/active/ndb-api-private-key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgQ3qE2Dcmyz4pGEtB
+/GC2+lE0er1DhWbIYV82wFoUosuhRANCAAQ7I06sI/MvcP2z7iOBXAEjuFowy2gm
+EKoiLh8U6L/O+3jWN+ICXX5T6VSzWxyOi2VdAIaGOV4gzeovjRFipy/h
+-----END PRIVATE KEY-----
diff --git a/mysql-test/std_data/ndb-tls/active/ndb-data-node-cert b/mysql-test/std_data/ndb-tls/active/ndb-data-node-cert
new file mode 100644
index 000000000000..7c4a43d73864
--- /dev/null
+++ b/mysql-test/std_data/ndb-tls/active/ndb-data-node-cert
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIICADCB6aADAgECAgsAtxUy1a7/x+HiSjANBgkqhkiG9w0BAQsFADAoMSYwJAYD
+VQQDDB1NeVNRTCBOREIgQ2x1c3RlciBDZXJ0aWZpY2F0ZTAeFw0yMzAzMTYwNTAx
+MThaFw0yNDA0MTkwNTAxMThaMCExHzAdBgNVBAMMFk5EQiBEYXRhIE5vZGUgTWFy
+IDIwMjMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATbVN3EfgsY8mAgD9WCkRiI
+OOzFtdS91cvi5QBsnMIvoeLa7pylcncNA7hVHJoAny8IkhY1KbIlIkoBxi21lxFT
+MA0GCSqGSIb3DQEBCwUAA4IBAQARaCq4DFBZGaZk5uKYKUBEqmkaTy6zOGSu+754
+2D8a2kpmk41BJh+gxUkOMGK4cIUHB+QZA8TgekDZR0OXQMrueDkAoj9IvmoQSw6X
+7HOGK0HOhdHGYcMKcQ15npYWcwKTxFbbllwtNDG1EdLOa0zGxeIdN5mEWm2spAhu
+kGRE/Zxii2tB1EChPBZyS09gNSqEOTj7N30phqX9omEIVZixxGGMGq1j059YZDET
+y6Z33YfYCsB0GybD6hFYArLRUkGgSOE3TJ2mE021tcklirWG9hi626BxPDlbwLbj
+NahfVZgv7QBPn2N+ZFVq8rhzh+W7LF6rJadmSgF9oG+sMxr4
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC6DCCAdCgAwIBAgILAOJzsRsTdsy+5KIwDQYJKoZIhvcNAQELBQAwKDEmMCQG
+A1UEAwwdTXlTUUwgTkRCIENsdXN0ZXIgQ2VydGlmaWNhdGUwHhcNMjIwNjA2MDEy
+NzAxWhcNMjYwNjA2MDEyNzAxWjAoMSYwJAYDVQQDDB1NeVNRTCBOREIgQ2x1c3Rl
+ciBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJtZ
+p2cfo6Q9TG7krVpfcdKWoAM9yjaWVt7TD6O+N2Zk1fxjgFigQEa20uMwfmaZ4L7n
+djWWpK6oa+TaCdfsNAaAdkE2HXA/mcFsd+fPFXOEELgkPoin83HnFRLWnPnj6wRU
+3O4r7TsDVqgPjEh4O3vmyOUYR7jw3B6rajDVQFtXT54ZrrsoH+QzWX8mX8Q0WSQd
+hKKFekQqnRyLucjJcMfb7B1fLwZGi5dC9/UzDIT4NM0a2mMBL4/9xjg94LYHfTmN
+MbmSaLbYQjuGrCwf3nelQIAq5UZ04/7mQ8mNMyEnXDI37FfMhIX1HzYew5nD4nxE
+sh/8RrFKpqHSayNj1d0CAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
+9w0BAQsFAAOCAQEAJop7adeLAgULgwp4SwXr64DQ7aw2HsSHnI/iCOz6tV96hoDq
+COi02L4M5T8PS/T5/JjawZ82D/Xs2m61c3VTNblxP/WIWPMfTRH3cDd7YDjRPRZE
+xPZvbAJawMnkV/GtMxXPEScJzoIqjugaZ9B2KXCn20EGlXJ82qDBQZT/9HrYNKki
+Cc080C8ybLw2Sm7Ty8SzetS+fMmdfAzqdIHB+IlATOzkhsIvC1A3MG0TP17vtcUW
+JcL0sjI//5kX14Sz63lZl1ecVMl4e8oHrdOtrDfM7m2D4x4dfsn0VehP6ZmqygJ/
+Pzp7VdwefvR0almfGq4hSGgXI1sR8DspPbgItw==
+-----END CERTIFICATE-----
