Commit 0513237f authored by Georg Richter's avatar Georg Richter

MDEV-14101: Provide option to specify tls_version for client tools

parent 3728b11f
......@@ -98,6 +98,7 @@ enum options_client
OPT_REPORT_PROGRESS,
OPT_SKIP_ANNOTATE_ROWS_EVENTS,
OPT_SSL_CRL, OPT_SSL_CRLPATH,
OPT_TLS_VERSION,
OPT_MAX_CLIENT_OPTION /* should be always the last */
};
......
......@@ -1369,6 +1369,7 @@ static bool do_connect(MYSQL *mysql, const char *host, const char *user,
opt_ssl_capath, opt_ssl_cipher);
mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
mysql_options(mysql, MARIADB_OPT_TLS_VERSION, (void *)opt_tls_version);
}
mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
......
......@@ -361,6 +361,7 @@ int main(int argc,char *argv[])
opt_ssl_capath, opt_ssl_cipher);
mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
mysql_options(&mysql, MARIADB_OPT_TLS_VERSION, (void *)opt_tls_version);
}
mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
......
......@@ -2082,6 +2082,7 @@ static Exit_status safe_connect()
opt_ssl_capath, opt_ssl_cipher);
mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
mysql_options(mysql, MARIADB_OPT_TLS_VERSION, (void *)opt_tls_version);
}
mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
......
......@@ -1686,6 +1686,7 @@ static int connect_to_db(char *host, char *user,char *passwd)
opt_ssl_capath, opt_ssl_cipher);
mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
mysql_options(&mysql_connection, MARIADB_OPT_TLS_VERSION, (void *)opt_tls_version);
}
mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
......
......@@ -452,6 +452,7 @@ static MYSQL *db_connect(char *host, char *database,
opt_ssl_capath, opt_ssl_cipher);
mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
mysql_options(mysql, MARIADB_OPT_TLS_VERSION, (void *)opt_tls_version);
}
mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
......
......@@ -125,6 +125,7 @@ int main(int argc, char **argv)
opt_ssl_capath, opt_ssl_cipher);
mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
mysql_options(&mysql, MARIADB_OPT_TLS_VERSION, (void *)opt_tls_version);
}
mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
......
......@@ -6102,6 +6102,7 @@ void do_connect(struct st_command *command)
opt_ssl_capath, ssl_cipher ? ssl_cipher : opt_ssl_cipher);
mysql_options(con_slot->mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(con_slot->mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
mysql_options(con_slot->mysql, MARIADB_OPT_TLS_VERSION, (void *)opt_tls_version);
#if MYSQL_VERSION_ID >= 50000
/* Turn on ssl_verify_server_cert only if host is "localhost" */
opt_ssl_verify_server_cert= !strcmp(ds_host.str, "localhost");
......
......@@ -199,6 +199,7 @@ static char* log_ignored_opt;
extern my_bool opt_use_ssl;
extern const char *opt_tls_version;
my_bool opt_ssl_verify_server_cert;
/* === metadata of backup === */
......@@ -838,6 +839,7 @@ enum options_xtrabackup
OPT_BACKUP_ROCKSDB
};
struct my_option xb_client_options[] =
{
{"verbose", 'V', "display verbose output",
......
......@@ -46,6 +46,11 @@
"Certificate revocation list path (implies --ssl).",
&opt_ssl_crlpath, &opt_ssl_crlpath, 0, GET_STR, REQUIRED_ARG,
0, 0, 0, 0, 0, 0},
{"tls-version", OPT_TLS_VERSION,
"TLS protocol version for secure connection.",
&opt_tls_version, &opt_tls_version, 0, GET_STR, REQUIRED_ARG,
0, 0, 0, 0, 0, 0},
#ifdef MYSQL_CLIENT
{"ssl-verify-server-cert", OPT_SSL_VERIFY_SERVER_CERT,
"Verify server's \"Common Name\" in its cert against hostname used "
......
