mirror of
https://github.com/MariaDB/server.git
synced 2025-10-26 16:38:11 +01:00
be164fc401
SSL_CTX_set_ciphersuites() sets the TLSv1.3 cipher suites. SSL_CTX_set_cipher_list() sets the ciphers for TLSv1.2 and below. The current TLS configuration logic will not perform SSL_CTX_set_cipher_list() to configure TLSv1.2 ciphers if the call to SSL_CTX_set_ciphersuites() was successful. The call to SSL_CTX_set_ciphersuites() is successful if any TLSv1.3 cipher suite is passed into `--ssl-cipher`. This is a potential security vulnerability because users trying to restrict specific secure ciphers for TLSv1.3 and TLSv1.2, would unknowingly still have the database support insecure TLSv1.2 ciphers. For example: If setting `--ssl_cipher=TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256`, the database would still support all possible TLSv1.2 ciphers rather than only ECDHE-RSA-AES128-GCM-SHA256. The solution is to execute both SSL_CTX_set_ciphersuites() and SSL_CTX_set_cipher_list() even if the first call succeeds. This allows the configuration of exactly which TLSv1.3 and TLSv1.2 ciphers to support. Note that there is 1 behavior change with this. When specifying only TLSv1.3 ciphers to `--ssl-cipher`, the database will not support any TLSv1.2 cipher. However, this does not impose a security risk and considering TLSv1.3 is the modern protocol, this behavior should be fine. All TLSv1.3 ciphers are still supported if only TLSv1.2 ciphers are specified through `--ssl-cipher`. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
43 lines
2.5 KiB
Text
43 lines
2.5 KiB
Text
--source include/have_ssl_communication.inc
|
|
--source include/require_openssl_client.inc
|
|
--source include/have_tlsv13.inc
|
|
|
|
#
|
|
# BUG - SSL_CIPHER SYSTEM VARIABLE CANNOT CONFIGURE TLSV1.3 AND TLSV1.2 CIPHERS AT THE SAME TIME
|
|
#
|
|
# If users specify TLSv1.3 and TLSv1.2 ciphers, it will only configure the
|
|
# TLSv1.3 ciphers correctly but then it will keep all TLSv1.2 ciphers enabled.
|
|
#
|
|
# This is a potential security vulnerability because users trying to restrict
|
|
# secure TLSv1.3 and TLSv1.2 ciphers will unintentionally have insecure TLSv1.2
|
|
# ciphers enabled on the database.
|
|
#
|
|
let $restart_parameters=--ssl-cipher=TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384;
|
|
source include/restart_mysqld.inc;
|
|
|
|
--exec $MYSQL --host=localhost --ssl-cipher=TLS_AES_128_GCM_SHA256 --tls-version=TLSv1.3 -e "SHOW STATUS LIKE 'Ssl_cipher%';"
|
|
--exec $MYSQL --host=localhost --ssl-cipher=ECDHE-RSA-AES256-GCM-SHA384 --tls-version=TLSv1.2 -e "SHOW STATUS LIKE 'Ssl_cipher%';"
|
|
|
|
# Check that other ciphers are correctly not supported by the server
|
|
--replace_regex /sslv3 alert handshake failure/ssl\/tls alert handshake failure/
|
|
--error 1
|
|
--exec $MYSQL --host=localhost --ssl-cipher=TLS_AES_256_GCM_SHA384 --tls-version=TLSv1.3 -e "SHOW STATUS LIKE 'Ssl_cipher';" 2>&1
|
|
|
|
--replace_regex /sslv3 alert handshake failure/ssl\/tls alert handshake failure/
|
|
--error 1
|
|
--exec $MYSQL --host=localhost --ssl-cipher=ECDHE-RSA-AES128-GCM-SHA256 --tls-version=TLSv1.2 -e "SHOW STATUS LIKE 'Ssl_cipher';" 2>&1
|
|
|
|
# TLSv1.3 ciphers are still supported if only TLSv1.2 ciphers are passed to --ssl-cipher
|
|
let $restart_parameters=--ssl-cipher=ECDHE-RSA-AES256-GCM-SHA384;
|
|
source include/restart_mysqld.inc;
|
|
--exec $MYSQL --host=localhost --ssl-cipher=TLS_AES_128_GCM_SHA256 --tls-version=TLSv1.3 -e "SHOW STATUS LIKE 'Ssl_cipher';"
|
|
--exec $MYSQL --host=localhost --ssl-cipher=ECDHE-RSA-AES256-GCM-SHA384 --tls-version=TLSv1.2 -e "SHOW STATUS LIKE 'Ssl_cipher';"
|
|
--error 1
|
|
--exec $MYSQL --host=localhost --ssl-cipher=ECDHE-RSA-AES128-GCM-SHA256 --tls-version=TLSv1.2 -e "SHOW STATUS LIKE 'Ssl_cipher';"
|
|
|
|
# TLSv1.2 ciphers are not supported if only TLSv1.3 ciphers are passed to --ssl-cipher
|
|
let $restart_parameters=--ssl-cipher=TLS_AES_128_GCM_SHA256;
|
|
source include/restart_mysqld.inc;
|
|
--exec $MYSQL --host=localhost --ssl-cipher=TLS_AES_128_GCM_SHA256 --tls-version=TLSv1.3 -e "SHOW STATUS LIKE 'Ssl_cipher%';"
|
|
--error 1
|
|
--exec $MYSQL --host=localhost --ssl-cipher=ECDHE-RSA-AES128-GCM-SHA256 --tls-version=TLSv1.2 -e "SHOW STATUS LIKE 'Ssl_cipher';"
|