Bug #89676 Support for TLSv1.3
Submitted: 15 Feb 2018 7:26  Modified: 8 Jul 2020 9:27
Reporter: Daniël van Eeden (OCA)
Status: Closed
Category: MySQL Server: Security: Encryption  Severity: S4 (Feature request)
Version: 8.0  OS: Any
Assigned to:  CPU Architecture: Any
Tags: SSL, tls

[15 Feb 2018 7:26] Daniël van Eeden
Description:
OpenSSL announced experimental support for TLSv1.3
https://mta.openssl.org/pipermail/openssl-announce/2018-February/000113.html

It would be great if MySQL was ready to use that when it is ready for prime-time.

I would at least expect to find SSL_OP_NO_TLSv1_3 in the code.

Related:
Bug #75239 Support for TLSv1.1 and TLSv1.2

How to repeat:
On the mysql-8.0.4 tag of the git repo:

$ git grep 'TLSv1.2' | egrep -v '^(rapid|mysql-test)'
include/sslopt-longopts.h:    "permitted values are: TLSv1, TLSv1.1, TLSv1.2",
sql/sys_vars.cc:       "TLS version, permitted values are TLSv1, TLSv1.1, TLSv1.2(Only for openssl)",
sql/sys_vars.cc:       IN_FS_CHARSET, "TLSv1,TLSv1.1,TLSv1.2");
vio/viosslfactories.cc:  const char *tls_version_name_list[3]= {"TLSv1", "TLSv1.1", "TLSv1.2"};
vio/viosslfactories.cc:  const char ctx_flag_default[]= "TLSv1,TLSv1.1,TLSv1.2";
vio/viosslfactories.cc:  const long tls_ctx_list[3]= {SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2};
vio/viosslfactories.cc:  long tls_ctx_flag= SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2;
vio/viosslfactories.cc:                    | SSL_OP_NO_TLSv1_2
$ git grep 'TLSv1.3' | egrep -v '^(rapid|mysql-test)'
$

Suggested fix:
Add SSL_OP_NO_TLSv1_3 option and update docs and help text etc.
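As an added example (not MySQL's own code), this is the shape of the tls_version handling in vio/viosslfactories.cc that the grep above shows, extended with the SSL_OP_NO_TLSv1_3 entry the report asks for: every version starts disabled and each name in the list clears its NO_ bit, so a server that only lists TLSv1.2 and TLSv1.3 can never negotiate TLSv1 or TLSv1.1. The fallback constant values, the strncasecmp comparison and the -1 error return are assumptions; real code should include <openssl/ssl.h>.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Fallback definitions so this builds without OpenSSL headers; the values
 * are assumed to match <openssl/ssl.h> in OpenSSL 1.1.1, which real code
 * should include instead. */
#ifndef SSL_OP_NO_TLSv1
#define SSL_OP_NO_TLSv1   0x04000000L
#define SSL_OP_NO_TLSv1_1 0x10000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L
#define SSL_OP_NO_TLSv1_3 0x20000000L
#endif

/* Same shape as the tables in vio/viosslfactories.cc, with TLSv1.3 added. */
#define TLS_VERSION_COUNT 4
static const char *tls_version_name_list[TLS_VERSION_COUNT] =
    {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};
static const long tls_ctx_list[TLS_VERSION_COUNT] =
    {SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3};
#define TLS_ALL_DISABLED \
    (SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3)

/* Turns a comma-separated tls_version list into the SSL_OP_NO_* mask for
 * SSL_CTX_set_options(): every version starts disabled and each name in the
 * list clears its NO_ bit. Returns -1 for an unknown name or an empty list,
 * so a typo cannot silently leave old protocol versions enabled. */
long tls_version_to_ctx_flags(const char *tls_version) {
    long flags = TLS_ALL_DISABLED;
    const char *p = tls_version;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        int found = 0;
        for (int i = 0; i < TLS_VERSION_COUNT; i++) {
            if (len == strlen(tls_version_name_list[i]) &&
                strncasecmp(p, tls_version_name_list[i], len) == 0) {
                flags &= ~tls_ctx_list[i]; /* permit this version */
                found = 1;
                break;
            }
        }
        if (!found) return -1; /* e.g. "TLSv1.4" or a stray empty entry */
        if (!end) break;
        p = end + 1;
    }
    return flags == TLS_ALL_DISABLED ? -1 : flags;
}
```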
[16 Feb 2018 10:32] MySQL Verification Team
Hello Daniël,

Thank you for the feature request.

Thanks,
Umesh
[13 Sep 2018 6:46] Daniël van Eeden
OpenSSL and WolfSSL now both have TLSv1.3 support.
https://www.openssl.org/blog/blog/2018/09/11/release111/
[8 Jul 2020 9:27] Daniël van Eeden
This works with MySQL 8.0 on CentOS 8.2