[MDEV-19542] Disable SSLv3 and TLSv1.0 Created: 2019-05-21  Updated: 2019-12-23  Resolved: 2019-09-14

Status: Closed
Project: MariaDB Server
Component/s: SSL
Fix Version/s: 10.4.6

Type: Task Priority: Major
Reporter: Geoff Montee (Inactive) Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Blocks
is blocked by MDEV-14101 Provide option to select TLS protocol... Closed
is blocked by MDEV-18531 Use WolfSSL instead of YaSSL as "bund... Closed
Relates
relates to CONC-403 Disable TLS v1.0 Open
relates to MDEV-6975 Implement TLS protocol Closed
relates to MDEV-8970 Add support for for TLSv1.1 and TLSv... Closed

Description

The latest PCI DSS Requirements recommend only using TLSv1.1 and above.

MariaDB does not follow these recommendations. It looks like MariaDB can still use SSLv3 and TLSv1.0 if the server is linked with yaSSL, and MariaDB still uses TLSv1.0 if the server is linked with OpenSSL.

Should we disable support for SSLv3 and TLSv1.0?

yaSSL only supports up to TLSv1.1, so we would probably need to replace yaSSL before we can do this. See MDEV-18531 about that.

If we make this change, then we should also update the documentation:

https://mariadb.com/kb/en/library/secure-connections-overview/#tls-protocol-version-support



Comments
Comment by Geoff Montee (Inactive) [ 2019-09-12 ]

The default value of tls_version in 10.4.6 and later is "TLSv1.1,TLSv1.2,TLSv1.3". This was implemented in MDEV-14101.

https://mariadb.com/kb/en/library/ssltls-system-variables/#tls_version

Should this Jira be closed with "Fix Version/s" set to 10.4.6?
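Added example (not code from this issue or from the MariaDB project): a small probe that checks from the outside which TLS protocol versions a MariaDB server actually negotiates, which is the check a practitioner wants after changing tls_version, since the server variable only states policy. It speaks enough of the MySQL/MariaDB wire protocol to read the server greeting, send the SSLRequest packet that switches the connection to TLS, and then attempt a handshake pinned to one protocol version at a time. The host and port (default 127.0.0.1:3306), the capability flag values used in the SSLRequest, and the allow-list in weak_protocols (defaulting to the 10.4.6 value "TLSv1.1,TLSv1.2,TLSv1.3" quoted in the comment above) are assumptions for the demo; the greeting packet used for offline checking is constructed, not captured.

```python
import socket
import ssl
import sys

# MySQL/MariaDB client capability flags (lower 16 bits of the 32-bit field).
CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SSL = 0x0800
CLIENT_SECURE_CONNECTION = 0x8000

# MariaDB tls_version names mapped to the versions this client can pin.
PROBE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def weak_protocols(tls_version_value, allowed=("TLSv1.1", "TLSv1.2", "TLSv1.3")):
    """Entries of a tls_version setting that fall outside the allow-list.

    Default allow-list is the 10.4.6 default (an assumption for this demo);
    pass ("TLSv1.2", "TLSv1.3") for a stricter policy.
    """
    entries = [v.strip() for v in tls_version_value.split(",") if v.strip()]
    return [v for v in entries if v not in allowed]


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        buf += chunk
    return buf


def read_packet(sock):
    """One wire packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    header = recv_exact(sock, 4)
    return recv_exact(sock, int.from_bytes(header[:3], "little"))


def server_capabilities(greeting):
    """32-bit capability flags from an initial handshake (protocol 10) payload."""
    if greeting[0] == 0xFF:
        raise RuntimeError("server sent an error packet instead of a greeting")
    if greeting[0] != 0x0A:
        raise ValueError("unsupported handshake protocol version %d" % greeting[0])
    version_end = greeting.index(b"\x00", 1)
    # skip: version NUL, 4-byte connection id, 8-byte auth data part 1, 1-byte filler
    pos = version_end + 1 + 4 + 8 + 1
    lower = int.from_bytes(greeting[pos:pos + 2], "little")
    # after caps lower (2): charset (1), status flags (2), then caps upper (2)
    upper = int.from_bytes(greeting[pos + 5:pos + 7], "little")
    return lower | (upper << 16)


def build_ssl_request(max_packet=16 * 1024 * 1024, charset=45):
    """SSLRequest packet: caps (4) + max packet (4) + charset (1) + 23 zero bytes."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION
    body = (caps.to_bytes(4, "little") + max_packet.to_bytes(4, "little")
            + bytes([charset]) + b"\x00" * 23)
    return len(body).to_bytes(3, "little") + b"\x01" + body  # sequence id 1


def probe_tls_version(host, port, version, timeout=5.0):
    """Negotiated protocol name if the server accepts exactly `version`, else None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # we test the protocol version, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if not server_capabilities(read_packet(raw)) & CLIENT_SSL:
            raise RuntimeError("server does not offer TLS at all")
        raw.sendall(build_ssl_request())
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
        except OSError:
            # Server refused the version, or the local OpenSSL would not offer it
            # (TLS 1.0/1.1 are often disabled client-side by the default security level).
            return None


def probe_all(host, port):
    return {name: probe_tls_version(host, port, v) for name, v in PROBE_VERSIONS.items()}


def constructed_greeting(offer_tls=True):
    """Constructed (not captured) 10.4-style greeting payload for offline checks."""
    caps_lower = 0xFFFF if offer_tls else (0xFFFF & ~CLIENT_SSL)
    return (b"\x0a" + b"10.4.6-MariaDB\x00"
            + (7).to_bytes(4, "little")          # connection id
            + b"abcdefgh" + b"\x00"               # auth data part 1, filler
            + caps_lower.to_bytes(2, "little")
            + b"\x2d"                             # charset utf8mb4_general_ci
            + (2).to_bytes(2, "little")           # status: SERVER_STATUS_AUTOCOMMIT
            + (0x81FF).to_bytes(2, "little")      # capability flags, upper half
            + b"\x15" + b"\x00" * 10              # auth data length, reserved
            + b"ijklmnopqrs\x00"                  # auth data part 2
            + b"mysql_native_password\x00")


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 3306
    for name, got in probe_all(host, port).items():
        print("%-8s %s" % (name, "accepted (%s)" % got if got else "rejected"))
```

Run it as `python3 probe.py <host> <port>` against a server before and after setting tls_version; a "rejected" line for TLSv1.0 confirms the server side, while `SHOW GLOBAL VARIABLES LIKE 'tls_version'` only shows what was configured. Because the probe pins both minimum_version and maximum_version, each connection offers exactly one protocol, so a server that silently falls back to a newer version cannot mask an accepted TLSv1.0. Note the caveat in the except branch: a client-side OpenSSL that refuses to offer TLS 1.0 at all reports "rejected" regardless of what the server allows.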

Comment by Sergei Golubchik [ 2019-09-14 ]

Yes, thanks!

Generated at Thu Feb 08 08:52:29 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.