[MDEV-21881] Feedback plugin still uses a lot of TLS 1.0/1.1
Created: 2020-03-06  Updated: 2020-09-28

Status: Open
Project: MariaDB Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Otto Kekäläinen Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None


 Description   

The feedback plugin site https://mariadb.com/kb/en/feedback-plugin/ still gets a lot of TLS 1.0 and TLS 1.1 traffic, even though those protocols are soon to be deprecated globally.

Are the clients just really old or is MariaDB still shipping TLS 1.0/1.1 in new installations?

We should ensure that at least all new MariaDB installations use TLS 1.2+ for submission of feedback data.

mariadb@mariadb_bd25b5:/data/slog$ tail -n 1 mariadb_*_access.log
mariadb.org 189.207.44.170 - - [06/Mar/2020:00:21:11 +0100] "POST /feedback_plugin/post HTTP/1.0" 302 11 "-" "MariaDB User Feedback Plugin" - "Seravo;sid:1f4a77a2419b1e0b9fc40e03e56db445;sslproto:TLSv1.1;" 0.377
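
Added example (not part of the original report, and not MariaDB project code): one way to answer the "how much legacy TLS" question from the access log is to tally the sslproto tag per feedback-plugin POST. The field layout is inferred from the single log line quoted above, and the LEGACY tag names, sample IPs and sid values are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Layout inferred from the one log line quoted in this issue (an assumption):
# vhost ip - - [time] "request" status bytes "referer" "agent" - "k:v;..." rtime
LINE_RE = re.compile(
    r'^\S+ (?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)" \S+ "(?P<extra>[^"]*)"'
)
FEEDBACK_AGENT = "MariaDB User Feedback Plugin"
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # assumed tag names for anything below TLS 1.2


def parse(line):
    """Return (client_ip, sslproto) for a feedback-plugin POST, else None."""
    m = LINE_RE.match(line)
    if not m or m["agent"] != FEEDBACK_AGENT:
        return None
    if not m["request"].startswith("POST /feedback_plugin/post"):
        return None
    tags = dict(t.split(":", 1) for t in m["extra"].split(";") if ":" in t)
    return m["ip"], tags.get("sslproto", "none")  # "none": no TLS tag logged


def summarize(lines):
    """Count submissions per protocol; collect client IPs still below TLS 1.2."""
    counts, legacy_clients = Counter(), set()
    for ip, proto in filter(None, map(parse, lines)):
        counts[proto] += 1
        if proto in LEGACY:
            legacy_clients.add(ip)
    return counts, legacy_clients


# Constructed sample lines (documentation IP ranges, placeholder sid), not real traffic.
_FMT = ('mariadb.org {} - - [06/Mar/2020:00:21:11 +0100] "{} HTTP/1.0" 302 11 '
        '"-" "{}" - "example;sid:0000;sslproto:{};" 0.377')
SAMPLE = [_FMT.format(*row) for row in [
    ("192.0.2.10", "POST /feedback_plugin/post", FEEDBACK_AGENT, "TLSv1.1"),
    ("192.0.2.11", "POST /feedback_plugin/post", FEEDBACK_AGENT, "TLSv1.2"),
    ("198.51.100.7", "POST /feedback_plugin/post", FEEDBACK_AGENT, "TLSv1"),
    ("192.0.2.10", "POST /feedback_plugin/post", FEEDBACK_AGENT, "TLSv1.1"),
    ("203.0.113.5", "GET /", "Mozilla/5.0", "TLSv1.3"),  # not the plugin: skipped
    ("203.0.113.9", "POST /feedback_plugin/post", FEEDBACK_AGENT, "TLSv1.3"),
]]

if __name__ == "__main__":
    counts, legacy = summarize(SAMPLE)
    print(dict(counts), sorted(legacy))
```

Counting distinct client IPs next to raw request counts separates "a few old hosts posting often" from "many installations on legacy TLS", which is the distinction the report asks about.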



 Comments   
Comment by Daniel Black [ 2020-06-19 ]

related: MDEV-22658

10.1, 10.2, 10.3 with bundled SSL is limited to TLS-1.1

10.1 cannot build with newer system ssl versions so is limited to bundled
10.2 can compile with newer openssl which defaults to TLS-1.3

10.4+ bundled ssl (wolfssl defaults to TLS-1.2) and TLS-1.3 once I finish MDEV-22221

Comment by Otto Kekäläinen [ 2020-09-28 ]

MariaDB 10.5 as installed from MariaDB.org can do TLSv1.3:

# mariadb --version
mariadb  Ver 15.1 Distrib 10.5.6-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
 
# mariadb -Bse 'SHOW SESSION STATUS' | grep -i -e Ssl_cipher -e Ssl_version
Ssl_cipher	TLS_AES_256_GCM_SHA384
Ssl_cipher_list	TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA
Ssl_version	TLSv1.3
