MDEV-14101 Provide an option to select TLS protocol versionbb-10.4-MDEV-14101

Server and command line tools now support option --tls_version to specify the TLS version between client and server. Valid values are TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3 or a combination of them. E.g. --tls_version=TLSv1.3 --tls_version=TLSv1.2,TLSv1.3 In case there is a gap between versions, the lowest version will be used: --tls_version=TLSv1.1,TLSv1.3 -> Only TLSv1.1 will be available. If the used TLS library doesn't support the specified TLS version, it will use the default configuration. Limitations: SSLv3 is not supported. The default configuration doesn't support TLSv1.0 anymore. TLSv1.3 protocol currently is only supported by OpenSSL 1.1.0 (client and server) and GnuTLS 3.6.5 (client only). Overview of TLS implementations and protocols Server: +-----------+-----------------------------------------+ | Library | Supported TLS versions | +-----------+-----------------------------------------+ | WolfSSL | TLSv1.1, TLSv1,2 | +-----------+-----------------------------------------+ | OpenSSL | (TLSv1.0), TLSv1.1, TLSv1,2, TLSv1.3 | +-----------+-----------------------------------------+ | LibreSSL | (TLSv1.0), TLSv1.1, TLSv1,2, TLSv1.3 | +-----------+-----------------------------------------+ Client (MariaDB Connector/C) +-----------+-----------------------------------------+ | Library | Supported TLS versions | +-----------+-----------------------------------------+ | GnuTLS | (TLSv1.0), TLSv1.1, TLSv1.2, TLSv1.3 | +-----------+-----------------------------------------+ | Schannel | (TLSv1.0), TLSv1.1, TLSv1.2 | +-----------+-----------------------------------------+ | OpenSSL | (TLSv1.0), TLSv1.1, TLSv1,2, TLSv1.3 | +-----------+-----------------------------------------+ | LibreSSL | (TLSv1.0), TLSv1.1, TLSv1,2, TLSv1.3 | +-----------+-----------------------------------------+
author: Georg Richter <georg@mariadb.com> 2019-06-11 12:44:16 +0200
committer: Sergei Golubchik <serg@mariadb.org> 2019-06-11 21:54:45 +0200
commit: f3a28eed1a049069df0daa67e4978cd25c43d186 (patch)
tree: 5ae565a2378b804edb51acc4e02fc3bd02006295 /mysql-test
parent: 27fcdb161c8bb1fd21d2706ba17a3326f8221b9c (diff)
download: mariadb-git-bb-10.4-MDEV-14101.tar.gz
9 files changed, 70 insertions, 13 deletions
diff --git a/mysql-test/main/mysqld--help.result b/mysql-test/main/mysqld--help.result
index 402d64445e6..c5630770eff 100644
--- a/mysql-test/main/mysqld--help.result
+++ b/mysql-test/main/mysqld--help.result
@@ -1352,6 +1352,8 @@ The following specify which files/extra groups are read (specified before remain
  --time-format=name  The TIME format (ignored)
  --timed-mutexes     Specify whether to time mutexes. Deprecated, has no
  effect.
+ --tls-version=name  TLS protocol version for secure connections.. Any
+ combination of: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3
  --tmp-disk-table-size=# 
  Max size for data for an internal temporary on-disk
  MyISAM or Aria table.
diff --git a/mysql-test/main/mysqld--help.test b/mysql-test/main/mysqld--help.test
index c2b6424599a..9e67764d765 100644
--- a/mysql-test/main/mysqld--help.test
+++ b/mysql-test/main/mysqld--help.test
@@ -23,7 +23,7 @@ perl;
                log-slow-queries pid-file slow-query-log-file log-basename
                datadir slave-load-tmpdir tmpdir socket thread-pool-size
                large-files-support lower-case-file-system system-time-zone
-               collation-server character-set-server log-tc-size version.*/;
+               collation-server character-set-server log-tc-size tls-version version.*/;
 
