Bug #79509 Bad tls_version values are not rejected
Submitted: 3 Dec 2015 14:33    Modified: 3 Dec 2015 17:51
Reporter: Paul DuBois
Status: Verified
Category: MySQL Server: Options    Severity: S3 (Non-critical)
Version: 5.7.10, 5.7.18, 5.7.20    OS: Any
Assigned to:    CPU Architecture: Any

[3 Dec 2015 14:33] Paul DuBois
Description:
5.7.10 introduced the tls_version system variable, which is supposed to be a comma-separated list containing one (zero?) or more of the following values:

TLSv1
TLSv1.1
TLSv1.2

Problem: The server does not reject (or even warn about) invalid values.

How to repeat:
Start the server like this:

[mysqld]
tls_version=x

Check the resulting tls_version value:

mysql> show variables like 'tls%';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| tls_version   | x     |
+---------------+-------+

Check the error log for any indication that the value is invalid. There are none, although there does appear to be a warning that is a "side-effect" of the invalid value:

[Warning] Failed to set up SSL because of the following SSL library error: TLS version is invalid

That, however, is hard to understand without knowing whether tls_version has been set correctly.

Suggested fix:
My preference: The server should fail to start if tls_version contains bad values. This way the user must check the cause of the failure and fix it immediately.

Or at least it should warn about them and perhaps fall back to a reasonable default.
[3 Dec 2015 17:51] MySQL Verification Team
Thank you for the bug report.

C:\dbs>net start mysqld57
The MySQLD57 service is starting.
The MySQLD57 service was started successfully.

C:\dbs>57

C:\dbs>c:\dbs\5.7\bin\mysql -uroot -p --port=3570 --prompt="mysql 5.7 > "
Enter password: ******
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.11 Source distribution PULL: 2015-NOV-25

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql 5.7 > show variables like 'tls%';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| tls_version   | x     |
+---------------+-------+
1 row in set (0.00 sec)

mysql 5.7 > exit
Bye

C:\dbs>net stop mysqld57
The MySQLD57 service is stopping.
The MySQLD57 service was stopped successfully.

C:\dbs>net start mysqld57
The MySQLD57 service is starting.
The MySQLD57 service was started successfully.

C:\dbs>57

C:\dbs>c:\dbs\5.7\bin\mysql -uroot -p --port=3570 --prompt="mysql 5.7 > "
Enter password: ******
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.11 Source distribution PULL: 2015-NOV-25

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql 5.7 > show variables like 'tls%';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| tls_version   | 1     |
+---------------+-------+
1 row in set (0.00 sec)
[15 Jul 2016 6:05] Laurynas Biveinis
Bug 79558 is duplicate?
[3 Jan 2018 13:53] Daniël van Eeden
Seems like 5.7.18 and 5.7.20 are still affected.

mysql> show global variables like 'tls_version';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| tls_version   | TLSv1.1,FOOBARv1.1 |
+---------------+--------------------+
1 row in set (0.01 sec)

Note that it doesn't even report in the error log that the value is invalid.

Note that on a community build (YaSSL) it allows 'TLSv1.1,TLSv1.2' which seems to indicate that TLSv1.2 works while it doesn't. This gives a false sense of security. (same for TLSv1.3 with current OpenSSL builds).
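The two checks the thread asks for, rejecting tokens that are not protocol names at all (Paul's suggested fix) and flagging names the linked TLS library cannot actually negotiate (Daniël's "false sense of security" point), can be expressed as a small validator. The code below is an added example written for this page, not MySQL server code; the accepted protocol names are the ones the report lists (plus TLSv1.3 from the last comment), and the per-library capability table is a constructed assumption modelled on the YaSSL-versus-OpenSSL remark above, not taken from MySQL source. Token matching is exact; whether the real server folds case is not something this example claims.

```python
from dataclasses import dataclass

# Protocol names the report lists as valid for tls_version in 5.7.10,
# plus TLSv1.3, which the last comment mentions for current OpenSSL builds.
KNOWN_VERSIONS = ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Constructed capability table (assumption, not from MySQL source): which
# protocols a given library build can really negotiate. The yassl entry
# follows the comment that a YaSSL community build cannot do TLSv1.2.
LIBRARY_SUPPORT = {
    "yassl": frozenset({"TLSv1", "TLSv1.1"}),
    "openssl-1.0": frozenset({"TLSv1", "TLSv1.1", "TLSv1.2"}),
    "openssl-1.1.1": frozenset({"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}),
}


@dataclass
class TlsVersionCheck:
    effective: list    # protocols the server could genuinely offer, in config order
    unknown: list      # tokens that are not protocol names at all (e.g. "x")
    unsupported: list  # real names the linked library cannot honour

    @property
    def ok(self) -> bool:
        return not self.unknown and not self.unsupported and bool(self.effective)


def check_tls_version(value: str, library: str) -> TlsVersionCheck:
    """Split a comma-separated tls_version value and classify each token.

    Matching is exact (case-sensitive) by design of this example.
    """
    supported = LIBRARY_SUPPORT[library]
    result = TlsVersionCheck([], [], [])
    for raw in value.split(","):
        token = raw.strip()
        if not token:
            continue  # ignore empty tokens such as a trailing comma
        if token not in KNOWN_VERSIONS:
            result.unknown.append(token)
        elif token not in supported:
            result.unsupported.append(token)
        elif token not in result.effective:
            result.effective.append(token)  # drop duplicates, keep order
    return result


def startup_verdict(value: str, library: str):
    """Emulate the reporter's preferred behaviour: refuse to start on any
    bad value and name the offending token, instead of the library's vague
    'TLS version is invalid' warning. Returns (should_start, messages)."""
    chk = check_tls_version(value, library)
    msgs = []
    for tok in chk.unknown:
        msgs.append(f"[ERROR] tls_version: unknown protocol name '{tok}'")
    for tok in chk.unsupported:
        msgs.append(f"[ERROR] tls_version: {tok} is not provided by the linked "
                    f"TLS library ({library}); it will not be negotiated")
    if not chk.effective:
        msgs.append("[ERROR] tls_version: no usable protocol version remains")
    return chk.ok, msgs


if __name__ == "__main__":
    # Constructed sample configurations using the values seen in the report.
    samples = [
        ("x", "openssl-1.0"),
        ("TLSv1.1,FOOBARv1.1", "openssl-1.0"),
        ("TLSv1.1,TLSv1.2", "yassl"),
        ("TLSv1.2", "openssl-1.0"),
    ]
    for value, lib in samples:
        start, msgs = startup_verdict(value, lib)
        print(f"tls_version={value!r} with {lib}: {'start' if start else 'REFUSE'}")
        for m in msgs:
            print("   ", m)
```

The verdict is only as trustworthy as the capability table, so on a real server the check that matters is the negotiated protocol of an actual TLS session (for example `SHOW SESSION STATUS LIKE 'Ssl_version'` from a client connected with TLS), not the value `SHOW VARIABLES` echoes back.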