diff --git a/client/client_priv.h b/client/client_priv.h index fb0ab0f..1cc2d8d 100644 --- a/client/client_priv.h +++ b/client/client_priv.h @@ -100,6 +100,7 @@ enum options_client OPT_SSL_CRL, OPT_SSL_CRLPATH, OPT_SSL_FP, OPT_SSL_FP_LIST, OPT_SSL_PASSPHRASE, + OPT_TLS_VERSION, OPT_MAX_CLIENT_OPTION /* should be always the last */ }; diff --git a/client/mysql.cc b/client/mysql.cc index e612fcb..6370e39 100644 --- a/client/mysql.cc +++ b/client/mysql.cc @@ -1372,6 +1372,8 @@ static bool do_connect(MYSQL *mysql, const char *host, const char *user, (void*)opt_ssl_fp); mysql_options(mysql, MARIADB_OPT_SSL_FP_LIST, (void*)opt_ssl_fp_list); + mysql_options(mysql, MARIADB_OPT_TLS_VERSION, + (void*)opt_tls_version); } mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); diff --git a/client/mysqladmin.cc b/client/mysqladmin.cc index 3febc96..20416ac 100644 --- a/client/mysqladmin.cc +++ b/client/mysqladmin.cc @@ -362,6 +362,8 @@ int main(int argc,char *argv[]) (void*)opt_ssl_fp); mysql_options(&mysql, MARIADB_OPT_SSL_FP_LIST, (void*)opt_ssl_fp_list); + mysql_options(&mysql, MARIADB_OPT_TLS_VERSION, + (void*)opt_tls_version); } mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); diff --git a/client/mysqlbinlog.cc b/client/mysqlbinlog.cc index fd92a39..2f68e21 100644 --- a/client/mysqlbinlog.cc +++ b/client/mysqlbinlog.cc @@ -2078,6 +2078,8 @@ static Exit_status safe_connect() (void*)opt_ssl_fp); mysql_options(mysql, MARIADB_OPT_SSL_FP_LIST, (void*)opt_ssl_fp_list); + mysql_options(mysql, MARIADB_OPT_TLS_VERSION, + (void*)opt_tls_version); } mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); diff --git a/client/mysqldump.c b/client/mysqldump.c index c591114..a5d66bb 100644 --- a/client/mysqldump.c +++ b/client/mysqldump.c @@ -1687,6 +1687,8 @@ static int connect_to_db(char *host, char *user,char *passwd) (char*)&opt_ssl_fp); mysql_options(&mysql_connection, MARIADB_OPT_SSL_FP_LIST, (char*)&opt_ssl_fp_list); + mysql_options(&mysql_connection, MARIADB_OPT_TLS_VERSION, + (void*)opt_tls_version); } mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); diff --git a/client/mysqlimport.c b/client/mysqlimport.c index 9af6980..9b3cd65 100644 --- a/client/mysqlimport.c +++ b/client/mysqlimport.c @@ -452,6 +452,8 @@ static MYSQL *db_connect(char *host, char *database, (void*)opt_ssl_fp); mysql_options(mysql, MARIADB_OPT_SSL_FP_LIST, (void*)opt_ssl_fp_list); + mysql_options(mysql, MARIADB_OPT_TLS_VERSION, + (void*)opt_tls_version); } mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); diff --git a/client/mysqlshow.c b/client/mysqlshow.c index 374749d..ae9b8a2 100644 --- a/client/mysqlshow.c +++ b/client/mysqlshow.c @@ -130,6 +130,8 @@ int main(int argc, char **argv) (void*)opt_ssl_fp); mysql_options(&mysql, MARIADB_OPT_SSL_FP_LIST, (void*)opt_ssl_fp_list); + mysql_options(&mysql, MARIADB_OPT_TLS_VERSION, + (void*)opt_tls_version); } mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); diff --git a/client/mysqltest.cc b/client/mysqltest.cc index 7d7709f..ade9bf2 100644 --- a/client/mysqltest.cc +++ b/client/mysqltest.cc @@ -6138,6 +6138,8 @@ void do_connect(struct st_command *command) (void*)opt_ssl_fp); mysql_options(con_slot->mysql, MARIADB_OPT_SSL_FP_LIST, (void*)opt_ssl_fp_list); + mysql_options(con_slot->mysql, MARIADB_OPT_TLS_VERSION, + (void*)opt_tls_version); #if !defined(CC_HAVE_SCHANNEL) mysql_options(con_slot->mysql, MARIADB_OPT_TLS_PASSPHRASE, (void*)opt_ssl_passphrase); --- a/include/sslopt-longopts.h +++ b/include/sslopt-longopts.h @@ -41,10 +41,14 @@ {"ssl-crl", OPT_SSL_KEY, "Certificate revocation list (implies --ssl).", &opt_ssl_crl, &opt_ssl_crl, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0}, - {"ssl-crlpath", OPT_SSL_KEY, + {"ssl-crlpath", OPT_SSL_KEY, "Certificate revocation list path (implies --ssl).", &opt_ssl_crlpath, &opt_ssl_crlpath, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0}, + {"tls-version", OPT_TLS_VERSION, + "TLS protocol version for secure connection.", + &opt_tls_version, &opt_tls_version, 0, GET_STR, REQUIRED_ARG, + 0, 0, 0, 0, 0, 0}, #ifdef MYSQL_CLIENT {"ssl-verify-server-cert", OPT_SSL_VERIFY_SERVER_CERT, "Verify server's \"Common Name\" in its cert against hostname used " diff --git a/include/sslopt-vars.h b/include/sslopt-vars.h index e709bc7..51d84a4 100644 --- a/include/sslopt-vars.h +++ b/include/sslopt-vars.h @@ -30,6 +30,7 @@ SSL_STATIC char *opt_ssl_cipher = 0; SSL_STATIC char *opt_ssl_key = 0; SSL_STATIC char *opt_ssl_crl = 0; SSL_STATIC char *opt_ssl_crlpath = 0; +SSL_STATIC char *opt_tls_version = 0; #ifdef MYSQL_CLIENT SSL_STATIC my_bool opt_ssl_verify_server_cert= 0; SSL_STATIC char *opt_ssl_fp = 0; diff --git a/include/violite.h b/include/violite.h index efdcb65..d87ea30 100644 --- a/include/violite.h +++ b/include/violite.h @@ -145,7 +145,8 @@ enum enum_ssl_init_error { SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY, SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS, - SSL_INITERR_MEMFAIL, SSL_INITERR_DH, SSL_INITERR_LASTERR + SSL_INITERR_MEMFAIL, SSL_INITERR_DH, SSL_INITERR_PROTOCOL, + SSL_INITERR_LASTERR }; const char* sslGetErrString(enum enum_ssl_init_error err); @@ -166,7 +167,8 @@ struct st_VioSSLFd *new_VioSSLAcceptorFd(const char *key_file, const char *cert_file, const char *ca_file,const char *ca_path, const char *cipher, enum enum_ssl_init_error *error, - const char *crl_file, const char *crl_path); + const char *crl_file, const char *crl_path, + const char *tls_version); void free_vio_ssl_acceptor_fd(struct st_VioSSLFd *fd); #endif /* HAVE_OPENSSL */ diff --git a/libmariadb b/libmariadb index abf4bf8..b241f89 160000 --- a/libmariadb +++ b/libmariadb @@ -1 +1 @@ -Subproject commit abf4bf8024e9eb69583290a235b7aa1f6ef36550 +Subproject commit b241f8995fcd5dd6cfd0428e59171f47b7f757cc diff --git a/mysql-test/r/ssl_mdev14101.result b/mysql-test/r/ssl_mdev14101.result new file mode 100644 index 0000000..0d9e157 --- /dev/null +++ b/mysql-test/r/ssl_mdev14101.result @@ -0,0 +1,6 @@ +create user ssl_user1@localhost; +grant select on test.* to ssl_user1@localhost; +flush privileges; +tls_version_ok +1 +drop user ssl_user1@localhost; diff --git a/mysql-test/t/ssl_mdev14101.combinations b/mysql-test/t/ssl_mdev14101.combinations new file mode 100644 index 0000000..4eda9e8 --- /dev/null +++ b/mysql-test/t/ssl_mdev14101.combinations @@ -0,0 +1,8 @@ +[TLSv1.0] +--loose-tls-version=TLSv1.0 + +[TLSv1.1] +--loose-tls-version=TLSv1.1 + +[TLSv1.2] +--loose-tls-version=TLSv1.2 + +[TLSv1.1,TLSv1.2] +--loose-tls-version=TLSv1.1,TLSv1.2 diff --git a/mysql-test/t/ssl_mdev14101.test b/mysql-test/t/ssl_mdev14101.test new file mode 100644 index 0000000..2452249 --- /dev/null +++ b/mysql-test/t/ssl_mdev14101.test @@ -0,0 +1,26 @@ +# Tests for SSL connections, only run if mysqld is compiled +# with support for SSL. +-- source include/have_ssl_communication.inc +source include/require_openssl_client.inc; + +--enable_warnings +create user ssl_user1@localhost; +grant select on test.