......@@ -30,6 +30,7 @@ SSL_STATIC char *opt_ssl_cipher = 0;
SSL_STATIC char *opt_ssl_key = 0;
SSL_STATIC char *opt_ssl_crl = 0;
SSL_STATIC char *opt_ssl_crlpath = 0;
SSL_STATIC char *opt_tls_version = 0;
#ifdef MYSQL_CLIENT
SSL_STATIC my_bool opt_ssl_verify_server_cert= 0;
#endif
......
......@@ -51,6 +51,11 @@ enum enum_vio_io_event
VIO_IO_EVENT_CONNECT
};
#define VIO_TLSv1_0 1
#define VIO_TLSv1_1 2
#define VIO_TLSv1_2 4
#define VIO_TLSv1_3 8
#define VIO_LOCALHOST 1U /* a localhost connection */
#define VIO_BUFFERED_READ 2U /* use buffered read */
#define VIO_READ_BUFFER_SIZE 16384U /* size of read buffer */
......@@ -143,7 +148,8 @@ enum enum_ssl_init_error
{
SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY,
SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS,
SSL_INITERR_MEMFAIL, SSL_INITERR_DH, SSL_INITERR_LASTERR
SSL_INITERR_MEMFAIL, SSL_INITERR_DH, SSL_INITERR_PROTOCOL,
SSL_INITERR_LASTERR
};
const char* sslGetErrString(enum enum_ssl_init_error err);
......@@ -164,7 +170,8 @@ struct st_VioSSLFd
*new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
const char *ca_file,const char *ca_path,
const char *cipher, enum enum_ssl_init_error *error,
const char *crl_file, const char *crl_path);
const char *crl_file, const char *crl_path,
long tls_version);
void free_vio_ssl_acceptor_fd(struct st_VioSSLFd *fd);
#endif /* HAVE_OPENSSL */
......
......@@ -1169,6 +1169,8 @@ The following specify which files/extra groups are read (specified before remain
--time-format=name The TIME format (ignored)
--timed-mutexes Specify whether to time mutexes. Deprecated, has no
effect.
--tls-version=name TLS protocol version for secure connections.. Any
combination of: TLSv1.0, TLSv1.1
--tmp-disk-table-size=#
Max size for data for an internal temporary on-disk
MyISAM or Aria table.
......
......@@ -2,11 +2,15 @@
# BUG#11760210 - SSL_CIPHER_LIST NOT SET OR RETURNED FOR "SHOW STATUS LIKE 'SSL_CIPHER_LIST'"
#
connect ssl_con,localhost,root,,,,,SSL;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES128-SHA
SHOW STATUS LIKE 'Ssl_cipher_list';
Variable_name Value
Ssl_cipher_list AES128-SHA
select variable_value into @a from information_schema.session_status where variable_name like 'SSL_CIPHER';
select length(@a) > 0;
length(@a) > 0
1
select length(VARIABLE_VALUE) > 0 from information_schema.session_status where variable_name like 'SSL_CIPHER_LIST';
length(VARIABLE_VALUE) > 0
1
select position(@a in VARIABLE_VALUE) > 0 from information_schema.session_status where variable_name like 'SSL_CIPHER_LIST';
position(@a in VARIABLE_VALUE) > 0
1
connection default;
disconnect ssl_con;
......@@ -23,7 +23,7 @@ perl;
log-slow-queries pid-file slow-query-log-file log-basename
datadir slave-load-tmpdir tmpdir socket thread-pool-size
large-files-support lower-case-file-system system-time-zone
collation-server character-set-server log-tc-size version.*/;
collation-server character-set-server log-tc-size tls-version version.*/;
# Plugins which may or may not be there:
@plugins=qw/innodb archive blackhole federated partition
......@@ -54,6 +54,9 @@ perl;
$skip=1 if / --($re2)\b/;
y!\\!/!;
s/[ ]+/ /; # squeeze spaces to remove table formatting
# fix tls_version
s/, TLSv1.2//;
s/, TLSv1.3//;
# fixes for 32-bit
s/\b4294967295\b/18446744073709551615/;
s/\b2146435072\b/9223372036853727232/;
......
