MDEV-31369 Disable TLS v1.0 and 1.1 for MariaDB

Remove TLSv1.1 from the default tls_version system variable. Output a warning if TLSv1.0 or TLSv1.1 are selected. Thanks Tingyao Nian for the feature request.
2025-07-30 16:24:05 +03:00 · 2023-07-06 16:47:39 +10:00
parent 5fe8d0d559
commit 1831f8e4d7
8 changed files with 25 additions and 1 deletions
--- a/mysql-test/main/ssl_cipher.result
+++ b/mysql-test/main/ssl_cipher.result
@ -66,3 +66,5 @@ Variable_name	Value
 Ssl_cipher_list	AES128-SHA
 disconnect ssl_con;
 connection default;
+call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
+FOUND 2 /TLSv1.0 and TLSv1.1 are insecure/ in mysqld.1.err
--- a/mysql-test/main/ssl_cipher.test
+++ b/mysql-test/main/ssl_cipher.test
@ -101,3 +101,9 @@ SHOW STATUS LIKE 'Ssl_cipher';
 SHOW STATUS LIKE 'Ssl_cipher_list';
 disconnect ssl_con;
 connection default;
+
+# MDEV-31369 Disable TLS v1.0 and 1.1 for MariaDB
+call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
+--let SEARCH_FILE=$MYSQLTEST_VARDIR/log/mysqld.1.err
+--let SEARCH_PATTERN= TLSv1.0 and TLSv1.1 are insecure
+--source include/search_pattern_in_file.inc
--- a/mysql-test/main/tls_version.result
+++ b/mysql-test/main/tls_version.result
@ -12,3 +12,5 @@ Variable_name	Value
 Ssl_version	TLSv1.2
@@tls_version
 TLSv1.1,TLSv1.2
+call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
+FOUND 1 /TLSv1.0 and TLSv1.1 are insecure/ in mysqld.1.err
--- a/mysql-test/main/tls_version.test
+++ b/mysql-test/main/tls_version.test
@ -22,3 +22,8 @@
 # finally list available protocols
 --exec $MYSQL --host=localhost --ssl -e "select @@tls_version;"

+call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
+--let SEARCH_FILE=$MYSQLTEST_VARDIR/log/mysqld.1.err
+--let SEARCH_PATTERN= TLSv1.0 and TLSv1.1 are insecure
+--source include/search_pattern_in_file.inc
+
--- a/mysql-test/main/tls_version1.result
+++ b/mysql-test/main/tls_version1.result
@ -4,3 +4,5 @@ Variable_name	Value
 Ssl_version	TLSv1
@@tls_version
 TLSv1.0
+call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
+FOUND 1 /TLSv1.0 and TLSv1.1 are insecure/ in mysqld.1.err
--- a/mysql-test/main/tls_version1.test
+++ b/mysql-test/main/tls_version1.test
@ -10,3 +10,8 @@
 --exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.0 -e "show status like 'ssl_version';"
 --exec $MYSQL --host=localhost --ssl -e "select @@tls_version;"

+call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
+--let SEARCH_FILE=$MYSQLTEST_VARDIR/log/mysqld.1.err
+--let SEARCH_PATTERN= TLSv1.0 and TLSv1.1 are insecure
+--source include/search_pattern_in_file.inc
+
--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@ -4500,6 +4500,8 @@ static int init_common_variables()
    return 1;
  }

+  if (tls_version & (VIO_TLSv1_0 + VIO_TLSv1_1))
+      sql_print_warning("TLSv1.0 and TLSv1.1 are insecure and should not be used for tls_version");

 #ifdef WITH_WSREP
  /*
--- a/sql/sys_vars.cc
+++ b/sql/sys_vars.cc
@ -3623,7 +3623,7 @@ static Sys_var_set Sys_tls_version(
       "TLS protocol version for secure connections.",
       READ_ONLY GLOBAL_VAR(tls_version), CMD_LINE(REQUIRED_ARG),
       tls_version_names,
-       DEFAULT(VIO_TLSv1_1 | VIO_TLSv1_2 | VIO_TLSv1_3));
+       DEFAULT(VIO_TLSv1_2 | VIO_TLSv1_3));

 static Sys_var_mybool Sys_standard_compliant_cte(
       "standard_compliant_cte",