ssl_cipher parameter cannot configure TLSv1.3 and TLSv1.2 ciphers at the same time

mirror of https://github.com/MariaDB/server.git synced 2025-07-30 16:24:05 +03:00

SSL_CTX_set_ciphersuites() sets the TLSv1.3 cipher suites.

SSL_CTX_set_cipher_list() sets the ciphers for TLSv1.2 and below.

The current TLS configuration logic will not perform SSL_CTX_set_cipher_list()
to configure TLSv1.2 ciphers if the call to SSL_CTX_set_ciphersuites() was
successful. The call to SSL_CTX_set_ciphersuites() is successful if any TLSv1.3
cipher suite is passed into `--ssl-cipher`.

This is a potential security vulnerability because users trying to restrict
specific secure ciphers for TLSv1.3 and TLSv1.2, would unknowingly still have
the database support insecure TLSv1.2 ciphers.

For example:
If setting `--ssl_cipher=TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256`,
the database would still support all possible TLSv1.2 ciphers rather than only
ECDHE-RSA-AES128-GCM-SHA256.

The solution is to execute both SSL_CTX_set_ciphersuites() and
SSL_CTX_set_cipher_list() even if the first call succeeds.

This allows the configuration of exactly which TLSv1.3 and TLSv1.2 ciphers to
support.

Note that there is 1 behavior change with this. When specifying only TLSv1.3
ciphers to `--ssl-cipher`, the database will not support any TLSv1.2 cipher.
However, this does not impose a security risk and considering TLSv1.3 is the
modern protocol, this behavior should be fine.

All TLSv1.3 ciphers are still supported if only TLSv1.2 ciphers are specified
through `--ssl-cipher`.

All new code of the whole pull request, including one or several files that are
either new files or modified ones, are contributed under the BSD-new license. I
am contributing on behalf of my employer Amazon Web Services, Inc.

This commit is contained in:

Tony Chen

2024-09-04 00:58:59 +00:00

committed by

Vladislav Vaintroub

parent 9f61aa4f8a

commit be164fc401

5 changed files with 87 additions and 7 deletions

									
										10

mysql-test/include/have_tlsv13.inc
									
										Normal file
									
												View File
												
				@ -0,0 +1,10 @@

				--disable_query_log

				connect (ssl_connection,localhost,root,,,,,SSL);

				if (`SELECT VARIABLE_VALUE NOT LIKE 'TLSv1.3' FROM information_schema.SESSION_STATUS WHERE VARIABLE_NAME = 'ssl_version'`) {

				  skip Needs TLSv1.3;

				}

				disconnect ssl_connection;

				connection default;

				--enable_query_log

ssl_cipher parameter cannot configure TLSv1.3 and TLSv1.2 ciphers at the same time

10 mysql-test/include/have_tlsv13.inc Normal file Unescape Escape View File

10

mysql-test/include/have_tlsv13.inc Normal file

View File