......@@ -18,25 +18,25 @@ let $mysql=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$
disable_abort_on_error;
echo TLS1.2 ciphers: user is ok with any cipher;
exec $mysql --ssl-cipher=AES128-SHA256;
exec $mysql --tls-version=TLSv1.2 --ssl-cipher=AES128-SHA256;
--replace_result DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384
exec $mysql --ssl-cipher=TLSv1.2;
exec $mysql --tls-version=TLSv1.2 --ssl-cipher=TLSv1.2;
echo TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA;
exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA256;
exec $mysql --user ssl_sslv3 --ssl-cipher=TLSv1.2;
exec $mysql --user ssl_sslv3 --tls-version=TLSv1.2 --ssl-cipher=AES128-SHA256;
exec $mysql --user ssl_sslv3 --tls-version=TLSv1.2 --ssl-cipher=TLSv1.2;
echo TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA256;
exec $mysql --user ssl_tls12 --ssl-cipher=TLSv1.2;
exec $mysql --user ssl_tls12 --tls-version=TLSv1.2 --ssl-cipher=AES128-SHA256;
exec $mysql --user ssl_tls12 --tls-version=TLSv1.2 --ssl-cipher=TLSv1.2;
echo SSLv3 ciphers: user is ok with any cipher;
exec $mysql --ssl-cipher=AES256-SHA;
exec $mysql --ssl-cipher=SSLv3;
exec $mysql --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=AES256-SHA;
exec $mysql --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=SSLv3;
echo SSLv3 ciphers: user requires SSLv3 cipher AES128-SHA;
exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA;
exec $mysql --user ssl_sslv3 --ssl-cipher=SSLv3;
exec $mysql --user ssl_sslv3 --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=AES128-SHA;
exec $mysql --user ssl_sslv3 --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=SSLv3;
echo SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA;
exec $mysql --user ssl_tls12 --ssl-cipher=SSLv3;
exec $mysql --user ssl_tls12 --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=AES128-SHA;
exec $mysql --user ssl_tls12 --tls-version=TLSv1.0,TLSv1.1,TLSv1.2 --ssl-cipher=SSLv3;
drop user ssl_sslv3@localhost;
drop user ssl_tls12@localhost;
......
......@@ -34,7 +34,7 @@ disconnect ssl_con;
create user mysqltest_1@localhost;
grant usage on mysqltest.* to mysqltest_1@localhost require cipher "AES256-SHA";
--exec $MYSQL -umysqltest_1 --ssl-cipher=AES256-SHA -e "show status like 'ssl_cipher'" 2>&1
--exec $MYSQL -umysqltest_1 --tls_version=TLSv1.2 --ssl-cipher=AES256-SHA -e "show status like 'ssl_cipher'" 2>&1
drop user mysqltest_1@localhost;
# Wait till all disconnects are completed
......
......@@ -30,7 +30,7 @@ let $ssl_verify_pass_path = --ssl --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-veri
--enable_reconnect
--source include/wait_until_connected_again.inc
--replace_result TLSv1.2 TLS_VERSION TLSv1.1 TLS_VERSION TLSv1 TLS_VERSION
--replace_result TLSv1.3 TLS_VERSION TLSv1.2 TLS_VERSION TLSv1.1 TLS_VERSION TLSv1 TLS_VERSION
--exec $MYSQL --protocol=tcp --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-verify.pem --ssl-verify-server-cert -e "SHOW STATUS like 'Ssl_version'"
--echo # restart server using restart
......
