Bug #79558 tls_version accepts invalid arguments
Submitted: 8 Dec 2015 16:29 Modified: 15 Jul 2016 14:34
Reporter: Todd Farmer (OCA) Email Updates:
Status: Verified Impact on me:
Category:MySQL Server: Options Severity:S2 (Serious)
Version:5.7.10 OS:Any
Assigned to: CPU Architecture:Any

[8 Dec 2015 16:29] Todd Farmer
The newly-added tls_version option is theoretically an enum - possible values are:

* TLSv1
* TLSv1.1
* TLSv1.2

However, arbitrary string values are accepted:

D:\mysql-advanced-5.7.10-winx64>start bin\mysqld --no-defaults --port=3310 --con
sole --tls-version=RANDOM_STRING

D:\mysql-advanced-5.7.10-winx64>bin\mysql -uroot -P3310
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.10-enterprise-commercial-advanced MySQL Enterprise Server -
Advanced Edition (Commercial)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SELECT @@global.tls_version
    -> ;
| @@global.tls_version |
| RANDOM_STRING        |
1 row in set (0.00 sec)

This is particularly problematic in that spelling errors (e.g., "TLSv12" instead of "TLSv1.2") will result in the server starting, an no TLS being configured.  The following warning is generated:

2015-12-08T16:25:51.690185Z 0 [Warning] Failed to set up SSL because of the foll
owing SSL library error: TLS version is invalid

How to repeat:
See above.

Suggested fix:
Invalid tls_version values should produce an error, and the server should not start.
[15 Jul 2016 6:04] Laurynas Biveinis
Duplicate of bug 79558?
[15 Jul 2016 14:31] Todd Farmer
I suspect you meant a different bug number, but I'm not sure which one.
[15 Jul 2016 14:32] Laurynas Biveinis
Sorry - bug 79509
[15 Jul 2016 14:34] Todd Farmer
Indeed it is!  Thanks for catching that.
[3 Jan 2018 13:50] Daniƫl van Eeden
This bug should be closed as duplicate.