MDEV-14101: Provide option to specify tls_version for client tools

client/client_priv.h

@@ -98,6 +98,7 @@ enum options_client
   OPT_REPORT_PROGRESS,
   OPT_SKIP_ANNOTATE_ROWS_EVENTS,
   OPT_SSL_CRL, OPT_SSL_CRLPATH,
+  OPT_TLS_VERSION,
   OPT_MAX_CLIENT_OPTION /* should be always the last */
 };
 

client/mysql.cc

@@ -1369,6 +1369,7 @@ static bool do_connect(MYSQL *mysql, const char *host, const char *user,
 		  opt_ssl_capath, opt_ssl_cipher);
     mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
     mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
+    mysql_options(mysql, MARIADB_OPT_TLS_VERSION, (void *)opt_tls_version);
   }
   mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
                 (char*)&opt_ssl_verify_server_cert);

client/mysqladmin.cc

@@ -361,6 +361,7 @@ int main(int argc,char *argv[])
 		  opt_ssl_capath, opt_ssl_cipher);
     mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
     mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
+    mysql_options(&mysql, MARIADB_OPT_TLS_VERSION, (void *)opt_tls_version);
   }
   mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
                 (char*)&opt_ssl_verify_server_cert);

client/mysqlbinlog.cc

@@ -2082,6 +2082,7 @@ static Exit_status safe_connect()
                   opt_ssl_capath, opt_ssl_cipher);
     mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
     mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
+    mysql_options(mysql, MARIADB_OPT_TLS_VERSION, (void *)opt_tls_version);
   }
   mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
                 (char*)&opt_ssl_verify_server_cert);

client/mysqldump.c

@@ -1686,6 +1686,7 @@ static int connect_to_db(char *host, char *user,char *passwd)
                   opt_ssl_capath, opt_ssl_cipher);
     mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
     mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
+    mysql_options(&mysql_connection, MARIADB_OPT_TLS_VERSION, (void *)opt_tls_version);
   }
   mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
                 (char*)&opt_ssl_verify_server_cert);

client/mysqlimport.c

@@ -452,6 +452,7 @@ static MYSQL *db_connect(char *host, char *database,
 		  opt_ssl_capath, opt_ssl_cipher);
     mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
     mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
+    mysql_options(mysql, MARIADB_OPT_TLS_VERSION, (void *)opt_tls_version);
   }
   mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
                 (char*)&opt_ssl_verify_server_cert);

client/mysqlshow.c

@@ -125,6 +125,7 @@ int main(int argc, char **argv)
 		  opt_ssl_capath, opt_ssl_cipher);
     mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
     mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
+    mysql_options(&mysql, MARIADB_OPT_TLS_VERSION, (void *)opt_tls_version);
   }
   mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
                 (char*)&opt_ssl_verify_server_cert);

client/mysqltest.cc

@@ -6102,6 +6102,7 @@ void do_connect(struct st_command *command)
 		  opt_ssl_capath, ssl_cipher ? ssl_cipher : opt_ssl_cipher);
     mysql_options(con_slot->mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
     mysql_options(con_slot->mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
+    mysql_options(con_slot->mysql, MARIADB_OPT_TLS_VERSION, (void *)opt_tls_version);
 #if MYSQL_VERSION_ID >= 50000
     /* Turn on ssl_verify_server_cert only if host is "localhost" */
     opt_ssl_verify_server_cert= !strcmp(ds_host.str, "localhost");

extra/mariabackup/xtrabackup.cc

@@ -199,6 +199,7 @@ static char*	log_ignored_opt;
 
 
 extern my_bool opt_use_ssl;
+extern const char *opt_tls_version;
 my_bool opt_ssl_verify_server_cert;
 
 /* === metadata of backup === */
@@ -838,6 +839,7 @@ enum options_xtrabackup
   OPT_BACKUP_ROCKSDB
 };
 