   # Plugins which may or may not be there:
   @plugins=qw/innodb archive blackhole federated partition
diff --git a/mysql-test/main/openssl_6975.test b/mysql-test/main/openssl_6975.test
index 6a82d013fb6..bfcb0d56681 100644
--- a/mysql-test/main/openssl_6975.test
+++ b/mysql-test/main/openssl_6975.test
@@ -18,25 +18,25 @@ let $mysql=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$
 
 disable_abort_on_error;
 echo TLS1.2 ciphers: user is ok with any cipher;
-exec $mysql                  --ssl-cipher=AES128-SHA256;
+exec $mysql --tls-version=TLSv1.2 --ssl-cipher=AES128-SHA256;
 --replace_result DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384
-exec $mysql                  --ssl-cipher=TLSv1.2;
+exec $mysql --tls-version=TLSv1.2 --ssl-cipher=TLSv1.2;
 echo TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA;
-exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA256;
-exec $mysql --user ssl_sslv3 --ssl-cipher=TLSv1.2;
+exec $mysql --user ssl_sslv3 --tls-version=TLSv1.2 --ssl-cipher=AES128-SHA256;
+exec $mysql --user ssl_sslv3 --tls-version=TLSv1.2 --ssl-cipher=TLSv1.2;
 echo TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
-exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA256;
-exec $mysql --user ssl_tls12 --ssl-cipher=TLSv1.2;
+exec $mysql --user ssl_tls12 --tls-version=TLSv1.2 --ssl-cipher=AES128-SHA256;
+exec $mysql --user ssl_tls12 --tls-version=TLSv1.2 --ssl-cipher=TLSv1.2;
 
 echo SSLv3 ciphers: user is ok with any cipher;
-exec $mysql                  --ssl-cipher=AES256-SHA;
-exec $mysql                  --ssl-cipher=SSLv3;
+exec $mysql --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=AES256-SHA;
+exec $mysql --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=SSLv3;
 echo SSLv3 ciphers: user requires SSLv3 cipher AES128-SHA;
-exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA;
-exec $mysql --user ssl_sslv3 --ssl-cipher=SSLv3;
+exec $mysql --user ssl_sslv3 --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=AES128-SHA;
+exec $mysql --user ssl_sslv3 --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=SSLv3;
 echo SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
-exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA;
-exec $mysql --user ssl_tls12 --ssl-cipher=SSLv3;
+exec $mysql --user ssl_tls12 --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=AES128-SHA;
+exec $mysql --user ssl_tls12 --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=SSLv3;
 
