Server and command line tools now support option --tls_version to specify the
TLS version between client and server. Valid values are TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3
or a combination of them. E.g.
--tls_version=TLSv1.3
--tls_version=TLSv1.2,TLSv1.3
In case there is a gap between versions, the lowest version will be used:
--tls_version=TLSv1.1,TLSv1.3 -> Only TLSv1.1 will be available.
If the used TLS library doesn't support the specified TLS version, it will use
the default configuration.
Limitations:
SSLv3 is not supported. The default configuration doesn't support TLSv1.0 anymore.
TLSv1.3 protocol currently is only supported by OpenSSL 1.1.0 (client and server) and
GnuTLS 3.6.5 (client only).
Overview of TLS implementations and protocols
Server:
+-----------+-----------------------------------------+
| Library | Supported TLS versions |
+-----------+-----------------------------------------+
| WolfSSL | TLSv1.1, TLSv1,2 |
+-----------+-----------------------------------------+
| OpenSSL | (TLSv1.0), TLSv1.1, TLSv1,2, TLSv1.3 |
+-----------+-----------------------------------------+
| LibreSSL | (TLSv1.0), TLSv1.1, TLSv1,2, TLSv1.3 |
+-----------+-----------------------------------------+
Client (MariaDB Connector/C)
+-----------+-----------------------------------------+
| Library | Supported TLS versions |
+-----------+-----------------------------------------+
| GnuTLS | (TLSv1.0), TLSv1.1, TLSv1.2, TLSv1.3 |
+-----------+-----------------------------------------+
| Schannel | (TLSv1.0), TLSv1.1, TLSv1.2 |
+-----------+-----------------------------------------+
| OpenSSL | (TLSv1.0), TLSv1.1, TLSv1,2, TLSv1.3 |
+-----------+-----------------------------------------+
| LibreSSL | (TLSv1.0), TLSv1.1, TLSv1,2, TLSv1.3 |
+-----------+-----------------------------------------+
- --default-character-set can now be disabled in mysqldump
- --skip-resolve can be be disabled in mysqld
- mysql_client_test now resets global variables it changes
- mtr couldn't handle [mysqldump] in config files (wrong regexp used)
- Add new submodule for WolfSSL
- Build and use wolfssl and wolfcrypt instead of yassl/taocrypt
- Use HAVE_WOLFSSL instead of HAVE_YASSL
- Increase MY_AES_CTX_SIZE, to avoid compile time asserts in my_crypt.cc
(sizeof(EVP_CIPHER_CTX) is larger on WolfSSL)
Removed LOCK_connection_count.
Removed duplicate denied_connections and connection_errors_max_connection
increment from create_new_thread(). Another increment done by
CONNECT::close_with_error().
Simplified away CONNECT::thread_count_incremented. Now close_with_error()
is always called with connection_count incremented.
Part of MDEV-19515 - Improve connect speed
cached_thread_count can handle it alone.
Added "fast path": when thread is being added to the cache and there's
queued connection request, serve it immediately.
Part of MDEV-19515 - Improve connect speed
It mostly duplicates code of do_handle_one_connection(). Move it there,
so that it is easier to simplify it in future.
Moved PSI_CALL_delete_current_thread()/_db_pop_() out of mutex. Call them
consistently in all cases, unlike before:
- called for reused threads
- called for flushed threads
- called for threads that go down after 5 minutes timeout
- not called for threads attempting to cache themselves during flush
- not called for threads attempting to cache themselves when cache is full
Part of MDEV-19515 - Improve connect speed
Code properly integrated into callers instead.
do_handle_one_connection(): no need to reset thd and thd->thread_stack
as they're not updated by cache_thread().
Part of MDEV-19515 - Improve connect speed
It was wrong anyway, as it may not get updated by the time created thread
reads it. And it was 0 for cached threads.
Part of MDEV-19515 - Improve connect speed
It may be beneficial for slow-path, where new thread is to be created.
However it is harmful for fast-path, where thread cache can fulfil
request: it caused 2 extra loads of write-contended variables.
Also shrink variables scope.
Part of MDEV-19515 - Improve connect speed
Removed FD_CLOEXEC setting: already done by mysql_socket_accept().
Moved O_NONBLOCK setting out of accepting loop.
Removed blocking acceptance attempt, which was dead code. It was supposed
to be executed before the last iteration, however it was actually executed
during the last iteration. And it is not correct to block on one socket
leaving other sockets unattended anyway.
Gives ~5% throughput improvemet in sysbench connect benchmark.
Part of MDEV-19515 - Improve connect speed
abort_loop is intended to break accepting connections loop in main thread,
however it is being used for other purposes.
cache_thread() is governed by kill_cached_threads, no need to check
abort_loop here.
Check in create_new_thread() is redundant, abort_loop already checked
by caller.
Part of MDEV-19515 - Improve connect speed
SHOW STATUS LIKE 'Open_files' was showing 18446744073709551615
my_file_opened used statistic_increment/statistic_decrement,
so one-off errors were normal and expected. But they confused
monitoring tools, so let's move my_file_opened to use atomics.
Originally introduced by e972125f1 to avoid harmless wait for
LOCK_global_system_variables in a newly created thread, which creation was
initiated by system variable update.
At the same time it opens dangerous hole, when system variable update
thread already released LOCK_global_system_variables and ack_receiver
thread haven't yet completed new THD construction. In this case THD
constructor goes completely unprotected.
Since ack_receiver.stop() waits for the thread to go down, we have to
temporarily release LOCK_global_system_variables so that it doesn't
deadlock with ack_receiver.run(). Unfortunately it breaks atomicity
of rpl_semi_sync_master_enabled updates and makes them not serialized.
LOCK_rpl_semi_sync_master_enabled was introduced to workaround the above.
TODO: move ack_receiver start/stop into repl_semisync_master
enable_master/disable_master under LOCK_binlog protection?
Part of MDEV-14984 - regression in connect performance