......@@ -13,8 +13,13 @@
connect (ssl_con,localhost,root,,,,,SSL);
# Check Cipher Name and Cipher List
SHOW STATUS LIKE 'Ssl_cipher';
SHOW STATUS LIKE 'Ssl_cipher_list';
select variable_value into @a from information_schema.session_status where variable_name like 'SSL_CIPHER';
# Check if cipher is empty
select length(@a) > 0;
# check if cipher list is empty
select length(VARIABLE_VALUE) > 0 from information_schema.session_status where variable_name like 'SSL_CIPHER_LIST';
# check if cipher is in list
select position(@a in VARIABLE_VALUE) > 0 from information_schema.session_status where variable_name like 'SSL_CIPHER_LIST';
connection default;
disconnect ssl_con;
......
......@@ -1504,8 +1504,8 @@ HANDLE smem_event_connect_request= 0;
my_bool opt_use_ssl = 0;
char *opt_ssl_ca= NULL, *opt_ssl_capath= NULL, *opt_ssl_cert= NULL,
*opt_ssl_cipher= NULL, *opt_ssl_key= NULL, *opt_ssl_crl= NULL,
*opt_ssl_crlpath= NULL;
*opt_ssl_crlpath= NULL, *opt_tls_version= NULL;
long tls_version= 0;
static scheduler_functions thread_scheduler_struct, extra_thread_scheduler_struct;
scheduler_functions *thread_scheduler= &thread_scheduler_struct,
......@@ -4865,7 +4865,8 @@ static void init_ssl()
ssl_acceptor_fd= new_VioSSLAcceptorFd(opt_ssl_key, opt_ssl_cert,
opt_ssl_ca, opt_ssl_capath,
opt_ssl_cipher, &error,
opt_ssl_crl, opt_ssl_crlpath);
opt_ssl_crl, opt_ssl_crlpath,
tls_version);
DBUG_PRINT("info",("ssl_acceptor_fd: %p", ssl_acceptor_fd));
if (!ssl_acceptor_fd)
{
......@@ -7922,16 +7923,6 @@ static int show_ssl_ctx_sess_accept_good(THD *thd, SHOW_VAR *var, char *buff,
return 0;
}
static int show_ssl_ctx_sess_connect_good(THD *thd, SHOW_VAR *var, char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_sess_connect_good(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_sess_accept_renegotiate(THD *thd, SHOW_VAR *var,
char *buff,
enum enum_var_type scope)
......@@ -7943,17 +7934,6 @@ static int show_ssl_ctx_sess_accept_renegotiate(THD *thd, SHOW_VAR *var,
return 0;
}
static int show_ssl_ctx_sess_connect_renegotiate(THD *thd, SHOW_VAR *var,
char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_sess_connect_renegotiate(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_sess_cb_hits(THD *thd, SHOW_VAR *var, char *buff,
enum enum_var_type scope)
{
......@@ -8014,16 +7994,6 @@ static int show_ssl_ctx_sess_number(THD *thd, SHOW_VAR *var, char *buff,
return 0;
}
static int show_ssl_ctx_sess_connect(THD *thd, SHOW_VAR *var, char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_sess_connect(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_sess_get_cache_size(THD *thd, SHOW_VAR *var,
char *buff,
enum enum_var_type scope)
......@@ -8035,26 +8005,6 @@ static int show_ssl_ctx_sess_get_cache_size(THD *thd, SHOW_VAR *var,
return 0;
}
static int show_ssl_ctx_get_verify_mode(THD *thd, SHOW_VAR *var, char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_get_verify_mode(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_get_verify_depth(THD *thd, SHOW_VAR *var, char *buff,
