[MDEV-14101] Provide option to select TLS protocol version
Created: 2017-10-22  Updated: 2023-05-16  Resolved: 2019-06-17

Status: Closed
Project: MariaDB Server
Component/s: SSL
Fix Version/s: 10.4.6

Type: Task
Priority: Blocker
Reporter: Georg Richter
Assignee: Georg Richter
Resolution: Fixed
Votes: 2
Labels: None

Attachments: MDEV-14101.patch, MDEV14101.patch_new, MDEV_14101_10_2.patch
Issue Links:
Blocks
blocks MDEV-15596 10.2 doesn't work with openssl 1.1.1 Closed
blocks MDEV-17184 main.ssl* and main.openssl* tests are... Closed
blocks MDEV-19542 Disable SSLv3 and TLSv1.0 Closed
Relates
relates to MDEV-19475 Add support for OpenSSL configuration... Closed
relates to ODBC-228 Add parameter that corresponds to MAR... Closed
relates to CONC-403 Disable TLS v1.0 Open
relates to MDEV-19847 Update mysqladmin man page Closed

 Description   

Currently it's not possible to run MariaDB with a specific TLS protocol. The option --ssl_cipher=:TLSv1.2 excludes cipher suites < TLSv1.2, but doesn't set the protocol to TLSv1.2 only.

Suggestion:

--tls-version=versions

Valid values are TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 (OpenSSL only) or a combination (separated by comma) of them.
If not specified, default=TLSv1,TLSv1.1,TLSv1.2, TLSv1.3 will be used for OpenSSL, and TLSv1,TLSv1.1 for yaSSL.
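
The value format proposed above, as an added example that is not part of the issue or of MariaDB's code: a parser that turns the comma-separated list into the set of protocol versions to disable. The function names are hypothetical, and mapping the list to OpenSSL's per-version `OP_NO_*` flags (via Python's `ssl` module) is an assumption about one way to enforce it, chosen because a list with a gap cannot be expressed as a single minimum/maximum version.

```python
import ssl

# Version names from the issue text, oldest first, mapped to the ssl module's
# per-protocol "disable" flags (OpenSSL's SSL_OP_NO_* options).
KNOWN = {
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
    "TLSv1.3": ssl.OP_NO_TLSv1_3,
}


def parse_tls_versions(value):
    """Return the enabled versions, oldest first; reject unknown names."""
    enabled = set()
    for token in value.split(","):
        token = token.strip()  # assumption: spaces around commas are tolerated
        if not token:
            continue  # ignore empty items such as a trailing comma
        if token not in KNOWN:
            raise ValueError(f"unknown TLS version: {token!r}")
        enabled.add(token)
    if not enabled:
        raise ValueError("no TLS version enabled")
    return [name for name in KNOWN if name in enabled]


def disable_mask(value):
    """OR together the OP_NO_* flag of every version missing from the list."""
    enabled = parse_tls_versions(value)
    mask = 0
    for name, flag in KNOWN.items():
        if name not in enabled:
            mask |= flag
    return int(mask)


def has_gap(value):
    """True when the list skips a version between its lowest and highest."""
    order = list(KNOWN)
    idx = [order.index(name) for name in parse_tls_versions(value)]
    return idx[-1] - idx[0] + 1 != len(idx)


if __name__ == "__main__":
    # First sample is the OpenSSL default from the issue; the rest are constructed.
    for sample in ("TLSv1,TLSv1.1,TLSv1.2, TLSv1.3", "TLSv1.2,TLSv1.3", "TLSv1,TLSv1.2"):
        print(sample, parse_tls_versions(sample), hex(disable_mask(sample)), has_gap(sample))
```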



 Comments   
Comment by Sergei Golubchik [ 2018-08-20 ]

Georg, I don't seem to be able to find the patch. Where can I see it?

Maybe it can go into an earlier version, but I need to see the patch first.

Comment by Oleksandr Byelkin [ 2018-11-20 ]

Please reassign it when my review is needed; for now you can put your time here.

Comment by Georg Richter [ 2018-11-30 ]

Sanja,

The latest attachment is for 10.2 - it also includes fixes for MDEV-17184.

Comment by Oleksandr Byelkin [ 2018-12-03 ]

OK to push after testing on buildbot

Comment by Geoff Montee (Inactive) [ 2019-03-07 ]

I see that MariaDB Connector/C already supports this.

It looks like the patch for the server was approved too. Is it ready to push, or does more work still need to be done?
