  1. MariaDB Server
  2. MDEV-19542

Disable SSLv3 and TLSv1.0 by default

Details

    • Task
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 10.4.6
    • SSL
    • None

    Description

      The latest PCI DSS Requirements recommend only using TLSv1.1 and above.

      MariaDB does not follow these recommendations. It looks like MariaDB can still use SSLv3 and TLSv1.0 if the server is linked with yaSSL, and MariaDB still uses TLSv1.0 if the server is linked with OpenSSL.

      Should we disable support for SSLv3 and TLSv1.0?

      yaSSL only supports up to TLSv1.1, so we would probably need to replace yaSSL before we can do this. See MDEV-18531 about that.

      If we make this change, then we should also update the documentation:

      https://mariadb.com/kb/en/library/secure-connections-overview/#tls-protocol-version-support

          Activity

            GeoffMontee Geoff Montee (Inactive) added a comment -

            The default value of tls_version in 10.4.6 and later is "TLSv1.1,TLSv1.2,TLSv1.3". This was implemented in MDEV-14101.

            https://mariadb.com/kb/en/library/ssltls-system-variables/#tls_version

            Should this Jira be closed with "Fix Version/s" set to 10.4.6?

            serg Sergei Golubchik added a comment - Yes, thanks!
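
An added example, not part of the issue or of MariaDB's code: a small audit that reads option-file text, works out the effective tls_version (falling back to the 10.4.6 default quoted above when it is unset), and reports any protocol this issue wants disabled. The server group names and both sample option files are assumptions constructed for illustration.

```python
import re

# Default quoted in the comment above; applies to 10.4.6 and later only.
DEFAULT_TLS_VERSION = "TLSv1.1,TLSv1.2,TLSv1.3"
# Protocols this issue proposes to disable.
DISALLOWED = {"SSLv3", "TLSv1.0"}
# Assumption: option groups the server reads; adjust for your deployment.
SERVER_GROUPS = {"mysqld", "server", "mariadb", "mariadbd"}


def effective_tls_version(option_text):
    """Return the last tls_version set in a server group, or the default."""
    value, group = DEFAULT_TLS_VERSION, None
    for raw in option_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            group = header.group(1).strip().lower()
            continue
        if group not in SERVER_GROUPS or "=" not in line:
            continue
        key, _, val = line.partition("=")
        # Option files accept dashes and underscores interchangeably.
        if key.strip().lower().replace("-", "_") == "tls_version":
            value = val.split("#", 1)[0].strip().strip("\"'")
    return value


def weak_protocols(tls_version):
    """List the enabled protocols that the issue wants disabled."""
    enabled = [p.strip() for p in tls_version.split(",") if p.strip()]
    return [p for p in enabled if p in DISALLOWED]


# Constructed sample option files.
LEGACY = """
[client]
tls_version = TLSv1.0
[mariadb]
tls-version = TLSv1.0,TLSv1.1,TLSv1.2
"""
UNSET = "[mysqld]\nssl_cert = /path/to/cert.pem\n"

if __name__ == "__main__":
    for name, text in (("legacy", LEGACY), ("unset", UNSET)):
        tv = effective_tls_version(text)
        print(name, tv, weak_protocols(tv) or "ok")
```

The [client] setting in the first sample is ignored on purpose, since it does not change what the server accepts.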

            People

              serg Sergei Golubchik
              GeoffMontee Geoff Montee (Inactive)