diff --git a/mysql-test/std_data/ndb-tls/active/ndb-data-node-private-key b/mysql-test/std_data/ndb-tls/active/ndb-data-node-private-key
new file mode 100644
index 000000000000..0a72be21b7e6
--- /dev/null
+++ b/mysql-test/std_data/ndb-tls/active/ndb-data-node-private-key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgcLBjUXRm1C3yc0+U
+s3k0GbR2l+2rnYqUFkzRG7OUSkuhRANCAATbVN3EfgsY8mAgD9WCkRiIOOzFtdS9
+1cvi5QBsnMIvoeLa7pylcncNA7hVHJoAny8IkhY1KbIlIkoBxi21lxFT
+-----END PRIVATE KEY-----
diff --git a/mysql-test/std_data/ndb-tls/active/ndb-mgm-server-cert b/mysql-test/std_data/ndb-tls/active/ndb-mgm-server-cert
new file mode 100644
index 000000000000..d848839c7ce5
--- /dev/null
+++ b/mysql-test/std_data/ndb-tls/active/ndb-mgm-server-cert
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIICIzCCAQugAwIBAgIKIHADuL5fx/uoPjANBgkqhkiG9w0BAQsFADAoMSYwJAYD
+VQQDDB1NeVNRTCBOREIgQ2x1c3RlciBDZXJ0aWZpY2F0ZTAeFw0yMzAzMTYwNTAx
+MThaFw0yNDA0MTkwNTAxMThaMCcxJTAjBgNVBAMMHE5EQiBNYW5hZ2VtZW50IE5v
+ZGUgTWFyIDIwMjMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmsuHpwU+xx8o7
+AV9Pn2TZ3HNvr9p311Ix4lJjc68d2jZHEQnh/U9ymVB4aDCxbFpTG5c4xPEz6Jdo
+nHrsonskoxswGTAXBgNVHREBAf8EDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQEL
+BQADggEBAGrk2sWxAvrp7XfcawerV2oAQhvRXplhxWzY3wS0VinbJSGCnqCeHHvC
+fJ4oYwhcqobkA1hMD0uQepdH2nLs5TTHEncwF2s++n565sqw/Vj77Ew1ayqo/6ml
+/Np5ccnzCks7eas+mIKi+Z/0YAtUSbZHkjCyhkGDnHpXAD4ZhM3rlXcLBbWhfmLT
+v/bua1W/MkyLBfI0zR7VSi+t/DzsF1Ga8tHzi/ZrMYmRayqVw8xB1cVeoPqPK++i
+J7pTnOokfBrqVv26D5ne6fNVLp4iWhTTmp+BinMFNOmCGcrvMzUfOFoeaOoh6pG/
+18qS23O6VP2GdGwxomZggluykKc+TFA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC6DCCAdCgAwIBAgILAOJzsRsTdsy+5KIwDQYJKoZIhvcNAQELBQAwKDEmMCQG
+A1UEAwwdTXlTUUwgTkRCIENsdXN0ZXIgQ2VydGlmaWNhdGUwHhcNMjIwNjA2MDEy
+NzAxWhcNMjYwNjA2MDEyNzAxWjAoMSYwJAYDVQQDDB1NeVNRTCBOREIgQ2x1c3Rl
+ciBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJtZ
+p2cfo6Q9TG7krVpfcdKWoAM9yjaWVt7TD6O+N2Zk1fxjgFigQEa20uMwfmaZ4L7n
+djWWpK6oa+TaCdfsNAaAdkE2HXA/mcFsd+fPFXOEELgkPoin83HnFRLWnPnj6wRU
+3O4r7TsDVqgPjEh4O3vmyOUYR7jw3B6rajDVQFtXT54ZrrsoH+QzWX8mX8Q0WSQd
+hKKFekQqnRyLucjJcMfb7B1fLwZGi5dC9/UzDIT4NM0a2mMBL4/9xjg94LYHfTmN
+MbmSaLbYQjuGrCwf3nelQIAq5UZ04/7mQ8mNMyEnXDI37FfMhIX1HzYew5nD4nxE
+sh/8RrFKpqHSayNj1d0CAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
+9w0BAQsFAAOCAQEAJop7adeLAgULgwp4SwXr64DQ7aw2HsSHnI/iCOz6tV96hoDq
+COi02L4M5T8PS/T5/JjawZ82D/Xs2m61c3VTNblxP/WIWPMfTRH3cDd7YDjRPRZE
