diff --git a/libmariadb/secure/gnutls.c b/libmariadb/secure/gnutls.c
index 34341baf..9a83a682 100644
--- a/libmariadb/secure/gnutls.c
+++ b/libmariadb/secure/gnutls.c
@@ -995,9 +995,6 @@ static size_t ma_gnutls_get_protocol_version(const char *tls_version_option,
   if (!tls_version_option || !tls_version_option[0])
     goto end;
-
-  if (strstr(tls_version_option, "TLSv1.0"))
-    strcat(tls_versions, ":+VERS-TLS1.0");
   if (strstr(tls_version_option, "TLSv1.1"))
     strcat(tls_versions, ":+VERS-TLS1.1");
   if (strstr(tls_version_option, "TLSv1.2"))
@@ -1010,7 +1007,7 @@ end:
   if (tls_versions[0])
     snprintf(priority_string, prio_len - 1, "-VERS-TLS-ALL%s:NORMAL", tls_versions);
   else
-    strncpy(priority_string, "NORMAL:+VERS-ALL", prio_len - 1);
+    strncpy(priority_string, "NORMAL:+VERS-ALL+!VERS-TLS1.0", prio_len - 1);
   return strlen(priority_string);
 }
diff --git a/libmariadb/secure/openssl.c b/libmariadb/secure/openssl.c
index 0fdb040c..2347d90d 100644
--- a/libmariadb/secure/openssl.c
+++ b/libmariadb/secure/openssl.c
@@ -104,8 +104,6 @@ static long ma_tls_version_options(const char *version)
   if (!version)
     return 0;
-  if (strstr(version, "TLSv1.0"))
-    protocol_options&= ~SSL_OP_NO_TLSv1;
   if (strstr(version, "TLSv1.1"))
     protocol_options&= ~SSL_OP_NO_TLSv1_1;
   if (strstr(version, "TLSv1.2"))
@@ -421,7 +419,8 @@ void *ma_tls_init(MYSQL *mysql)
   SSL_CTX *ctx= NULL;
   long default_options= SSL_OP_ALL |
                         SSL_OP_NO_SSLv2 |
-                        SSL_OP_NO_SSLv3;
+                        SSL_OP_NO_SSLv3 |
+                        SSL_OP_NO_TLSv1;
   long options= 0;
   pthread_mutex_lock(&LOCK_openssl_config);
diff --git a/libmariadb/secure/schannel.c b/libmariadb/secure/schannel.c
index 7fa564fb..a0f94903 100644
--- a/libmariadb/secure/schannel.c
+++ b/libmariadb/secure/schannel.c
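Review bot: With the `TLSv1.0` branch removed, a caller that sets MARIADB_OPT_TLS_VERSION to exactly "TLSv1.0" leaves `tls_versions` empty and silently falls through to the default priority string instead of receiving an error; the same silent-ignore appears in the `ma_tls_version_options` hunk in openssl.c and the `ma_tls_connect` hunk in schannel.c. Negotiating a newer version than requested is safe, but the option's meaning changes with no diagnostic, and the new unit test depends on that fallback, so the choice should be recorded where the option is parsed, e.g. `/* "TLSv1.0" is no longer honoured: TLS 1.0 is disabled unconditionally and the default version set is used instead. */`. `ma_gnutls_get_protocol_version` starts before this hunk and continues into the next one.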
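Review bot: The new default priority string `"NORMAL:+VERS-ALL+!VERS-TLS1.0"` looks malformed: GnuTLS priority keywords are separated by `:`, so `+VERS-ALL+!VERS-TLS1.0` would reach the parser as one unknown keyword and `gnutls_priority_init` is likely to reject it, which I cannot verify against the GnuTLS version this builds with. The conventional form is `"NORMAL:+VERS-ALL:-VERS-TLS1.0"` (`!` and `-` are both removal prefixes, but each keyword needs its own `:`). Separately, `strncpy(..., prio_len - 1)` does not NUL-terminate when the source is longer than `prio_len - 1`, so the `strlen(priority_string)` on the return line relies on the caller having zeroed the buffer; `snprintf(priority_string, prio_len - 1, "%s", ...)`, matching the `if` branch, would always terminate.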
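Review bot: `SSL_OP_NO_TLSv1` expresses the version floor as a negative option, which OpenSSL 1.1.0 and later document as the legacy mechanism; `SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION)` states the intent directly and does not depend on keeping every `SSL_OP_NO_*` bit consistent with `ma_tls_version_options`. If the library still has to build against OpenSSL 1.0.x, keep the option but add `/* TLS 1.0 is disabled by default; the tls_version option can no longer re-enable it */` so the relation to `ma_tls_version_options` is visible. `ma_tls_init` continues past this hunk, so I cannot see where these options are applied to `ctx`.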
@@ -421,15 +421,13 @@ my_bool ma_tls_connect(MARIADB_TLS *ctls)
   if (mysql->options.extension && mysql->options.extension->tls_version)
   {
-    if (strstr(mysql->options.extension->tls_version, "TLSv1.0"))
-      Cred.grbitEnabledProtocols|= SP_PROT_TLS1_0_CLIENT;
     if (strstr(mysql->options.extension->tls_version, "TLSv1.1"))
       Cred.grbitEnabledProtocols|= SP_PROT_TLS1_1_CLIENT;
     if (strstr(mysql->options.extension->tls_version, "TLSv1.2"))
       Cred.grbitEnabledProtocols|= SP_PROT_TLS1_2_CLIENT;
   }
   if (!Cred.grbitEnabledProtocols)
-    Cred.grbitEnabledProtocols = SP_PROT_TLS1_0_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT;
+    Cred.grbitEnabledProtocols = SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT;
   if (ma_tls_set_client_certs(ctls, &cert_context))
diff --git a/unittest/libmariadb/misc.c b/unittest/libmariadb/misc.c
index f67d1366..801c108e 100644
--- a/unittest/libmariadb/misc.c
+++ b/unittest/libmariadb/misc.c
@@ -1628,7 +1628,37 @@ static int test_ext_field_attr(MYSQL *mysql)
   return OK;
 }
 
+static int test_disable_tls1_0(MYSQL *my)
+{
+  MYSQL *mysql= mysql_init(NULL);
+  const char *disabled_version= "TLSv1.0";
+  MYSQL_RES *result;
+  MYSQL_ROW row;
+  int rc;
+
+  mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL);
+  mysql_optionsv(mysql, MARIADB_OPT_TLS_VERSION, disabled_version);
+
+  FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
+                              port, socketname, 0), mysql_error(mysql));
+
+  rc= mysql_query(mysql, "SHOW STATUS LIKE 'ssl_version'");
+  check_mysql_rc(rc, mysql);
+
+  result = mysql_store_result(mysql);
+  row= mysql_fetch_row(result);
+
+  FAIL_IF(!strcmp(row[1], "TLSv1.0"), "TLS 1.0 should be disabled!");
+
+  mysql_free_result(result);
+
+  mysql_close(mysql);
+  return OK;
+}
+
+
 struct my_tests_st my_tests[] = {
+  {"test_disable_tls1_0", test_disable_tls1_0, TEST_CONNECTION_DEFAULT, 0, NULL, NULL},
   {"test_ext_field_attr", test_ext_field_attr, TEST_CONNECTION_DEFAULT, 0, NULL, NULL},
   {"test_conc533", test_conc533, TEST_CONNECTION_NEW, 0, NULL, NULL},
   {"test_conc458", test_conc458, TEST_CONNECTION_NONE, 0, NULL, NULL},
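Review bot: `result` and `row` are dereferenced without a NULL check, so if `mysql_store_result` fails or `SHOW STATUS LIKE 'ssl_version'` returns no row the test crashes on `row[1]` instead of failing cleanly; add `FAIL_IF(!result, mysql_error(mysql));` after `mysql_store_result` and `FAIL_IF(!row || !row[1], "no ssl_version status row");` after `mysql_fetch_row`. The assertion `!strcmp(row[1], "TLSv1.0")` also passes when the connection is not encrypted at all (an empty `ssl_version`), which is not what the test is meant to prove; `FAIL_IF(!row[1][0], "connection is not using TLS");` before it pins that TLS was negotiated at some other version. Whether an unencrypted fallback can actually happen here depends on connect-time behaviour outside this hunk, so treat that as a hedge rather than a claim.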