+
 struct my_option xb_client_options[] =
 {
   {"verbose", 'V', "display verbose output",

include/sslopt-longopts.h

@@ -46,6 +46,11 @@
     "Certificate revocation list path (implies --ssl).",
    &opt_ssl_crlpath, &opt_ssl_crlpath, 0, GET_STR, REQUIRED_ARG,
    0, 0, 0, 0, 0, 0},
+  {"tls-version", OPT_TLS_VERSION,
+    "TLS protocol version for secure connection.",
+   &opt_tls_version, &opt_tls_version, 0, GET_STR, REQUIRED_ARG,
+   0, 0, 0, 0, 0, 0}, 
+
 #ifdef MYSQL_CLIENT
   {"ssl-verify-server-cert", OPT_SSL_VERIFY_SERVER_CERT,
    "Verify server's \"Common Name\" in its cert against hostname used "

include/sslopt-vars.h

@@ -30,6 +30,7 @@ SSL_STATIC char *opt_ssl_cipher  = 0;
 SSL_STATIC char *opt_ssl_key     = 0;
 SSL_STATIC char *opt_ssl_crl     = 0;
 SSL_STATIC char *opt_ssl_crlpath = 0;
+SSL_STATIC char *opt_tls_version = 0;
 #ifdef MYSQL_CLIENT
 SSL_STATIC my_bool opt_ssl_verify_server_cert= 0;
 #endif

include/violite.h

@@ -51,6 +51,11 @@ enum enum_vio_io_event
   VIO_IO_EVENT_CONNECT
 };
 
+#define VIO_TLSv1_0   1
+#define VIO_TLSv1_1   2
+#define VIO_TLSv1_2   4
+#define VIO_TLSv1_3   8
+
 #define VIO_LOCALHOST 1U                        /* a localhost connection */
 #define VIO_BUFFERED_READ 2U                    /* use buffered read */
 #define VIO_READ_BUFFER_SIZE 16384U             /* size of read buffer */
@@ -143,7 +148,8 @@ enum enum_ssl_init_error
 {
   SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY,
   SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS,
-  SSL_INITERR_MEMFAIL, SSL_INITERR_DH, SSL_INITERR_LASTERR
+  SSL_INITERR_MEMFAIL, SSL_INITERR_DH, SSL_INITERR_PROTOCOL,
+  SSL_INITERR_LASTERR
 };
 const char* sslGetErrString(enum enum_ssl_init_error err);
 
@@ -162,9 +168,10 @@ struct st_VioSSLFd
                        const char *crl_file, const char *crl_path);
 struct st_VioSSLFd
 *new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
-		      const char *ca_file,const char *ca_path,
-		      const char *cipher, enum enum_ssl_init_error *error,
-                      const char *crl_file, const char *crl_path);
+                      const char *ca_file,const char *ca_path,
+                      const char *cipher, enum enum_ssl_init_error *error,
+                      const char *crl_file, const char *crl_path,
+		                  long tls_version);
 void free_vio_ssl_acceptor_fd(struct st_VioSSLFd *fd);
 #endif /* HAVE_OPENSSL */
 

mysql-test/r/mysqld--help.result

@@ -1169,6 +1169,8 @@ The following specify which files/extra groups are read (specified before remain
  --time-format=name  The TIME format (ignored)
  --timed-mutexes     Specify whether to time mutexes. Deprecated, has no
  effect.
+ --tls-version=name  TLS protocol version for secure connections.. Any
+ combination of: TLSv1.0, TLSv1.1
  --tmp-disk-table-size=# 
  Max size for data for an internal temporary on-disk
  MyISAM or Aria table.