+xPZvbAJawMnkV/GtMxXPEScJzoIqjugaZ9B2KXCn20EGlXJ82qDBQZT/9HrYNKki
+Cc080C8ybLw2Sm7Ty8SzetS+fMmdfAzqdIHB+IlATOzkhsIvC1A3MG0TP17vtcUW
+JcL0sjI//5kX14Sz63lZl1ecVMl4e8oHrdOtrDfM7m2D4x4dfsn0VehP6ZmqygJ/
+Pzp7VdwefvR0almfGq4hSGgXI1sR8DspPbgItw==
+-----END CERTIFICATE-----
diff --git a/mysql-test/std_data/ndb-tls/active/ndb-mgm-server-private-key b/mysql-test/std_data/ndb-tls/active/ndb-mgm-server-private-key
new file mode 100644
index 000000000000..bde1c80be99f
--- /dev/null
+++ b/mysql-test/std_data/ndb-tls/active/ndb-mgm-server-private-key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgA/Q1pd10WI3oLjR5
+flzbpFS2Rg+8NIgEZTXb94McjpihRANCAATmsuHpwU+xx8o7AV9Pn2TZ3HNvr9p3
+11Ix4lJjc68d2jZHEQnh/U9ymVB4aDCxbFpTG5c4xPEz6JdonHrsonsk
+-----END PRIVATE KEY-----
diff --git a/mysql-test/suite/ndb_tls/my.cnf b/mysql-test/suite/ndb_tls/my.cnf
index 94e262b926d5..cb320746509b 100644
--- a/mysql-test/suite/ndb_tls/my.cnf
+++ b/mysql-test/suite/ndb_tls/my.cnf
@@ -24,6 +24,7 @@ ndbcluster
 ndb-wait-connected=30
 ndb-wait-setup=120
 ndb-extra-logging=99
+ndb-tls-search-path=$MYSQLTEST_VARDIR/mysql_cluster.1
 
 [cluster_config.mysqld.1.1]
 NodeId=51
diff --git a/mysql-test/suite/ndb_tls/no_path.cnf b/mysql-test/suite/ndb_tls/no_path.cnf
new file mode 100644
index 000000000000..be59862d8c9d
--- /dev/null
+++ b/mysql-test/suite/ndb_tls/no_path.cnf
@@ -0,0 +1,14 @@
+!include suite/ndb_tls/my.cnf
+
+[ndb_mgmd.1.1]
+ndb-tls-search-path=
+
+[ndbd.1.1]
+ndb-tls-search-path=
+
+[ndbd.2.1]
+ndb-tls-search-path=
+
+[mysqld]
+ndb-tls-search-path=
+
diff --git a/mysql-test/suite/ndb_tls/no_path.result b/mysql-test/suite/ndb_tls/no_path.result
new file mode 100644
index 000000000000..0bd68aad3d9d
--- /dev/null
+++ b/mysql-test/suite/ndb_tls/no_path.result
@@ -0,0 +1,5 @@
+SHOW VARIABLES LIKE 'ndb_tls_search_path';
+Variable_name	Value
+ndb_tls_search_path	
+SELECT * FROM ndbinfo.certificates;
+Node_id	Name	Expires	Serial
diff --git a/mysql-test/suite/ndb_tls/no_path.test b/mysql-test/suite/ndb_tls/no_path.test
new file mode 100644
index 000000000000..a30801cc96d8
--- /dev/null
+++ b/mysql-test/suite/ndb_tls/no_path.test
@@ -0,0 +1,11 @@
+--source include/have_ndb.inc
+--source suite/ndb_tls/include/check_openssl.inc
+
+# Test with TLS search path set to an empty string
+
+# The MySQL server is up
+SHOW VARIABLES LIKE 'ndb_tls_search_path';
+
+# The certificates table is empty.
