| Bug #75239 | Support for TLSv1.1 and TLSv1.2 | | |
|---|---|---|---|
| Submitted: | 16 Dec 2014 21:08 | Modified: | 17 Mar 2016 13:56 |
| Reporter: | Daniël van Eeden (OCA) | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Security: Encryption | Severity: | S4 (Feature request) |
| Version: | 5.6.22, 5.7.8 | OS: | Any |
| Assigned to: | | CPU Architecture: | Any |
| Tags: | SSL, tls | | |
[16 Dec 2014 21:08]
Daniël van Eeden
[16 Dec 2014 21:28]
Daniël van Eeden
Patch: not fully tested, but the basics work when using WITH_SSL=system

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.
Contribution: 0001-Add-support-for-TLSv1.1-and-TLSv1.2.patch (text/x-diff), 1.79 KiB.
[16 Dec 2014 21:30]
Daniël van Eeden
It looks like Ssl_cipher_list gets truncated.

```
mysql> SHOW GLOBAL STATUS LIKE 'Ssl_version'\G
*************************** 1. row ***************************
Variable_name: Ssl_version
        Value: TLSv1.2
1 row in set (0.00 sec)

mysql> SHOW GLOBAL STATUS LIKE 'Ssl_cipher_list'\G
*************************** 1. row ***************************
Variable_name: Ssl_cipher_list
        Value: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-
1 row in set (0.00 sec)
```
[16 Dec 2014 21:34]
Daniël van Eeden
Eventually it might be nice to have a variable to enable/disable TLSv1.0 and TLSv1.1
[17 Dec 2014 7:38]
MySQL Verification Team
Hello Daniël,

Thank you for the feature request and contribution.

Thanks,
Umesh
[25 Dec 2014 13:53]
Daniël van Eeden
It looks like this bug also limits programs which use libmysqlclient (e.g. Workbench) to only use TLSv1.0
[23 Jun 2015 16:00]
Michał Staruch
May I ask what you are waiting for, dear MySQL team? TLSv1.0 is already scheduled to be banned by PCI DSS v3.1: https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20... - so how about moving forward and adding support for the 9-year-old TLSv1.1 (RFC 4346) and the 7-year-old TLSv1.2 (RFC 5246)? Just don't forget about ECC (RFC 4492), and stuff like ECDH curve selection (some people may prefer P-521). Also an option for picking DH params would be needed (some of us want 4096).
[20 Aug 2015 21:39]
Kevin Wilson
Can we please get an update on when TLS 1.2 will be supported for MySQL?
[30 Aug 2015 10:04]
Daniël van Eeden
This patch fully works with MySQL compiled with OpenSSL (tested with 5.7.8).

With MySQL compiled with YaSSL the server uses TLSv1.0, but the client can connect to a server with OpenSSL and use TLSv1.1. Note that YaSSL doesn't support TLSv1.2 yet: https://www.wolfssl.com/wolfSSL/Products-yassl.html

WolfSSL (formerly CYaSSL) does support TLSv1.2 (and CRL, etc).

The patch against 5.7.8: https://github.com/dveeden/mysql-server/commit/9ef832a64e46e4ec999a3d9a2e8b8b49873a7e4b.pa...
[7 Dec 2015 11:21]
Laurynas Biveinis
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-10.html: "Previously, MySQL supported only the TLSv1 protocol for encrypting secure connections. TLS support has been extended to enable a higher level of encrypted connection security: When compiled using OpenSSL 1.0.1 or higher, MySQL supports the TLSv1, TLSv1.1, and TLSv1.2 protocols. When compiled using the bundled version of yaSSL, MySQL supports the TLSv1 and TLSv1.1 protocols."
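An added example (not code from this bug report or from MySQL) that turns the thread's two audit points into a check: it parses `SHOW GLOBAL STATUS LIKE 'Ssl_%'\G` output of the kind pasted earlier, flags a TLSv1.0 session of the sort PCI DSS v3.1 is retiring, flags 3DES suites from the list, and notices when `Ssl_cipher_list` has been cut off mid-name. The sample output is constructed; the truncation heuristic (a last token ending in `-`) is an assumption about how the truncated value looks, not a documented server behaviour.

```python
import re
from typing import Dict, List

# Constructed sample in the "\G" vertical layout, with a cipher list that is
# cut off in the incomplete token "SRP-" as in the report.
SAMPLE_OUTPUT = """\
*************************** 1. row ***************************
Variable_name: Ssl_version
        Value: TLSv1.2
*************************** 1. row ***************************
Variable_name: Ssl_cipher_list
        Value: ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:SRP-
"""

ROW_RE = re.compile(r"Variable_name:\s*(\S+)\s*\n\s*Value:\s*(.*)")

def parse_vertical_status(text: str) -> Dict[str, str]:
    """Turn SHOW GLOBAL STATUS ... \\G output into a {Variable_name: Value} dict."""
    return {name: value.strip() for name, value in ROW_RE.findall(text)}

# Protocol versions that should not be negotiated any more (TLSv1.0 is the one
# the thread is concerned with; the SSL versions are listed for completeness).
LEGACY_VERSIONS = {"TLSv1", "TLSv1.0", "SSLv3", "SSLv2"}
# Substrings that identify suites worth removing from the server's cipher list.
WEAK_CIPHER_MARKERS = ("DES-CBC3", "3DES", "RC4", "NULL")
# A complete OpenSSL cipher name is dash-separated alphanumeric groups.
CIPHER_NAME_RE = re.compile(r"[A-Z0-9]+(-[A-Z0-9]+)+")

def audit_tls_status(status: Dict[str, str]) -> List[str]:
    """Return human-readable findings for the negotiated protocol and cipher list."""
    findings: List[str] = []
    version = status.get("Ssl_version", "")
    if version in LEGACY_VERSIONS:
        findings.append(f"legacy protocol negotiated: {version}")
    cipher_list = status.get("Ssl_cipher_list", "")
    ciphers = cipher_list.split(":") if cipher_list else []
    # Assumption: a final token that is not a well-formed cipher name means the
    # status value was truncated, so the audit has not seen the full list.
    if ciphers and not CIPHER_NAME_RE.fullmatch(ciphers[-1]):
        findings.append(f"Ssl_cipher_list appears truncated after {ciphers[-1]!r}")
    for cipher in ciphers:
        if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite enabled: {cipher}")
    return findings

if __name__ == "__main__":
    for finding in audit_tls_status(parse_vertical_status(SAMPLE_OUTPUT)):
        print(finding)
```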
[17 Mar 2016 13:56]
Daniël van Eeden
I consider this fixed