Server and command line tools now support the option --tls_version to specify the TLS version(s) allowed between client and server. Valid values are TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3 or a combination of them, e.g. --tls_version=TLSv1.3 or --tls_version=TLSv1.2,TLSv1.3.

In case there is a gap between the listed versions, the lowest version will be used: --tls_version=TLSv1.1,TLSv1.3 -> only TLSv1.1 will be available.

If the TLS library in use doesn't support the specified TLS version, the default configuration is used instead (this is not reported as an error), so verify the negotiated version on the connection rather than assuming the option took effect.

Limitations: SSLv3 is not supported. The default configuration doesn't support TLSv1.0 anymore. The TLSv1.3 protocol is currently only supported by OpenSSL 1.1.0 (client and server) and GnuTLS 3.6.5 (client only).

Overview of TLS implementations and protocols

Server:
+-----------+-----------------------------------------+
| Library   | Supported TLS versions                  |
+-----------+-----------------------------------------+
| WolfSSL   | TLSv1.1, TLSv1.2                        |
+-----------+-----------------------------------------+
| OpenSSL   | (TLSv1.0), TLSv1.1, TLSv1.2, TLSv1.3    |
+-----------+-----------------------------------------+
| LibreSSL  | (TLSv1.0), TLSv1.1, TLSv1.2, TLSv1.3    |
+-----------+-----------------------------------------+

Client (MariaDB Connector/C):
+-----------+-----------------------------------------+
| Library   | Supported TLS versions                  |
+-----------+-----------------------------------------+
| GnuTLS    | (TLSv1.0), TLSv1.1, TLSv1.2, TLSv1.3    |
+-----------+-----------------------------------------+
| Schannel  | (TLSv1.0), TLSv1.1, TLSv1.2             |
+-----------+-----------------------------------------+
| OpenSSL   | (TLSv1.0), TLSv1.1, TLSv1.2, TLSv1.3    |
+-----------+-----------------------------------------+
| LibreSSL  | (TLSv1.0), TLSv1.1, TLSv1.2, TLSv1.3    |
+-----------+-----------------------------------------+
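#
# MDEV-6975 Implement TLS protocol
#
# Exercise the server-side REQUIRE CIPHER check against the cipher suite
# the client actually negotiates, once with the client pinned to TLSv1.2
# and once with the client allowed TLSv1.0-TLSv1.2.
#
# "SSLv3 ciphers" below refers to the OpenSSL cipher-list keyword SSLv3
# (the suites introduced with SSLv3, e.g. AES128-SHA, which are still
# negotiable under TLSv1.0-1.2). The SSLv3 *protocol* is never enabled
# here: --tls-version only ever lists TLSv1.x values.
#
source include/have_ssl_communication.inc;
source include/require_openssl_client.inc;

# this is OpenSSL test: the suite names and the SSLv3/TLSv1.2 keywords
# passed to --ssl-cipher are OpenSSL cipher-list syntax.

# One account bound to an SSLv3-era suite and one bound to a TLSv1.2-only
# suite. A login whose negotiated suite differs from the one required by
# the GRANT is expected to be refused by the server.
create user ssl_sslv3@localhost;
grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA";
create user ssl_tls12@localhost;
grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";

# Client command: present the test client certificate and report the
# negotiated cipher. stderr is merged into stdout so a refused connection
# is recorded in the result as the server's error message.
let $mysql=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1;

# Several of the connections below are meant to fail; keep going and
# record the outcome instead of aborting the test on the first one.
disable_abort_on_error;
echo TLS1.2 ciphers: user is ok with any cipher;
exec $mysql --tls-version=TLSv1.2 --ssl-cipher=AES128-SHA256;
# Which suite wins from the TLSv1.2 list differs between OpenSSL builds;
# fold the known variants onto one name so the result file stays stable.
--replace_result DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384
exec $mysql --tls-version=TLSv1.2 --ssl-cipher=TLSv1.2;
echo TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA;
# Neither connection can negotiate AES128-SHA, so the REQUIRE CIPHER
# check should reject both.
exec $mysql --user ssl_sslv3 --tls-version=TLSv1.2 --ssl-cipher=AES128-SHA256;
exec $mysql --user ssl_sslv3 --tls-version=TLSv1.2 --ssl-cipher=TLSv1.2;
echo TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
exec $mysql --user ssl_tls12 --tls-version=TLSv1.2 --ssl-cipher=AES128-SHA256;
exec $mysql --user ssl_tls12 --tls-version=TLSv1.2 --ssl-cipher=TLSv1.2;

echo SSLv3 ciphers: user is ok with any cipher;
exec $mysql --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=AES256-SHA;
exec $mysql --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=SSLv3;
echo SSLv3 ciphers: user requires SSLv3 cipher AES128-SHA;
exec $mysql --user ssl_sslv3 --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=AES128-SHA;
exec $mysql --user ssl_sslv3 --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=SSLv3;
echo SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
# The SSLv3 keyword excludes the TLSv1.2-only suites, so this account
# should be refused on both connections.
exec $mysql --user ssl_tls12 --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=AES128-SHA;
exec $mysql --user ssl_tls12 --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=SSLv3;

# Restore the default before cleanup so a failing DROP USER is reported
# rather than silently ignored.
enable_abort_on_error;
drop user ssl_sslv3@localhost;
drop user ssl_tls12@localhost;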