mysql-test/r/ssl_cipher.result

@@ -2,11 +2,15 @@
 # BUG#11760210 - SSL_CIPHER_LIST NOT SET OR RETURNED FOR "SHOW STATUS LIKE 'SSL_CIPHER_LIST'"
 #
 connect  ssl_con,localhost,root,,,,,SSL;
-SHOW STATUS LIKE 'Ssl_cipher';
-Variable_name	Value
-Ssl_cipher	AES128-SHA
-SHOW STATUS LIKE 'Ssl_cipher_list';
-Variable_name	Value
-Ssl_cipher_list	AES128-SHA
+select variable_value into @a from information_schema.session_status where variable_name like 'SSL_CIPHER';
+select length(@a) > 0;
+length(@a) > 0
+1
+select length(VARIABLE_VALUE) > 0  from information_schema.session_status where variable_name like 'SSL_CIPHER_LIST';
+length(VARIABLE_VALUE) > 0
+1
+select position(@a in VARIABLE_VALUE) > 0  from information_schema.session_status where variable_name like 'SSL_CIPHER_LIST';
+position(@a in VARIABLE_VALUE) > 0
+1
 connection default;
 disconnect ssl_con;

mysql-test/t/mysqld--help.test

@@ -23,7 +23,7 @@ perl;
                log-slow-queries pid-file slow-query-log-file log-basename
                datadir slave-load-tmpdir tmpdir socket thread-pool-size
                large-files-support lower-case-file-system system-time-zone
-               collation-server character-set-server log-tc-size version.*/;
+               collation-server character-set-server log-tc-size tls-version version.*/;
 
   # Plugins which may or may not be there:
   @plugins=qw/innodb archive blackhole federated partition
@@ -54,6 +54,9 @@ perl;
     $skip=1 if / --($re2)\b/;
     y!\\!/!;
     s/[ ]+/ /; # squeeze spaces to remove table formatting
+    # fix tls_version
+    s/, TLSv1.2//;
+    s/, TLSv1.3//;
     # fixes for 32-bit
     s/\b4294967295\b/18446744073709551615/;
     s/\b2146435072\b/9223372036853727232/;

mysql-test/t/openssl_6975.test

@@ -18,25 +18,25 @@ let $mysql=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$
 
 disable_abort_on_error;
 echo TLS1.2 ciphers: user is ok with any cipher;
-exec $mysql                  --ssl-cipher=AES128-SHA256;
+exec $mysql --tls-version=TLSv1.2 --ssl-cipher=AES128-SHA256;
 --replace_result DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384
-exec $mysql                  --ssl-cipher=TLSv1.2;
+exec $mysql --tls-version=TLSv1.2 --ssl-cipher=TLSv1.2;
 echo TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA;
-exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA256;
-exec $mysql --user ssl_sslv3 --ssl-cipher=TLSv1.2;
+exec $mysql --user ssl_sslv3 --tls-version=TLSv1.2 --ssl-cipher=AES128-SHA256;
+exec $mysql --user ssl_sslv3 --tls-version=TLSv1.2 --ssl-cipher=TLSv1.2;
 echo TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
-exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA256;
-exec $mysql --user ssl_tls12 --ssl-cipher=TLSv1.2;
+exec $mysql --user ssl_tls12 --tls-version=TLSv1.2 --ssl-cipher=AES128-SHA256;
+exec $mysql --user ssl_tls12 --tls-version=TLSv1.2 --ssl-cipher=TLSv1.2;
 
 echo SSLv3 ciphers: user is ok with any cipher;
-exec $mysql                  --ssl-cipher=AES256-SHA;
-exec $mysql                  --ssl-cipher=SSLv3;
+exec $mysql --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=AES256-SHA;
+exec $mysql --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=SSLv3;
 echo SSLv3 ciphers: user requires SSLv3 cipher AES128-SHA;
-exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA;
-exec $mysql --user ssl_sslv3 --ssl-cipher=SSLv3;
+exec $mysql --user ssl_sslv3 --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=AES128-SHA;
+exec $mysql --user ssl_sslv3 --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=SSLv3;
 echo SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
-exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA;
-exec $mysql --user ssl_tls12 --ssl-cipher=SSLv3;
+exec $mysql --user ssl_tls12 --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=AES128-SHA;
+exec $mysql --user ssl_tls12 --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=SSLv3;
 