+SELECT * FROM ndbinfo.certificates;
+
diff --git a/mysql-test/suite/ndb_tls/tls_off_certs.cnf b/mysql-test/suite/ndb_tls/tls_off_certs.cnf
new file mode 100644
index 000000000000..94f79e1f09f1
--- /dev/null
+++ b/mysql-test/suite/ndb_tls/tls_off_certs.cnf
@@ -0,0 +1,16 @@
+!include suite/ndb_tls/my.cnf
+
+[ndbd.1.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+[ndbd.2.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+[ndb_mgmd.1.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+[mysqld.1.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+
+
diff --git a/mysql-test/suite/ndb_tls/tls_off_certs.result b/mysql-test/suite/ndb_tls/tls_off_certs.result
new file mode 100644
index 000000000000..e83f767f2ba2
--- /dev/null
+++ b/mysql-test/suite/ndb_tls/tls_off_certs.result
@@ -0,0 +1,13 @@
+SELECT * FROM ndbinfo.certificates order by Node_id;
+Node_id	Name	Expires	Serial
+1	NDB Data Node Mar 2023	19-Apr-2024	B7:15:32:D5:AE:FF:C7:E1:E2
+2	NDB Data Node Mar 2023	19-Apr-2024	B7:15:32:D5:AE:FF:C7:E1:E2
+SELECT node_id, remote_node_id, encrypted from ndbinfo.transporters
+WHERE status = 'CONNECTED' ORDER BY node_id, remote_node_id;
+node_id	remote_node_id	encrypted
+1	2	0
+1	3	0
+1	51	0
+2	1	0
+2	3	0
+2	51	0
diff --git a/mysql-test/suite/ndb_tls/tls_off_certs.test b/mysql-test/suite/ndb_tls/tls_off_certs.test
new file mode 100644
index 000000000000..893b6fc470ef
--- /dev/null
+++ b/mysql-test/suite/ndb_tls/tls_off_certs.test
@@ -0,0 +1,15 @@
+--source include/have_ndb.inc
+--source suite/ndb_tls/include/check_openssl.inc
+
+# Data node certs exist and are visible in ndbinfo
+
+# Expect 2 node certificates.
+# ndbinfo is aware of DB certs that belong to each data node, but it
+# is not aware of any API or MGM certs because no data node has a TLS
+# connection to an MGM or API node.
