Bug #103479 tls_ciphersuites ignored in 8.0.23, works in 8.0.22
Submitted: 26 Apr 2021 8:56
Modified: 31 May 2021 12:15
Reporter: Pete French
Status: Can't repeat
Category: MySQL Server
Severity: S3 (Non-critical)
Version: 8.0.23
OS: FreeBSD (12.2-STABLE)
Assigned to:
CPU Architecture: x86

[26 Apr 2021 8:56] Pete French
I restrict the available ciphers down to one using these settings in my.cnf

ssl-cipher=                     AES128-SHA
tls-ciphersuites=               TLS_AES_128_GCM_SHA256

On 8.0.22 and previous this works fine, but after upgrading the server to 8.0.23 my connections are now using cipher TLS_AES_256_GCM_SHA384 and the restrictions are being ignored. Nothing has changed in the configuration, and I have checked that the variables are being set correctly in the server.

It's worth noting that I also try and restrict the ciphers using this code on the client side using these options:

                unsigned int ssl_mode = SSL_MODE_REQUIRED;
                mysql_options(&_the_db, MYSQL_OPT_SSL_CIPHER,
                mysql_options(&_the_db, MYSQL_OPT_TLS_CIPHERSUITES,
                mysql_options(&_the_db, MYSQL_OPT_TLS_VERSION,
                mysql_options(&_the_db, MYSQL_OPT_SSL_MODE,

The client code hasn't changed - and the effect of having the specified cipher ignored is the same using either 8.0.22 or 8.0.23 libraries.

How to repeat:
This is easy to demonstrate by switching between 8.0.22 and 8.0.23

Suggested fix:
I don't have one. It puzzles me as to why this has suddenly stopped working.

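One way to turn the observation in the report above into a repeatable check, as an added example (not part of the original thread and not MySQL code): parse the two cipher options from my.cnf and compare them with the session's `Ssl_version` and `Ssl_cipher` status values. The function names, the `[mysqld]` header and the `TLSv1.3` protocol value are assumptions; the option values and the negotiated cipher are the ones quoted in the report.

```python
import re

# Constructed input: the two my.cnf lines from the report under an assumed [mysqld] header.
MY_CNF = """\
[mysqld]
ssl-cipher=                     AES128-SHA
tls-ciphersuites=               TLS_AES_128_GCM_SHA256
"""

# Constructed SHOW SESSION STATUS LIKE 'Ssl_%' rows; the TLSv1.3 value is an assumption.
STATUS_ROWS = [("Ssl_version", "TLSv1.3"), ("Ssl_cipher", "TLS_AES_256_GCM_SHA384")]


def configured_ciphers(cnf_text, section="mysqld"):
    """Return the colon-separated ssl_cipher / tls_ciphersuites lists of one section."""
    found = {"ssl_cipher": None, "tls_ciphersuites": None}
    current = None
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            continue
        if current != section or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower().replace("-", "_")  # my.cnf accepts '-' or '_'
        if key in found:
            found[key] = [c for c in value.strip().split(":") if c]
    return found


def check_session(cnf_text, status_rows):
    """Compare the negotiated cipher with the list that governs its protocol version."""
    status = dict(status_rows)
    version, cipher = status.get("Ssl_version", ""), status.get("Ssl_cipher", "")
    if not cipher:
        return "FAIL: session is not encrypted"
    option = "tls_ciphersuites" if version == "TLSv1.3" else "ssl_cipher"
    allowed = configured_ciphers(cnf_text)[option]
    if allowed is None:
        return f"UNRESTRICTED: {option} is not set, {cipher} negotiated"
    if cipher in allowed:
        return f"OK: {cipher} is allowed by {option}"
    return f"VIOLATION: {cipher} ({version}) is not in {option}={':'.join(allowed)}"

print(check_session(MY_CNF, STATUS_ROWS))
```
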
[28 Apr 2021 12:39] MySQL Verification Team
Hi Mr. French,

We have analysed your report and discovered that we require the complete, comprehensive and very detailed set of steps in order to be able to repeat it.

We can not proceed without a detailed test case.

[29 May 2021 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".