Please add support for TLSv1.1 and TLSv1.2

Bug #1501089 reported by Sveta Smirnova on 2015-09-29
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
MySQL Server | Unknown | Unknown | |
Percona Server (moved to https://jira.percona.com/projects/PS) | Status tracked in 5.7 | | |
5.5 | Fix Released | High | Laurynas Biveinis |
5.6 | Fix Released | High | Laurynas Biveinis |
5.7 | Fix Released | High | Unassigned |

Bug Description

Originally reported at https://bugs.mysql.com/bug.php?id=75239

Currently MySQL supports only the TLSv1 protocol and does not support TLSv1.1 and TLSv1.2, which are recommended for use. There is an upstream bug with a patch provided.

Please implement this patch for Percona Server with a small difference: use TLS_method instead of the deprecated SSLv23_method (https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_new.html).

diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index 4ca8c74..35edd33 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -193,8 +193,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
     DBUG_RETURN(0);

   if (!(ssl_fd->ssl_context= SSL_CTX_new(is_client ?
- TLSv1_client_method() :
- TLSv1_server_method())))
+ TLS_client_method() :
+ TLS_server_method())))
   {
     *error= SSL_INITERR_MEMFAIL;
     DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
--
2.1.0

David Busby (d-busby) wrote :

Per notes here: https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf, TLS1.0 from June 30th 2016 will no longer be viable for PCI.

tags: added: pci ssl tls

http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-10.html:

"Previously, MySQL supported only the TLSv1 protocol for encrypting secure connections. TLS support has been extended to enable a higher level of encrypted connection security:

When compiled using OpenSSL 1.0.1 or higher, MySQL supports the TLSv1, TLSv1.1, and TLSv1.2 protocols.

When compiled using the bundled version of yaSSL, MySQL supports the TLSv1 and TLSv1.1 protocols."

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-926
