Bug #87379 | Perform actual TLS capabilities check when restricting TLSv1.2 | ||
---|---|---|---|
Submitted: | 10 Aug 2017 17:13 | Modified: | 26 Aug 2017 2:12 |
Reporter: | Todd Farmer (OCA) | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | Connector / J | Severity: | S2 (Serious) |
Version: | 5.1.43 | OS: | Any |
Assigned to: | Alexander Soklakov | CPU Architecture: | Any |
Tags: | tls |
[10 Aug 2017 17:13]
Todd Farmer
[17 Aug 2017 15:38]
Todd Farmer
Just FYI, will be providing a patch to address this and add a new configuration option, "enabled TLSProtocols" to allow client-side restrictions to specific TLS versions.
[17 Aug 2017 22:10]
Todd Farmer
Created pull request with patch: https://github.com/mysql/mysql-connector-j/pull/20/files A few notes: 1. Based on testing, it appears the existing code restricting TLSv1.2 to MySQL Enterprise 5.7+ builds protects against SSLExceptions when connecting from a client supporting/preferring TLSv1.2 to a server which does not support it. The resulting SSLException occurs when executing SSLSocket.startHanshake(), and is not recoverable. It may be possible to create a new SSLSocket and retry the entire transformSocketToSSLSocket() method with a more restrictive list of supported TLS protocols, but this is not implemented here. 2. The introduced configuration option, enabledTLSProtocols, supports a comma-separated list of value: TLSv1,TLSv1.1,TLSv1.2. This allows users to bypass the existing TLS version restrictions and manually identify allowed TLS versions. The same caveat applies here: If set to include TLSv1.2 support on the client side, and connecting to a MySQL Server not supporting TLSv1.2, the connection attempt will fail. 3. The enabledTLSProtocols option allows users to restrict TLS versions allowed by the client to an approved list. This is useful when seeking to prevent connections from negotiating older TLS versions such as TLSv1.
[17 Aug 2017 22:21]
Todd Farmer
Implementing enabledTLSProtocols configuration option (*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.
Contribution: enabledTLSProtocols.patch (text/x-patch), 14.90 KiB.
[18 Aug 2017 6:18]
Chiranjeevi Battula
Hello Todd Farmer, Thank you for the report and contribution. Thanks, Chiranjeevi.
[21 Aug 2017 8:55]
Alexander Soklakov
Todd, Thank you very much for this contribution! It seems to be the only way to override the yaSSL problem.
[26 Aug 2017 2:12]
Daniel So
Posted by developer: Added the following entry to the Connector/J 5.1.44 changelog: "A new connection property, enabledTLSProtocols, can now be used to override the default restrictions on the TLS versions to be used for connections, which are determined by the version of the MySQL Server that is being connected to. By providing a comma-separated list of values to this option (for example, “TLSv1,TLSv1.1,TLSv1.2”) users can, for example, prevent connections from using older TLS version, or allow connections to use TLS versions only supported by a user-compiled MySQL Server. See the entry for the new property in Driver/Datasource Class Names, URL Syntax and Configuration Properties for Connector/J for details. Thanks to Todd Farmer for contributing the code."
[29 Aug 2017 19:40]
Daniel So
Posted by developer: Added changelog entry to the Connector/J 8.0.8 changelog.