Bug #79558 tls_version accepts invalid arguments
Submitted: 8 Dec 2015 16:29
Modified: 13 Oct 8:19
Reporter: Todd Farmer (OCA)
Status: Can't repeat
Category: MySQL Server: Options
Severity: S2 (Serious)
Version: 5.7.10
OS: Any
Assigned to:
CPU Architecture: Any

[8 Dec 2015 16:29] Todd Farmer
Description:
The newly-added tls_version option is theoretically an enum - possible values are:

* TLSv1
* TLSv1.1
* TLSv1.2

However, arbitrary string values are accepted:

D:\mysql-advanced-5.7.10-winx64>start bin\mysqld --no-defaults --port=3310 --console --tls-version=RANDOM_STRING

D:\mysql-advanced-5.7.10-winx64>bin\mysql -uroot -P3310
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.10-enterprise-commercial-advanced MySQL Enterprise Server - Advanced Edition (Commercial)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SELECT @@global.tls_version
    -> ;
+----------------------+
| @@global.tls_version |
+----------------------+
| RANDOM_STRING        |
+----------------------+
1 row in set (0.00 sec)

This is particularly problematic in that spelling errors (e.g., "TLSv12" instead of "TLSv1.2") will result in the server starting, and no TLS being configured. The following warning is generated:

2015-12-08T16:25:51.690185Z 0 [Warning] Failed to set up SSL because of the following SSL library error: TLS version is invalid

How to repeat:
See above.

Suggested fix:
Invalid tls_version values should produce an error, and the server should not start.
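
A pre-start check for the failure mode described in this report, added here as an example (it is not part of the original report or of MySQL's code): it flags tls_version entries in the [mysqld] section of an option file that are not in the report's list, and finds the quoted warning in an error log. The function names, the sample option file and the second log line are constructed; treating the value as a comma-separated list whose entries are matched exactly is an assumption.

```python
import re

# Values the report lists as valid for 5.7.10; extend for newer servers.
ALLOWED = {"TLSv1", "TLSv1.1", "TLSv1.2"}
# Warning text quoted in the report's error-log line.
SSL_WARNING = "Failed to set up SSL because of the following SSL library error"

def invalid_tls_versions(value, allowed=ALLOWED):
    """Return the entries of a tls_version value that are not in `allowed`."""
    # Assumption: comma-separated list, names compared exactly as spelled above.
    return [p.strip() for p in value.split(",") if p.strip() not in allowed]

def check_option_file(text):
    """Return [(line_number, bad_entries)] for tls_version lines under [mysqld]."""
    section, findings = None, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        key, _, value = line.partition("=")
        # Option names may be written with dashes or underscores.
        if section == "mysqld" and key.strip().replace("-", "_") == "tls_version":
            bad = invalid_tls_versions(value.strip().strip("'\""))
            if bad:
                findings.append((n, bad))
    return findings

def ssl_setup_failures(log_text):
    """Return error-log lines showing the server started without TLS."""
    return [l for l in log_text.splitlines() if "[Warning]" in l and SSL_WARNING in l]

# Constructed sample option file with the misspelling mentioned in the report.
SAMPLE_CNF = "[client]\nport=3310\n[mysqld]\nport=3310\ntls-version = TLSv1.1,TLSv12\n"
# First line is the warning from the report; the second line is constructed.
SAMPLE_LOG = (
    "2015-12-08T16:25:51.690185Z 0 [Warning] Failed to set up SSL because of the following SSL library error: TLS version is invalid\n"
    "2015-12-08T16:25:51.700000Z 0 [Note] constructed line: server ready\n"
)

if __name__ == "__main__":
    for n, bad in check_option_file(SAMPLE_CNF):
        print(f"option file line {n}: invalid tls_version entries {bad}")
    for line in ssl_setup_failures(SAMPLE_LOG):
        print("TLS not configured:", line)
```
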
[8 Dec 2015 17:31] MySQL Verification Team
Bug 22308051 - BAD TLS_VERSION VALUES ARE NOT REJECTED 
Bug 22140418 - WITH INVALID --TLS_VERSION VALUES SERVER STARTUP SUCCESSFUL WITHOUT ANY ERROR
[15 Jul 2016 6:04] Laurynas Biveinis
Duplicate of bug 79558?
[15 Jul 2016 14:31] Todd Farmer
I suspect you meant a different bug number, but I'm not sure which one.
[15 Jul 2016 14:32] Laurynas Biveinis
Sorry - bug 79509
[15 Jul 2016 14:34] Todd Farmer
Indeed it is!  Thanks for catching that.
[3 Jan 2018 13:50] Daniël van Eeden
This bug should be closed as duplicate.
[13 Oct 8:19] Georgi Kodinov
Posted by developer:
 
Can't reproduce on the latest trunk. Please re-open if still applicable with detailed steps to reproduce. 

[gkodinov@compile-el9-02 mysql-test]$ ../runtime_output_directory/mysql -u root --protocol=tcp --socket=20202 --ssl-cipher=ECDHE-RSA-AES128-GCM-SHA256 --port=20202 --tls-version=RANDOM_STRING
ERROR 2026 (HY000): SSL connection error: TLS version is invalid
[gkodinov@compile-el9-02 mysql-test]$ ../runtime_output_directory/mysql -u root --protocol=tcp --socket=20202 --ssl-cipher=ECDHE-RSA-AES128-GCM-SHA256 --port=20202 --version
../runtime_output_directory/mysql  Ver 9.6.0 for Linux on x86_64 (Source distribution)