* to ssl_user1@localhost; +flush privileges; + +let tls_config=`select @@tls_version`; + +--exec $MYSQL -ussl_user1 --ssl --tls-version=$tls_config -e"SELECT @@tls_version='$tls_config' as tls_version_ok;"; +let $tls_version= ""; +if ($tls_config == "TLSv1.0") +{ + --error 1 + --exec $MYSQL -ussl_user1 --ssl --tls-version=TLSv1.1 -e"SELECT @@tls_version='TLSv1.1' as tls_version_ok;"; +} +if ($tls_config != "TLSv1.0") +{ +--error 1 +--exec $MYSQL -ussl_user1 --ssl --tls-version=TLSv1.0 -e"SELECT @@tls_version='TLSv1.0' as tls_version_ok;"; +} + +drop user ssl_user1@localhost; diff --git a/sql/mysqld.cc b/sql/mysqld.cc index 8f9a62d..0869534 100644 --- a/sql/mysqld.cc +++ b/sql/mysqld.cc @@ -1497,7 +1497,7 @@ HANDLE smem_event_connect_request= 0; my_bool opt_use_ssl = 0; char *opt_ssl_ca= NULL, *opt_ssl_capath= NULL, *opt_ssl_cert= NULL, *opt_ssl_cipher= NULL, *opt_ssl_key= NULL, *opt_ssl_crl= NULL, - *opt_ssl_crlpath= NULL; + *opt_ssl_crlpath= NULL, *opt_tls_version= NULL; static scheduler_functions thread_scheduler_struct, extra_thread_scheduler_struct; @@ -4879,7 +4879,8 @@ static void init_ssl() ssl_acceptor_fd= new_VioSSLAcceptorFd(opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher, &error, - opt_ssl_crl, opt_ssl_crlpath); + opt_ssl_crl, opt_ssl_crlpath, + opt_tls_version); DBUG_PRINT("info",("ssl_acceptor_fd: %p", ssl_acceptor_fd)); if (!ssl_acceptor_fd) { @@ -8145,6 +8146,27 @@ static int show_ssl_get_version(THD *thd, SHOW_VAR *var, char *buff, return 0; } +static int show_tls_get_version(THD *thd, SHOW_VAR *var, char *buff, + enum enum_var_type scope) +{ +#if !defined(HAVE_YASSL) + const char *tls_default_versions= "TLSv1.0,TLSv1.1,TLSv1.2"; +#else + const char *tls_default_versions= "TLSv1.0,TLSv1.1"; +#endif + var->type= SHOW_CHAR; + if( thd->vio_ok() && thd->net.vio->ssl_arg) + { + if (opt_tls_version) + var->value= const_cast(opt_tls_version); + else + var->value= const_cast(tls_default_versions); + } + else + var->value= const_cast(""); + return 0; +} + static int show_ssl_session_reused(THD *thd, SHOW_VAR *var, char *buff, enum enum_var_type scope) { @@ -8608,6 +8630,7 @@ SHOW_VAR status_vars[]= { {"Ssl_verify_depth", (char*) &show_ssl_get_verify_depth, SHOW_SIMPLE_FUNC}, {"Ssl_verify_mode", (char*) &show_ssl_get_verify_mode, SHOW_SIMPLE_FUNC}, {"Ssl_version", (char*) &show_ssl_get_version, SHOW_SIMPLE_FUNC}, + {"Tls_version", (char*) &show_tls_get_version, SHOW_SIMPLE_FUNC}, #endif #endif /* HAVE_OPENSSL */ {"Syncs", (char*) &my_sync_count, SHOW_LONG_NOFLUSH}, diff --git a/sql/mysqld.h b/sql/mysqld.h index 15208d4..7a16f48 100644 --- a/sql/mysqld.h +++ b/sql/mysqld.h @@ -590,7 +590,7 @@ extern int32 thread_running; extern int32 thread_count, service_thread_count; extern char *opt_ssl_ca, *opt_ssl_capath, *opt_ssl_cert, *opt_ssl_cipher, - *opt_ssl_key, *opt_ssl_crl, *opt_ssl_crlpath; + *opt_ssl_key, *opt_ssl_crl, *opt_ssl_crlpath, *opt_tls_version; extern MYSQL_PLUGIN_IMPORT pthread_key(THD*, THR_THD); @@ -653,6 +653,7 @@ enum options_mysqld OPT_WSREP_SYNC_WAIT, #endif /* WITH_WSREP */ OPT_MYSQL_COMPATIBILITY, + OPT_TLS_VERSION, OPT_MYSQL_TO_BE_IMPLEMENTED, OPT_which_is_always_the_last }; diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc index daf13ee..d465b2f 100644 --- a/sql/sys_vars.cc +++ b/sql/sys_vars.cc @@ -3223,6 +3223,12 @@ static Sys_var_charptr Sys_ssl_crlpath( READ_ONLY GLOBAL_VAR(opt_ssl_crlpath), SSL_OPT(OPT_SSL_CRLPATH), IN_FS_CHARSET, DEFAULT(0)); +static Sys_var_charptr Sys_tls_version( + "tls_version", + "TLS protocol version for secure connections.", + READ_ONLY GLOBAL_VAR(opt_tls_version), SSL_OPT(OPT_TLS_VERSION), + IN_FS_CHARSET, DEFAULT(0)); + static Sys_var_mybool Sys_standard_compliant_cte( "standard_compliant_cte", "Allow only CTEs compliant to SQL standard", diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c index 6358b97..740bcb1 100644 --- a/vio/viosslfactories.c +++ b/vio/viosslfactories.c @@ -85,7 +85,8 @@ ssl_error_string[] = "SSL_CTX_set_default_verify_paths failed", "Failed to set ciphers to use", "SSL_CTX_new