diff --git a/mysql-test/main/ssl_cipher.result b/mysql-test/main/ssl_cipher.result
index bd5b34347fe..9308f0f9833 100644
--- a/mysql-test/main/ssl_cipher.result
+++ b/mysql-test/main/ssl_cipher.result
@@ -66,3 +66,5 @@ Variable_name Value
 Ssl_cipher_list AES128-SHA
 disconnect ssl_con;
 connection default;
+call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
+FOUND 2 /TLSv1.0 and TLSv1.1 are insecure/ in mysqld.1.err
diff --git a/mysql-test/main/ssl_cipher.test b/mysql-test/main/ssl_cipher.test
index 2ca18df1f20..3a54aca5145 100644
--- a/mysql-test/main/ssl_cipher.test
+++ b/mysql-test/main/ssl_cipher.test
@@ -101,3 +101,9 @@ SHOW STATUS LIKE 'Ssl_cipher';
 SHOW STATUS LIKE 'Ssl_cipher_list';
 disconnect ssl_con;
 connection default;
+
+# MDEV-31369 Disable TLS v1.0 and 1.1 for MariaDB
+call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
+--let SEARCH_FILE=$MYSQLTEST_VARDIR/log/mysqld.1.err
+--let SEARCH_PATTERN= TLSv1.0 and TLSv1.1 are insecure
+--source include/search_pattern_in_file.inc
diff --git a/mysql-test/main/tls_version.result b/mysql-test/main/tls_version.result
index d1b20a121fe..3d9565983e8 100644
--- a/mysql-test/main/tls_version.result
+++ b/mysql-test/main/tls_version.result
@@ -12,3 +12,5 @@ Variable_name Value
 Ssl_version TLSv1.2
 @@tls_version
 TLSv1.1,TLSv1.2
+call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
+FOUND 1 /TLSv1.0 and TLSv1.1 are insecure/ in mysqld.1.err
diff --git a/mysql-test/main/tls_version.test b/mysql-test/main/tls_version.test
index 875fed19821..50448f898e9 100644
--- a/mysql-test/main/tls_version.test
+++ b/mysql-test/main/tls_version.test
@@ -22,3 +22,8 @@
 # finally list available protocols
 --exec $MYSQL --host=localhost --ssl -e "select @@tls_version;"
+call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
+--let SEARCH_FILE=$MYSQLTEST_VARDIR/log/mysqld.1.err
+--let SEARCH_PATTERN= TLSv1.0 and TLSv1.1 are insecure
+--source include/search_pattern_in_file.inc
+
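Review bot: The block added at the end of ssl_cipher.test, and repeated in tls_version.test and tls_version1.test, only asserts that the warning is present when a legacy protocol is configured; nothing in these hunks asserts that a server started with the new default logs no such warning. A companion case that starts the server without an explicit tls_version and checks for absence of the message would pin the security-relevant half of the change, unless another test outside this diff already covers it. Only ssl_cipher.test carries the explanatory comment; the other two should get the same line above `call mtr.add_suppression(...)`, i.e. `# MDEV-31369 Disable TLS v1.0 and 1.1 for MariaDB`. The recorded `FOUND 2` in ssl_cipher.result is an exact match count, which presumably depends on how many server starts wrote to mysqld.1.err, so a short comment in the test saying why two are expected would help whoever re-records it.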
diff --git a/mysql-test/main/tls_version1.result b/mysql-test/main/tls_version1.result
index 8333bfec159..caabed832cb 100644
--- a/mysql-test/main/tls_version1.result
+++ b/mysql-test/main/tls_version1.result
@@ -4,3 +4,5 @@ Variable_name Value
 Ssl_version TLSv1
 @@tls_version
 TLSv1.0
+call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
+FOUND 1 /TLSv1.0 and TLSv1.1 are insecure/ in mysqld.1.err
diff --git a/mysql-test/main/tls_version1.test b/mysql-test/main/tls_version1.test
index d38de876ba3..788284c36df 100644
--- a/mysql-test/main/tls_version1.test
+++ b/mysql-test/main/tls_version1.test
@@ -10,3 +10,8 @@
 --exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.0 -e "show status like 'ssl_version';"
 --exec $MYSQL --host=localhost --ssl -e "select @@tls_version;"
+call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
+--let SEARCH_FILE=$MYSQLTEST_VARDIR/log/mysqld.1.err
+--let SEARCH_PATTERN= TLSv1.0 and TLSv1.1 are insecure
+--source include/search_pattern_in_file.inc
+
diff --git a/sql/mysqld.cc b/sql/mysqld.cc
index 2a8e4b4c16b..93e9ac54550 100644
--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -4500,6 +4500,8 @@ static int init_common_variables()
 return 1;
 }
+ if (tls_version & (VIO_TLSv1_0 + VIO_TLSv1_1))
+ sql_print_warning("TLSv1.0 and TLSv1.1 are insecure and should not be used for tls_version");
 #ifdef WITH_WSREP
 /*
diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc
index 47ffe467a8c..a2101b94a24 100644
--- a/sql/sys_vars.cc
+++ b/sql/sys_vars.cc
@@ -3623,7 +3623,7 @@ static Sys_var_set Sys_tls_version(
 "TLS protocol version for secure connections.",
 READ_ONLY GLOBAL_VAR(tls_version), CMD_LINE(REQUIRED_ARG),
 tls_version_names,
- DEFAULT(VIO_TLSv1_1 | VIO_TLSv1_2 | VIO_TLSv1_3));
+ DEFAULT(VIO_TLSv1_2 | VIO_TLSv1_3));
 static Sys_var_mybool Sys_standard_compliant_cte(
 "standard_compliant_cte",
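Review bot: In the sql/mysqld.cc hunk the mask is built with `+` (`VIO_TLSv1_0 + VIO_TLSv1_1`), while the sys_vars.cc hunk of this same commit combines the same flags with `|`. Addition equals the union only while the two constants are distinct single bits, so `if (tls_version & (VIO_TLSv1_0 | VIO_TLSv1_1))` states the intent without that assumption. As far as the hunk shows, the check only logs and does not depend on whether TLS is enabled, and a server explicitly configured with these versions is presumably still able to negotiate them. A one-line comment above the check, such as `/* Legacy protocols remain selectable; warn so operators can find them in the error log */`, would make that explicit. The body of init_common_variables() starts and continues outside the hunk, so surrounding guards may exist that are not visible here.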
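Review bot: In the sql/sys_vars.cc hunk the help text of Sys_tls_version still reads `"TLS protocol version for secure connections."`, although the default no longer includes TLSv1.1 and an explicit TLSv1.0/TLSv1.1 setting now produces a startup warning. Extending the description, for example to `"TLS protocol version for secure connections. TLSv1.0 and TLSv1.1 are insecure and not enabled by default."`, would put that where operators read it; recorded sysvar output would presumably need re-recording. Deployments that relied on the old default to serve TLSv1.1-only clients will likely see handshake failures after upgrading unless tls_version is set explicitly, which deserves a release-note line. The Sys_tls_version definition begins above the hunk.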