 drop user ssl_sslv3@localhost;
 drop user ssl_tls12@localhost;
diff --git a/mysql-test/main/tls_version.opt b/mysql-test/main/tls_version.opt
new file mode 100644
index 00000000000..5f30e3749a4
--- /dev/null
+++ b/mysql-test/main/tls_version.opt
@@ -0,0 +1 @@
+--tls_version=TLSv1.1,TLSv1.2
diff --git a/mysql-test/main/tls_version.result b/mysql-test/main/tls_version.result
new file mode 100644
index 00000000000..d1b20a121fe
--- /dev/null
+++ b/mysql-test/main/tls_version.result
@@ -0,0 +1,14 @@
+Variable_name	Value
+Ssl_version	TLSv1.2
+Variable_name	Value
+Ssl_version	TLSv1.2
+Variable_name	Value
+Ssl_version	TLSv1.1
+Variable_name	Value
+Ssl_version	TLSv1.1
+Variable_name	Value
+Ssl_version	TLSv1.2
+Variable_name	Value
+Ssl_version	TLSv1.2
+@@tls_version
+TLSv1.1,TLSv1.2
diff --git a/mysql-test/main/tls_version.test b/mysql-test/main/tls_version.test
new file mode 100644
index 00000000000..875fed19821
--- /dev/null
+++ b/mysql-test/main/tls_version.test
@@ -0,0 +1,24 @@
+# Tests for SSL connections, only run if mysqld is compiled
+# with support for SSL.
+
+-- source include/have_ssl_communication.inc
+#default is highest available version: TLSv1.2
+--exec $MYSQL --host=localhost --ssl -e "show status like 'ssl_version';"
+# TLSv1.2
+--exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.2 -e "show status like 'ssl_version';"
+# TLSv1.1
+--exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.1 -e "show status like 'ssl_version';"
+# if a gap is between TLS versions, lowest version number should be used (TLS1.1)
+--exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.1,TLSv1.3 -e "show status like 'ssl_version';"
+# TLSv1.3 is not enabled, so TLSv1.2 should be used
+--exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.2,TLSv1.3 -e "show status like 'ssl_version';"
+# Highest TLS version number should be used (TLSv1.2)
+--exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.1,TLSv1.2 -e "show status like 'ssl_version';"
+# Errors:
+# TLS v1.0 is disabled on server, so we should get an error
+--replace_regex /2026 SSL connection error.*/2026 SSL connection error: xxxx/
+--error 1
+--exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.0 -e "show status like 'ssl_version';"
+# finally list available protocols
+--exec $MYSQL --host=localhost --ssl -e "select @@tls_version;"
+
diff --git a/mysql-test/suite/sys_vars/inc/sysvars_server.inc b/mysql-test/suite/sys_vars/inc/sysvars_server.inc
index af1b0ce4563..56053449bae 100644
--- a/mysql-test/suite/sys_vars/inc/sysvars_server.inc
+++ b/mysql-test/suite/sys_vars/inc/sysvars_server.inc
@@ -31,6 +31,7 @@ select * from information_schema.system_variables
           'rand_seed1',
           'rand_seed2',
           'system_time_zone',
+          'tls_version',
           'version_comment',
           'version_source_revision',
           'version_compile_machine', 'version_compile_os',
@@ -55,6 +56,7 @@ select VARIABLE_NAME, VARIABLE_SCOPE, VARIABLE_TYPE, VARIABLE_COMMENT,
           'rand_seed1',
           'rand_seed2',
           'system_time_zone',
+          'tls_version',
           'version_comment',
           'version_source_revision',
           'version_compile_machine', 'version_compile_os',
diff --git a/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result b/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result
index 509e098498d..671f7dfac3e 100644
--- a/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result
+++ b/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result
@@ -20,6 +20,7 @@ variable_name not in (
 'rand_seed1',
 'rand_seed2',
 'system_time_zone',
+'tls_version',
 'version_comment',
 'version_source_revision',
 'version_compile_machine', 'version_compile_os',
@@ -4661,6 +4662,7 @@ where variable_name in (
 'rand_seed1',
 'rand_seed2',
 'system_time_zone',
+'tls_version',
 'version_comment',
 'version_source_revision',
 'version_compile_machine', 'version_compile_os',
diff --git a/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result b/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result
index aa75bb6e2f1..134c457dd8d 100644
--- a/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result
+++ b/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result
@@ -20,6 +20,7 @@ variable_name not in (
 'rand_seed1',
 'rand_seed2',
 'system_time_zone',
+'tls_version',
 'version_comment',
 'version_source_revision',
 'version_compile_machine', 'version_compile_os',
@@ -5725,6 +5726,7 @@ where variable_name in (
 'rand_seed1',
 'rand_seed2',
 'system_time_zone',
+'tls_version',
 'version_comment',
 'version_source_revision',
 'version_compile_machine', 'version_compile_os',
@@ -5831,6 +5833,16 @@ NUMERIC_BLOCK_SIZE	NULL
 ENUM_VALUE_LIST	NULL
 READ_ONLY	YES
 COMMAND_LINE_ARGUMENT	NULL
+VARIABLE_NAME	TLS_VERSION
+VARIABLE_SCOPE	GLOBAL
+VARIABLE_TYPE	SET
+VARIABLE_COMMENT	TLS protocol version for secure connections.
+NUMERIC_MIN_VALUE	NULL
+NUMERIC_MAX_VALUE	NULL
+NUMERIC_BLOCK_SIZE	NULL
+ENUM_VALUE_LIST	TLSv1.0,TLSv1.1,TLSv1.2,TLSv1.3
+READ_ONLY	YES
+COMMAND_LINE_ARGUMENT	REQUIRED
 VARIABLE_NAME	VERSION
 VARIABLE_SCOPE	GLOBAL
 VARIABLE_TYPE	VARCHAR
author	Georg Richter <georg@mariadb.com>	2019-06-11 12:44:16 +0200
committer	Sergei Golubchik <serg@mariadb.org>	2019-06-11 21:54:45 +0200
commit	f3a28eed1a049069df0daa67e4978cd25c43d186 (patch)
tree	5ae565a2378b804edb51acc4e02fc3bd02006295 /mysql-test
parent	27fcdb161c8bb1fd21d2706ba17a3326f8221b9c (diff)
download	mariadb-git-bb-10.4-MDEV-14101.tar.gz