Red Hat Bugzilla – Bug 1287048
MySQL is limited to using security protocols from last century
Last modified: 2016-05-10 21:34:25 EDT
Description of problem:
As described on https://access.redhat.com/articles/1471513 and https://access.redhat.com/articles/1472623 mysql clients and servers cannot be made to negotiate protocol versions higher than TLSv1.0.
This protocol version has had multiple weaknesses discovered since it was published last century. Both the general recommendation and our own is that implementations SHOULD NOT negotiate TLS version 1.0.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Try to enable support for TLS v1.2

Actual results:
No setting available

Expected results:
TLS v1.2 available by default and negotiated if supported by both sides.
1 - https://tools.ietf.org/html/bcp195#section-3.1
2 - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Security_Guide/index.html#sec-Choosing_Algorithms_to_Enable
Jakub, how is it in mysql/mariadb 5.5 and 5.6/10.0 that we have shipped in Red Hat Software Collections?
There is a related discussion in PostgreSQL bug #1287053.
Also, there is already an upstream bug, which is not resolved yet: https://bugs.mysql.com/bug.php?id=75239
Btw, it says MySQL 5.7 supports TLS 1.1 and 1.2.
Created attachment 1104085 [details]
Proposed patch from upstream bug which is not yet accepted in 5.6 and lower
In the bug https://bugs.mysql.com/bug.php?id=75239 there is also a proposed patch, so I'm just attaching it here. However, since it is not back-ported to the older, but still supported, versions 5.5 and 5.6, I'm not very willing to back-port it to 5.1 either.
5.7 also added tls_version variable:
There is a blog about TLS support in MySQL 5.7:
Also, based on:
..which resulted in commit:
..we can see that MariaDB supports TLS 1.2 since 5.5, so the recommendation for customers who require TLS 1.2 is to use MariaDB from Red Hat Software Collections.
This is a full patch that came to 5.7:
(In reply to Honza Horak from comment #5)
> Also, based on:
> ..which resulted in commit:
> ..we can see that MariaDB supports TLS 1.2 since 5.5,
Note that as discussed in MDEV-6975, rev 4369 should also be included if backporting the above change to ensure that SSLv3 and SSLv2 are not also enabled by the change.
(In reply to Tomas Hoger from comment #7)
This change was later replaced by an equivalent change merged from MySQL:
(In reply to Honza Horak from comment #1)
> Jakub, how is it in mysql/mariadb 5.5 and 5.6/10.0 that we have shipped in
> Red Hat Software Collections?
The current RHSCL versions:
- mariadb 5.5.44 and 10.0.20 - include fixes from comment 5, comment 6, and comment 7, so they enable the highest protocol version supported by the underlying OpenSSL
- mysql 5.5.45 and 5.6.26 - only include the above commit fe4c4ab9, but still use TLSv1_*_method. Hence TLS 1.0 is the only version enabled, and the fe4c4ab9 change is redundant.
MDEV-6975 includes a testing program that should allow checking which protocol versions are supported by a MySQL / MariaDB server:
Created attachment 1112434 [details]
Program to test SSL/TLS versions supported by MySQL/MariaDB server
(Local copy of the https://mariadb.atlassian.net/secure/attachment/36210/mysql-tls-ver-test.c )
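An added example, not the attached C program or any MySQL/MariaDB project code: a Python probe that parses the server's greeting, checks the CLIENT_SSL capability bit, sends the SSLRequest packet and then attempts a handshake pinned to a single TLS version, so a server can be checked against each version in turn. The host and port passed to `probe` and the `SAMPLE_GREETING` bytes are assumptions constructed for the example.

```python
import socket
import ssl
import struct

CLIENT_PROTOCOL_41 = 0x0200  # 4.1 handshake format; required for the 32-byte SSLRequest
CLIENT_SSL = 0x0800          # server advertises TLS support with this capability bit

def parse_handshake(packet: bytes) -> dict:
    """Parse a Handshake V10 greeting (4-byte packet header included)."""
    payload = packet[4:4 + int.from_bytes(packet[:3], "little")]
    if payload[0] != 10:
        raise ValueError("unexpected protocol version %d" % payload[0])
    end = payload.index(b"\x00", 1)          # server_version is NUL-terminated
    conn_id = struct.unpack_from("<I", payload, end + 1)[0]
    pos = end + 1 + 4 + 8 + 1                # skip connection id, auth data part 1, filler
    cap_low, charset, status, cap_high = struct.unpack_from("<HBHH", payload, pos)
    caps = cap_low | (cap_high << 16)
    return {"server_version": payload[1:end].decode(), "connection_id": conn_id,
            "charset": charset, "status": status, "capabilities": caps,
            "ssl": bool(caps & CLIENT_SSL)}

def ssl_request(charset: int = 33) -> bytes:
    """Build the SSLRequest packet (sequence id 1) that precedes the TLS handshake."""
    flags = CLIENT_SSL | CLIENT_PROTOCOL_41
    payload = struct.pack("<IIB", flags, 1 << 24, charset) + b"\x00" * 23
    return len(payload).to_bytes(3, "little") + b"\x01" + payload

def probe(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0):
    """Return the protocol negotiated with the client pinned to `version`, or None if refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = version
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # version probe only, not a trust decision
    ctx.set_ciphers("ALL:@SECLEVEL=0")       # let OpenSSL offer the legacy suites old versions need
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if not parse_handshake(sock.recv(4096))["ssl"]:
            return None                      # server does not advertise CLIENT_SSL at all
        sock.sendall(ssl_request())
        try:
            with ctx.wrap_socket(sock) as tls:
                return tls.version()
        except (ssl.SSLError, OSError):
            return None

# Constructed sample greeting (not a capture): protocol 10, "5.6.26", CLIENT_SSL set.
_PAYLOAD = (b"\x0a5.6.26\x00" + struct.pack("<I", 7) + b"12345678\x00"
            + struct.pack("<HBHH", 0xFFFF, 33, 2, 0x81FF) + b"\x15" + b"\x00" * 10
            + b"abcdefghijkl\x00mysql_native_password\x00")
SAMPLE_GREETING = len(_PAYLOAD).to_bytes(3, "little") + b"\x00" + _PAYLOAD
```

Calling `probe(host, 3306, v)` for each member of `ssl.TLSVersion` from TLSv1 to TLSv1_3 shows which versions the server accepts; a server that only enables TLS 1.0, as described for the mysql RHSCL builds above, returns None for every newer version.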
(In reply to Tomas Hoger from comment #8)
> - mariadb 5.5.44 and 10.0.20 - include fixes from comment 5, comment 6, and
> comment 7, so enables the highest protocol version supported by the
> underlying OpenSSL
Correction: the above should say comment 5 (rev 4365), comment 7 (rev 4369) and comment 8 (git fe4c4ab9).
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.