[MDEV-19542] Disable SSLv3 and TLSv1.0 by default - Jira

XML

Word

Printable

Details

Type: Task
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Fix Version/s: 10.4.6
Component/s: SSL
Labels:
None

Description

The latest PCI DSS Requirements recommend only using TLSv1.1 and above.

MariaDB does not follow these recommendations. It looks like MariaDB can still use SSLv3 and TLSv1.0 if the server is linked with yaSSL, and MariaDB still use TLSv1.0 if the server is linked with OpenSSL.

Should we disable support for SSLv3 and TLSv1.0?

yaSSL only supports up to TLSv1.1, so we would probably need to replace yaSSL before we can do this. See ~~MDEV-18531~~ about that.

If we make this change, then we should also update the documentation:

https://mariadb.com/kb/en/library/secure-connections-overview/#tls-protocol-version-support

Attachments

Issue Links

is blocked by

MDEV-14101 Provide option to select TLS protocol version

Closed

MDEV-18531 Use WolfSSL instead of YaSSL as "bundled" SSL

Closed

relates to

CONC-403 Disable TLS v1.0

Open

MDEV-6975 Implement TLS protocol

Closed

MDEV-8970 Add support for for TLSv1.1 and TLSv1.2

Closed

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Geoff Montee (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2019-05-21 22:55

Updated:: 2024-02-19 14:04

Resolved:: 2019-09-14 13:20

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.