failed", - "SSL_CTX_set_tmp_dh failed" + "SSL_CTX_set_tmp_dh failed", + "Unknown TLS version" }; const char* @@ -166,35 +167,65 @@ static void check_ssl_init() } } +static long vio_tls_protocol_options(const char *tls_version) +{ + long tls_protocol_flags= +#if !defined(HAVE_YASSL) + SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_1 | +#endif + SSL_OP_NO_TLSv1, + disabled_tls_protocols= tls_protocol_flags; + long disabled_ssl_protocols= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; + + if (!tls_version) + return disabled_ssl_protocols; + + if (strstr(tls_version, "TLSv1.0")) + disabled_tls_protocols&= ~SSL_OP_NO_TLSv1; +#if !defined(HAVE_YASSL) + if (strstr(tls_version, "TLSv1.1")) + disabled_tls_protocols&= ~SSL_OP_NO_TLSv1_1; + if (strstr(tls_version, "TLSv1.2")) + disabled_tls_protocols&= ~SSL_OP_NO_TLSv1_2; +#endif + + /* some garbage was specified in tls_version option */ + if (tls_protocol_flags == disabled_tls_protocols) + return -1; + return (disabled_tls_protocols | disabled_ssl_protocols); +} + /************************ VioSSLFd **********************************/ static struct st_VioSSLFd * new_VioSSLFd(const char *key_file, const char *cert_file, const char *ca_file, const char *ca_path, const char *cipher, my_bool is_client_method, enum enum_ssl_init_error *error, - const char *crl_file, const char *crl_path) + const char *crl_file, const char *crl_path, + const char *tls_version __attribute__((unused))) { DH *dh; struct st_VioSSLFd *ssl_fd; - long ssl_ctx_options= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; + long ssl_ctx_options; DBUG_ENTER("new_VioSSLFd"); DBUG_PRINT("enter", ("key_file: '%s' cert_file: '%s' ca_file: '%s' ca_path: '%s' " - "cipher: '%s' crl_file: '%s' crl_path: '%s' ", + "cipher: '%s' crl_file: '%s' crl_path: '%s' tls_version: '%s'", key_file ? key_file : "NULL", cert_file ? cert_file : "NULL", ca_file ? ca_file : "NULL", ca_path ? ca_path : "NULL", cipher ? cipher : "NULL", crl_file ? crl_file : "NULL", - crl_path ? crl_path : "NULL")); + crl_path ? crl_path : "NULL", + tls_version ? tls_version : "NULL")); check_ssl_init(); if (!(ssl_fd= ((struct st_VioSSLFd*) my_malloc(sizeof(struct st_VioSSLFd),MYF(0))))) goto err0; - if (!(ssl_fd->ssl_context= SSL_CTX_new(is_client_method ? + if (!(ssl_fd->ssl_context= SSL_CTX_new(is_client_method ? SSLv23_client_method() : SSLv23_server_method()))) { @@ -202,9 +233,14 @@ new_VioSSLFd(const char *key_file, const char *cert_file, DBUG_PRINT("error", ("%s", sslGetErrString(*error))); goto err1; } - + ssl_ctx_options= vio_tls_protocol_options(tls_version); + if (ssl_ctx_options == -1) + { + *error= SSL_INITERR_PROTOCOL; + DBUG_PRINT("error", ("%s", sslGetErrString(*error))); + goto err1; + } SSL_CTX_set_options(ssl_fd->ssl_context, ssl_ctx_options); - /* Set the ciphers that can be used NOTE: SSL_CTX_set_cipher_list will return 0 if @@ -316,7 +352,7 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file, if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file, ca_path, cipher, TRUE, error, - crl_file, crl_path))) + crl_file, crl_path, NULL))) { return 0; } @@ -334,13 +370,14 @@ struct st_VioSSLFd * new_VioSSLAcceptorFd(const char *key_file, const char *cert_file, const char *ca_file, const char *ca_path, const char *cipher, enum enum_ssl_init_error* error, - const char *crl_file, const char *crl_path) + const char *crl_file, const char *crl_path, + const char *tls_version) { struct st_VioSSLFd *ssl_fd; int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE; if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file, ca_path, cipher, FALSE, error, - crl_file, crl_path))) + crl_file, crl_path, tls_version))) { return 0; }