[MXS-2762] Add support for TLSv1.3 when built with OpenSSL 1.1.1 and later
Created: 2019-11-11  Updated: 2019-11-29  Resolved: 2019-11-28

Status: Closed
Project: MariaDB MaxScale
Component/s: Core
Affects Version/s: 2.3.13, 2.4.2
Fix Version/s: 2.3.15

Type: Task
Priority: Major
Reporter: Geoff Montee (Inactive)
Assignee: markus makela
Resolution: Fixed
Votes: 0
Labels: None

Issue Links:
Relates
relates to MXS-2760: ssl_version value conversion is wrong (Closed)

 Description   

OpenSSL 1.1.1 and later supports TLSv1.3. See here:

https://wiki.openssl.org/index.php/TLS1.3

This version of OpenSSL and its support for TLSv1.3 are included in RHEL 8 and Ubuntu 18.04. See here:

https://www.redhat.com/en/blog/transport-layer-security-version-13-red-hat-enterprise-linux-8

https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1797386

Based on the documentation and the source code, it appears that MaxScale only supports up to TLSv1.2 at the moment:

https://mariadb.com/kb/en/mariadb-maxscale-24-mariadb-maxscale-configuration-guide/#ssl_version

https://github.com/mariadb-corporation/MaxScale/blob/maxscale-2.4.3/server/core/ssl.cc#L41

We should make sure that MaxScale supports TLSv1.3 when it is built with OpenSSL 1.1.1 or later.



 Comments   
Comment by markus makela [ 2019-11-11 ]

With MXS-2760 fixed, the default should use the highest available version, which should default to TLSv1.3. This is possible with ssl_version=MAX, but explicitly requiring it is not yet possible. The OpenSSL manual also advises against forcing TLSv1.3-only connections.