 drop user ssl_sslv3@localhost;
 drop user ssl_tls12@localhost;

mysql-test/t/ssl.test

@@ -34,7 +34,7 @@ disconnect ssl_con;
 
 create user mysqltest_1@localhost;
 grant usage on mysqltest.* to mysqltest_1@localhost require cipher "AES256-SHA";
---exec $MYSQL -umysqltest_1 --ssl-cipher=AES256-SHA -e "show status like 'ssl_cipher'" 2>&1
+--exec $MYSQL -umysqltest_1 --tls_version=TLSv1.2 --ssl-cipher=AES256-SHA -e "show status like 'ssl_cipher'" 2>&1
 drop user mysqltest_1@localhost;
 
 # Wait till all disconnects are completed

mysql-test/t/ssl_cert_verify.test

@@ -30,7 +30,7 @@ let $ssl_verify_pass_path = --ssl --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-veri
 --enable_reconnect
 --source include/wait_until_connected_again.inc
 
---replace_result TLSv1.2 TLS_VERSION TLSv1.1 TLS_VERSION TLSv1 TLS_VERSION
+--replace_result TLSv1.3 TLS_VERSION TLSv1.2 TLS_VERSION TLSv1.1 TLS_VERSION TLSv1 TLS_VERSION
 --exec $MYSQL --protocol=tcp --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-verify.pem --ssl-verify-server-cert -e "SHOW STATUS like 'Ssl_version'"
 
 --echo # restart server using restart

mysql-test/t/ssl_cipher.test

@@ -13,8 +13,13 @@
 connect (ssl_con,localhost,root,,,,,SSL);
 
 # Check Cipher Name and Cipher List
-SHOW STATUS LIKE 'Ssl_cipher';
-SHOW STATUS LIKE 'Ssl_cipher_list';
+select variable_value into @a from information_schema.session_status where variable_name like 'SSL_CIPHER';
+# Check if cipher is empty
+select length(@a) > 0;
+# check if cipher list is empty
+select length(VARIABLE_VALUE) > 0  from information_schema.session_status where variable_name like 'SSL_CIPHER_LIST';
+# check if cipher is in list
+select position(@a in VARIABLE_VALUE) > 0  from information_schema.session_status where variable_name like 'SSL_CIPHER_LIST';
 
 connection default;
 disconnect ssl_con;

sql/mysqld.cc

@@ -1504,8 +1504,8 @@ HANDLE smem_event_connect_request= 0;
 my_bool opt_use_ssl  = 0;
 char *opt_ssl_ca= NULL, *opt_ssl_capath= NULL, *opt_ssl_cert= NULL,
   *opt_ssl_cipher= NULL, *opt_ssl_key= NULL, *opt_ssl_crl= NULL,
-  *opt_ssl_crlpath= NULL;
-
+  *opt_ssl_crlpath= NULL, *opt_tls_version= NULL;
+long tls_version= 0;
 
 static scheduler_functions thread_scheduler_struct, extra_thread_scheduler_struct;
 scheduler_functions *thread_scheduler= &thread_scheduler_struct,
@@ -4865,7 +4865,8 @@ static void init_ssl()
     ssl_acceptor_fd= new_VioSSLAcceptorFd(opt_ssl_key, opt_ssl_cert,
 					  opt_ssl_ca, opt_ssl_capath,
 					  opt_ssl_cipher, &error,
-                                          opt_ssl_crl, opt_ssl_crlpath);
+            opt_ssl_crl, opt_ssl_crlpath,
+					  tls_version);
     DBUG_PRINT("info",("ssl_acceptor_fd: %p", ssl_acceptor_fd));
     if (!ssl_acceptor_fd)
     {
@@ -7922,16 +7923,6 @@ static int show_ssl_ctx_sess_accept_good(THD *thd, SHOW_VAR *var, char *buff,
   return 0;
 }
 
-static int show_ssl_ctx_sess_connect_good(THD *thd, SHOW_VAR *var, char *buff,
-                                          enum enum_var_type scope)
-{
-  var->type= SHOW_LONG;
-  var->value= buff;
-  *((long *)buff)= (!ssl_acceptor_fd ? 0 :
-                     SSL_CTX_sess_connect_good(ssl_acceptor_fd->ssl_context));
-  return 0;
-}
-
 static int show_ssl_ctx_sess_accept_renegotiate(THD *thd, SHOW_VAR *var,
                                                 char *buff,
                                                 enum enum_var_type scope)
@@ -7943,17 +7934,6 @@ static int show_ssl_ctx_sess_accept_renegotiate(THD *thd, SHOW_VAR *var,
   return 0;
 }
 
-static int show_ssl_ctx_sess_connect_renegotiate(THD *thd, SHOW_VAR *var,
-                                                 char *buff,
-                                                 enum enum_var_type scope)
-{
-  var->type= SHOW_LONG;
-  var->value= buff;
-  *((long *)buff)= (!ssl_acceptor_fd ? 0 :
-                     SSL_CTX_sess_connect_renegotiate(ssl_acceptor_fd->ssl_context));
-  return 0;
-}
-
 static int show_ssl_ctx_sess_cb_hits(THD *thd, SHOW_VAR *var, char *buff,
                                      enum enum_var_type scope)
 {
@@ -8014,16 +7994,6 @@ static int show_ssl_ctx_sess_number(THD *thd, SHOW_VAR *var, char *buff,
   return 0;
 }
 
-static int show_ssl_ctx_sess_connect(THD *thd, SHOW_VAR *var, char *buff,
-                                     enum enum_var_type scope)
-{
-  var->type= SHOW_LONG;
-  var->value= buff;
-  *((long *)buff)= (!ssl_acceptor_fd ? 0 :
-                     SSL_CTX_sess_connect(ssl_acceptor_fd->ssl_context));
-  return 0;
-}
-
 static int show_ssl_ctx_sess_get_cache_size(THD *thd, SHOW_VAR *var,
                                             char *buff,
                                             enum enum_var_type scope)
@@ -8035,26 +8005,6 @@ static int show_ssl_ctx_sess_get_cache_size(THD *thd, SHOW_VAR *var,
   return 0;
 }
 
-static int show_ssl_ctx_get_verify_mode(THD *thd, SHOW_VAR *var, char *buff,
-                                        enum enum_var_type scope)
-{
-  var->type= SHOW_LONG;
-  var->value= buff;
-  *((long *)buff)= (!ssl_acceptor_fd ? 0 :
-                     SSL_CTX_get_verify_mode(ssl_acceptor_fd->ssl_context));
-  return 0;
-}
-
-static int show_ssl_ctx_get_verify_depth(THD *thd, SHOW_VAR *var, char *buff,
-                                         enum enum_var_type scope)
-{
-  var->type= SHOW_LONG;
-  var->value= buff;
-  *((long *)buff)= (!ssl_acceptor_fd ? 0 :
-                     SSL_CTX_get_verify_depth(ssl_acceptor_fd->ssl_context));
-  return 0;
-}
-
 static int show_ssl_ctx_get_session_cache_mode(THD *thd, SHOW_VAR *var,
                                                char *buff,
                                                enum enum_var_type scope)
@@ -8542,13 +8492,8 @@ SHOW_VAR status_vars[]= {
   {"Ssl_callback_cache_hits",  (char*) &show_ssl_ctx_sess_cb_hits, SHOW_SIMPLE_FUNC},
   {"Ssl_cipher",               (char*) &show_ssl_get_cipher, SHOW_SIMPLE_FUNC},
   {"Ssl_cipher_list",          (char*) &show_ssl_get_cipher_list, SHOW_SIMPLE_FUNC},
-  {"Ssl_client_connects",      (char*) &show_ssl_ctx_sess_connect, SHOW_SIMPLE_FUNC},
-  {"Ssl_connect_renegotiates", (char*) &show_ssl_ctx_sess_connect_renegotiate, SHOW_SIMPLE_FUNC},
-  {"Ssl_ctx_verify_depth",     (char*) &show_ssl_ctx_get_verify_depth, SHOW_SIMPLE_FUNC},
-  {"Ssl_ctx_verify_mode",      (char*) &show_ssl_ctx_get_verify_mode, SHOW_SIMPLE_FUNC},
   {"Ssl_default_timeout",      (char*) &show_ssl_get_default_timeout, SHOW_SIMPLE_FUNC},
   {"Ssl_finished_accepts",     (char*) &show_ssl_ctx_sess_accept_good, SHOW_SIMPLE_FUNC},
-  {"Ssl_finished_connects",    (char*) &show_ssl_ctx_sess_connect_good, SHOW_SIMPLE_FUNC},
   {"Ssl_server_not_after",     (char*) &show_ssl_get_server_not_after, SHOW_SIMPLE_FUNC},
   {"Ssl_server_not_before",    (char*) &show_ssl_get_server_not_before, SHOW_SIMPLE_FUNC},
   {"Ssl_session_cache_hits",   (char*) &show_ssl_ctx_sess_hits, SHOW_SIMPLE_FUNC},

sql/mysqld.h

@@ -588,6 +588,7 @@ extern int32 thread_count, service_thread_count;
 
 extern char *opt_ssl_ca, *opt_ssl_capath, *opt_ssl_cert, *opt_ssl_cipher,
   *opt_ssl_key, *opt_ssl_crl, *opt_ssl_crlpath;
+extern long tls_version;
 
 extern MYSQL_PLUGIN_IMPORT pthread_key(THD*, THR_THD);
 
@@ -650,6 +651,7 @@ enum options_mysqld
   OPT_WSREP_SYNC_WAIT,
 #endif /* WITH_WSREP */
   OPT_MYSQL_COMPATIBILITY,
+  OPT_TLS_VERSION,
   OPT_MYSQL_TO_BE_IMPLEMENTED,
   OPT_which_is_always_the_last
 };

sql/sys_vars.cc

@@ -3198,6 +3198,39 @@ static Sys_var_charptr Sys_ssl_crlpath(
        READ_ONLY GLOBAL_VAR(opt_ssl_crlpath), SSL_OPT(OPT_SSL_CRLPATH),
        IN_FS_CHARSET, DEFAULT(0));
 
+static const char *tls_version_names[]=
+{
+  "TLSv1.0", "TLSv1.1",
+#ifdef TLS1_2_VERSION
+  "TLSv1.2",
+#endif
+#ifdef TLS1_3_VERSION
+  "TLSv1.3",
+#endif
+  0
+};
+
+export bool tls_version_string_representation(THD *thd, sql_mode_t sql_mode,
+                                              LEX_STRING *ls)
+{
+  set_to_string(thd, ls, tls_version, tls_version_names);
+  return ls->str == 0;
+}
+
+static Sys_var_set Sys_tls_version(
+       "tls_version",
+       "TLS protocol version for secure connections.",
+       READ_ONLY GLOBAL_VAR(tls_version), CMD_LINE(REQUIRED_ARG),
+       tls_version_names,
+       DEFAULT(VIO_TLSv1_0 | VIO_TLSv1_1
+#ifdef TLS1_2_VERSION
+               | VIO_TLSv1_2
+#endif
+#ifdef TLS1_3_VERSION
+               | VIO_TLSv1_3
+#endif
+       ));
+
 static Sys_var_mybool Sys_standard_compliant_cte(
        "standard_compliant_cte",
        "Allow only CTEs compliant to SQL standard",

vio/viosslfactories.c

@@ -85,7 +85,8 @@ ssl_error_string[] =
   "SSL_CTX_set_default_verify_paths failed",
   "Failed to set ciphers to use",
   "SSL_CTX_new failed",
-  "SSL_CTX_set_tmp_dh failed"
+  "SSL_CTX_set_tmp_dh failed",
+  "Unknown TLS version"
 };
 
