[MDEV-31369] Disable TLS v1.0 and 1.1 for MariaDB Created: 2023-05-30 Updated: 2023-09-14 Resolved: 2023-09-13 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | SSL |
| Affects Version/s: | None |
| Fix Version/s: | 10.4.32, 10.5.23, 10.6.16, 10.10.7, 10.11.6, 11.0.4, 11.1.3 |
| Type: | Bug | Priority: | Minor |
| Reporter: | Tingyao Nian | Assignee: | Daniel Black |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | Papercut, beginner-friendly | ||
| Description |
|
The TLS versions 1.0 (defined in 1999) and 1.1 (defined in 2006) are insecure and nobody should be using them anymore. Should MariaDB also start planning on deprecating and disabling these two protocols when connecting to the server? Currently TLS1.0 and TLS1.1 are still allowed via the server parameter https://mariadb.com/kb/en/ssltls-system-variables/#tls_version |
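A check for the setting this ticket is about, as an added example (not part of the ticket or of MariaDB's code): it scans option-file text for a `tls_version` line in a server group that still lists TLSv1.0 or TLSv1.1. The set of group names, the function name, and the sample file with its paths are assumptions constructed for illustration.

```python
import re

# Protocol names this ticket proposes to retire.
DEPRECATED = ("TLSv1.0", "TLSv1.1")
# Assumption: option-file groups the server reads in a typical install.
SERVER_GROUPS = {"mysqld", "mariadb", "mariadbd", "server"}

# Constructed sample option file; paths and values are illustrative only.
SAMPLE = """\
[client]
ssl-ca = /etc/mysql/ca.pem

[mariadb]
ssl_cert = /etc/mysql/server-cert.pem
# legacy clients still need the old protocols
tls_version = TLSv1.0,TLSv1.1,TLSv1.2,TLSv1.3

[mysqld]
loose-tls-version = TLSv1.2,TLSv1.3
"""

def audit_tls_version(text):
    """Return (line_no, group, deprecated_protocols) per risky server setting."""
    findings, group = [], None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;!":
            continue  # blank line, comment, or !include directive
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            group = header.group(1).strip().lower()
            continue
        if group not in SERVER_GROUPS or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Option files treat '-' and '_' alike and accept a 'loose-' prefix.
        key = key.strip().lower().replace("-", "_")
        key = key[len("loose_"):] if key.startswith("loose_") else key
        if key != "tls_version":
            continue
        value = value.split("#", 1)[0].strip().strip("'\"")
        enabled = {p.strip().lower() for p in value.split(",")}
        bad = [d for d in DEPRECATED if d.lower() in enabled]
        if bad:
            findings.append((line_no, group, bad))
    return findings

if __name__ == "__main__":
    for line_no, group, bad in audit_tls_version(SAMPLE):
        print(f"line {line_no} [{group}]: tls_version enables {', '.join(bad)}")
```

A file with no `tls_version` line produces no findings here; in that case the protocols in effect are the server's built-in default for its version, which this script does not inspect.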
| Comments |
| Comment by Daniel Black [ 2023-05-31 ] |
|
Sure, do you want to do an 11.2 PR to take away TLSv1.1 from the default for a start? Additionally, setting it to include TLSv1.[0,1] could generate a warning. |
| Comment by Tingyao Nian [ 2023-06-01 ] |
|
Hi Daniel. For sure, I'd like to do a PR for this. |
| Comment by Daniel Black [ 2023-07-06 ] |
|
Thanks for the offer to do a PR. I suspect you ran out of time so I did one - https://github.com/MariaDB/server/pull/2688 Hope you get time next time. |
| Comment by Sergei Golubchik [ 2023-07-21 ] |
|
There are two PRs, which one should be reviewed and which one should be closed? |
| Comment by Daniel Black [ 2023-07-21 ] |
|
I'm still preferring mine on 2688 as it:
If you like the tests in 2695 (targeting 10.4 I think is wrong), I could pick that for 11.1/11.2 also. |