enum enum_var_type scope)
{
var->type= SHOW_LONG;
var->value= buff;
*((long *)buff)= (!ssl_acceptor_fd ? 0 :
SSL_CTX_get_verify_depth(ssl_acceptor_fd->ssl_context));
return 0;
}
static int show_ssl_ctx_get_session_cache_mode(THD *thd, SHOW_VAR *var,
char *buff,
enum enum_var_type scope)
......@@ -8542,13 +8492,8 @@ SHOW_VAR status_vars[]= {
{"Ssl_callback_cache_hits", (char*) &show_ssl_ctx_sess_cb_hits, SHOW_SIMPLE_FUNC},
{"Ssl_cipher", (char*) &show_ssl_get_cipher, SHOW_SIMPLE_FUNC},
{"Ssl_cipher_list", (char*) &show_ssl_get_cipher_list, SHOW_SIMPLE_FUNC},
{"Ssl_client_connects", (char*) &show_ssl_ctx_sess_connect, SHOW_SIMPLE_FUNC},
{"Ssl_connect_renegotiates", (char*) &show_ssl_ctx_sess_connect_renegotiate, SHOW_SIMPLE_FUNC},
{"Ssl_ctx_verify_depth", (char*) &show_ssl_ctx_get_verify_depth, SHOW_SIMPLE_FUNC},
{"Ssl_ctx_verify_mode", (char*) &show_ssl_ctx_get_verify_mode, SHOW_SIMPLE_FUNC},
{"Ssl_default_timeout", (char*) &show_ssl_get_default_timeout, SHOW_SIMPLE_FUNC},
{"Ssl_finished_accepts", (char*) &show_ssl_ctx_sess_accept_good, SHOW_SIMPLE_FUNC},
{"Ssl_finished_connects", (char*) &show_ssl_ctx_sess_connect_good, SHOW_SIMPLE_FUNC},
{"Ssl_server_not_after", (char*) &show_ssl_get_server_not_after, SHOW_SIMPLE_FUNC},
{"Ssl_server_not_before", (char*) &show_ssl_get_server_not_before, SHOW_SIMPLE_FUNC},
{"Ssl_session_cache_hits", (char*) &show_ssl_ctx_sess_hits, SHOW_SIMPLE_FUNC},
......
......@@ -588,6 +588,7 @@ extern int32 thread_count, service_thread_count;
extern char *opt_ssl_ca, *opt_ssl_capath, *opt_ssl_cert, *opt_ssl_cipher,
*opt_ssl_key, *opt_ssl_crl, *opt_ssl_crlpath;
extern long tls_version;
extern MYSQL_PLUGIN_IMPORT pthread_key(THD*, THR_THD);
......@@ -650,6 +651,7 @@ enum options_mysqld
OPT_WSREP_SYNC_WAIT,
#endif /* WITH_WSREP */
OPT_MYSQL_COMPATIBILITY,
OPT_TLS_VERSION,
OPT_MYSQL_TO_BE_IMPLEMENTED,
OPT_which_is_always_the_last
};
......
......@@ -3198,6 +3198,39 @@ static Sys_var_charptr Sys_ssl_crlpath(
READ_ONLY GLOBAL_VAR(opt_ssl_crlpath), SSL_OPT(OPT_SSL_CRLPATH),
IN_FS_CHARSET, DEFAULT(0));
static const char *tls_version_names[]=
{
"TLSv1.0", "TLSv1.1",
#ifdef TLS1_2_VERSION
"TLSv1.2",
#endif
#ifdef TLS1_3_VERSION
"TLSv1.3",
#endif
0
};
export bool tls_version_string_representation(THD *thd, sql_mode_t sql_mode,
LEX_STRING *ls)
{
set_to_string(thd, ls, tls_version, tls_version_names);
return ls->str == 0;
}
static Sys_var_set Sys_tls_version(
"tls_version",
"TLS protocol version for secure connections.",
READ_ONLY GLOBAL_VAR(tls_version), CMD_LINE(REQUIRED_ARG),
tls_version_names,
DEFAULT(VIO_TLSv1_0 | VIO_TLSv1_1
#ifdef TLS1_2_VERSION
| VIO_TLSv1_2
#endif
#ifdef TLS1_3_VERSION
| VIO_TLSv1_3
#endif
));
static Sys_var_mybool Sys_standard_compliant_cte(
"standard_compliant_cte",
"Allow only CTEs compliant to SQL standard",
......