 const char*
@@ -166,21 +167,58 @@ static void check_ssl_init()
   }
 }
 
+static long vio_tls_protocol_options(long tls_version)
+{
+   long tls_protocol_flags=
+#ifdef TLS1_3_VERSION
+    SSL_OP_NO_TLSv1_3 |
+#endif
+#ifdef TLS1_2_VERSION
+    SSL_OP_NO_TLSv1_2 |
+#endif
+    SSL_OP_NO_TLSv1_1 |
+    SSL_OP_NO_TLSv1;
+   long disabled_tls_protocols= tls_protocol_flags,
+        disabled_ssl_protocols= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+
+  if (!tls_version)
+    return disabled_ssl_protocols;
+
+  if (tls_version & VIO_TLSv1_0)
+    disabled_tls_protocols&= ~SSL_OP_NO_TLSv1;
+  if (tls_version & VIO_TLSv1_1)
+    disabled_tls_protocols&= ~SSL_OP_NO_TLSv1_1;
+#ifdef TLS1_2_VERSION
+  if (tls_version & VIO_TLSv1_2)
+    disabled_tls_protocols&= ~SSL_OP_NO_TLSv1_2;
+#endif
+#ifdef TLS1_3_VERSION
+  if (tls_version & VIO_TLSv1_3)
+    disabled_tls_protocols&= ~SSL_OP_NO_TLSv1_3;
+#endif
+
+  /* some garbage was specified in tls_version option */
+  if (tls_protocol_flags == disabled_tls_protocols)
+    return -1;
+  return (disabled_tls_protocols | disabled_ssl_protocols);
+}
+
 /************************ VioSSLFd **********************************/
 static struct st_VioSSLFd *
 new_VioSSLFd(const char *key_file, const char *cert_file,
              const char *ca_file, const char *ca_path,
              const char *cipher, my_bool is_client_method,
              enum enum_ssl_init_error *error,
-             const char *crl_file, const char *crl_path)
+             const char *crl_file, const char *crl_path,
+	           long tls_version)
 {
   DH *dh;
   struct st_VioSSLFd *ssl_fd;
-  long ssl_ctx_options= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+  long ssl_ctx_options;
   DBUG_ENTER("new_VioSSLFd");
   DBUG_PRINT("enter",
              ("key_file: '%s'  cert_file: '%s'  ca_file: '%s'  ca_path: '%s'  "
-              "cipher: '%s' crl_file: '%s' crl_path: '%s' ",
+              "cipher: '%s' crl_file: '%s' crl_path: '%s'",
               key_file ? key_file : "NULL",
               cert_file ? cert_file : "NULL",
               ca_file ? ca_file : "NULL",
@@ -203,6 +241,14 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
     goto err1;
   }
 
+  ssl_ctx_options= vio_tls_protocol_options(tls_version);
+  if (ssl_ctx_options == -1)
+  {
+    *error= SSL_INITERR_PROTOCOL;
+    DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
+    goto err1;
+  }
+
   SSL_CTX_set_options(ssl_fd->ssl_context, ssl_ctx_options);
 
   /*
@@ -317,7 +363,7 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
 
   if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
                              ca_path, cipher, TRUE, error,
-                             crl_file, crl_path)))
+                             crl_file, crl_path, 0)))
   {
     return 0;
   }
@@ -335,13 +381,14 @@ struct st_VioSSLFd *
 new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
 		     const char *ca_file, const char *ca_path,
 		     const char *cipher, enum enum_ssl_init_error* error,
-                     const char *crl_file, const char *crl_path)
+                     const char *crl_file, const char *crl_path,
+		     long tls_version)
 {
   struct st_VioSSLFd *ssl_fd;
   int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
   if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
                              ca_path, cipher, FALSE, error,
-                             crl_file, crl_path)))
+                             crl_file, crl_path, tls_version)))
   {
     return 0;
   }