+#
+SELECT * FROM ndbinfo.certificates order by Node_id;
+
+# Expect all connections unencrypted 
+SELECT node_id, remote_node_id, encrypted from ndbinfo.transporters
+WHERE status = 'CONNECTED' ORDER BY node_id, remote_node_id;
diff --git a/mysql-test/suite/ndb_tls/tls_required.cnf b/mysql-test/suite/ndb_tls/tls_required.cnf
new file mode 100644
index 000000000000..a6c5d9aaf2b1
--- /dev/null
+++ b/mysql-test/suite/ndb_tls/tls_required.cnf
@@ -0,0 +1,22 @@
+!include suite/ndb_tls/my.cnf
+
+[cluster_config.ndbd.1.1]
+RequireTls=true
+
+[cluster_config.ndbd.2.1]
+RequireTls=true
+
+[ndbd.1.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+[ndbd.2.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+[ndb_mgmd.1.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+
+[mysqld.1.1]
+ndb-tls-search-path=$MYSQLTEST_VARDIR/std_data/ndb-tls/active
+ndb-cluster-connection-pool=2
+ndb-cluster-connection-pool-nodeids=51,52
+
diff --git a/mysql-test/suite/ndb_tls/tls_required.result b/mysql-test/suite/ndb_tls/tls_required.result
new file mode 100644
index 000000000000..e857d661c31a
--- /dev/null
+++ b/mysql-test/suite/ndb_tls/tls_required.result
@@ -0,0 +1,24 @@
+SELECT * FROM ndbinfo.certificates order by Node_id;
+Node_id	Name	Expires	Serial
+1	NDB Data Node Mar 2023	19-Apr-2024	B7:15:32:D5:AE:FF:C7:E1:E2
+2	NDB Data Node Mar 2023	19-Apr-2024	B7:15:32:D5:AE:FF:C7:E1:E2
+51	NDB Node Mar 2023	19-Apr-2024	7B:A8:13:FB:D8:42:8E:A3:C9
+52	NDB Node Mar 2023	19-Apr-2024	7B:A8:13:FB:D8:42:8E:A3:C9
+SELECT node_id, remote_node_id, encrypted from ndbinfo.transporters
+WHERE status = 'CONNECTED' ORDER BY node_id, remote_node_id;
+node_id	remote_node_id	encrypted
+1	2	1
+1	3	0
+1	51	1
+1	52	1
+2	1	1
+2	3	0
+2	51	1
+2	52	1
+Use test;
+CREATE TABLE t (i int primary key not null, j int) engine = ndb;
+INSERT INTO t VALUES(1, 1);
+SELECT * FROM t;
+i	j
+1	1
+DROP TABLE t;
diff --git a/mysql-test/suite/ndb_tls/tls_required.test b/mysql-test/suite/ndb_tls/tls_required.test
new file mode 100644
index 000000000000..db943acb4835
--- /dev/null
+++ b/mysql-test/suite/ndb_tls/tls_required.test
@@ -0,0 +1,39 @@
+--source include/have_ndb.inc
+--source suite/ndb_tls/include/check_openssl.inc
+
+# Test with RequireTls=true.
+
+# This test uses two NDB cluster connections from the mysql server
+
+# At startup, all nodes have active certificates in std_data/
+#
+# To refresh these:
+#
+# mtr --start ndb_tls.tls_required    (TO START MGMD)
+# Then, in the source tree:
+#
+#   cd mysql-test/std_data/ndb-tls
+#   ndb_sign_keys -C CA-cert.pem -K CA-key.pem -c localhost:13000 \
+#    --CA-search-path=. --ndb-tls-search-path=active \
+#    --schedule=400,0,400,0,400,0
+#
+# Then enter the CA passphrase, which is "Stockholm".
+#
+# Commit the three new cert files, and discard the retired files.
+
+
+# Expect 3 keys and 3 certificates for 7 nodes
+#
+SELECT * FROM ndbinfo.certificates order by Node_id;
+
+## Expect 6 encrypted links, plus two unencrypted links to node 3
+#
+SELECT node_id, remote_node_id, encrypted from ndbinfo.transporters
+WHERE status = 'CONNECTED' ORDER BY node_id, remote_node_id;
+
+# Manage some data
+Use test;
+CREATE TABLE t (i int primary key not null, j int) engine = ndb;
+INSERT INTO t VALUES(1, 1);
+SELECT * FROM t;
+DROP TABLE t;