......@@ -85,7 +85,8 @@ ssl_error_string[] =
"SSL_CTX_set_default_verify_paths failed",
"Failed to set ciphers to use",
"SSL_CTX_new failed",
"SSL_CTX_set_tmp_dh failed"
"SSL_CTX_set_tmp_dh failed",
"Unknown TLS version"
};
const char*
......@@ -166,21 +167,58 @@ static void check_ssl_init()
}
}
static long vio_tls_protocol_options(long tls_version)
{
long tls_protocol_flags=
#ifdef TLS1_3_VERSION
SSL_OP_NO_TLSv1_3 |
#endif
#ifdef TLS1_2_VERSION
SSL_OP_NO_TLSv1_2 |
#endif
SSL_OP_NO_TLSv1_1 |
SSL_OP_NO_TLSv1;
long disabled_tls_protocols= tls_protocol_flags,
disabled_ssl_protocols= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
if (!tls_version)
return disabled_ssl_protocols;
if (tls_version & VIO_TLSv1_0)
disabled_tls_protocols&= ~SSL_OP_NO_TLSv1;
if (tls_version & VIO_TLSv1_1)
disabled_tls_protocols&= ~SSL_OP_NO_TLSv1_1;
#ifdef TLS1_2_VERSION
if (tls_version & VIO_TLSv1_2)
disabled_tls_protocols&= ~SSL_OP_NO_TLSv1_2;
#endif
#ifdef TLS1_3_VERSION
if (tls_version & VIO_TLSv1_3)
disabled_tls_protocols&= ~SSL_OP_NO_TLSv1_3;
#endif
/* some garbage was specified in tls_version option */
if (tls_protocol_flags == disabled_tls_protocols)
return -1;
return (disabled_tls_protocols | disabled_ssl_protocols);
}
/************************ VioSSLFd **********************************/
static struct st_VioSSLFd *
new_VioSSLFd(const char *key_file, const char *cert_file,
const char *ca_file, const char *ca_path,
const char *cipher, my_bool is_client_method,
enum enum_ssl_init_error *error,
const char *crl_file, const char *crl_path)
const char *crl_file, const char *crl_path,
long tls_version)
{
DH *dh;
struct st_VioSSLFd *ssl_fd;
long ssl_ctx_options= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
long ssl_ctx_options;
DBUG_ENTER("new_VioSSLFd");
DBUG_PRINT("enter",
("key_file: '%s' cert_file: '%s' ca_file: '%s' ca_path: '%s' "
"cipher: '%s' crl_file: '%s' crl_path: '%s' ",
"cipher: '%s' crl_file: '%s' crl_path: '%s'",
key_file ? key_file : "NULL",
cert_file ? cert_file : "NULL",
ca_file ? ca_file : "NULL",
......@@ -203,6 +241,14 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
goto err1;
}
ssl_ctx_options= vio_tls_protocol_options(tls_version);
if (ssl_ctx_options == -1)
{
*error= SSL_INITERR_PROTOCOL;
DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
goto err1;
}
SSL_CTX_set_options(ssl_fd->ssl_context, ssl_ctx_options);
/*
......@@ -317,7 +363,7 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
ca_path, cipher, TRUE, error,
crl_file, crl_path)))
crl_file, crl_path, 0)))
{
return 0;
}
......@@ -335,13 +381,14 @@ struct st_VioSSLFd *
new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
const char *ca_file, const char *ca_path,
const char *cipher, enum enum_ssl_init_error* error,
const char *crl_file, const char *crl_path)
const char *crl_file, const char *crl_path,
long tls_version)
{
struct st_VioSSLFd *ssl_fd;
int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
ca_path, cipher, FALSE, error,
crl_file, crl_path)))
crl_file, crl_path, tls_version)))
{
return 0;
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment