Bug #93299 TLS cipher selection for X Protocol
Submitted: 22 Nov 2018 19:02 Modified: 21 Nov 2019 2:21
Reporter: Daniël van Eeden (OCA)
Status: Closed
Category: Connector / C++ Severity: S3 (Non-critical)
Version: 8.0.13 OS: Any
Assigned to: CPU Architecture: Any
Tags: tls

[22 Nov 2018 19:02] Daniël van Eeden
Description:
For Classic Protocol (libmysqlclient):
mysql_options(mysql, MYSQL_OPT_SSL_CIPHER, cipher)

It looks to me that there is nothing similar for X Protocol with X DevAPI.

I want to use this to connect with specific ciphers to do performance testing.

How to repeat:
Try to restrict which TLS ciphersuites are used from X DevAPI client (Connector/C++)
[22 Nov 2018 19:36] Daniël van Eeden
added tag
[23 Nov 2018 9:30] MySQL Verification Team
Hello Daniël,

Thank you for the report.

regards,
Umesh
[20 Nov 2019 18:37] Rafal Somla
Posted by developer:
 
New connection options `tls-versions` and `tls-ciphersuites` were added (WL#12755).
[21 Nov 2019 2:21] Paul DuBois
Posted by developer:
 
Fixed in 8.0.19.

Connector/C++ now provides options that enable specifying the permitted TLS protocols and ciphersuites for TLS connection negotiation:

* TLS protocols must be chosen from this list: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3. (TLSv1.3 requires that both the server and Connector/C++ be compiled with OpenSSL 1.1.1 or higher.)

* Ciphersuite values must be IANA ciphersuite names.

TLS protocols and ciphersuites now may be specified in these contexts:

* Connection strings permit tls-versions and tls-ciphersuites options. The tls-versions value is a list of one or more comma-separated TLS protocol versions. The tls-ciphersuites value is a list of one or more comma-separated ciphersuite names. Examples:

...?tls-versions=[TLSv1.3]&...
...?tls-versions=[TLSv1.2,TLSv1.3]&...
...?tls-ciphersuites=[
     TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
     TLS_CHACHA20_POLY1305_SHA256
   ]&...

* SessionSettings objects permit TLS_VERSIONS and TLS_CIPHERSUITES options. Each value is either a string containing one or more comma-separated items or a container with strings (that is, any type that can be iterated with a loop that yields string values).

Example of single string values:

Session s(...,
  TLS_VERSIONS, "TLSv1.2,TLSv1.3",
  TLS_CIPHERSUITES,
    "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256",
...);
Example of string container values:

std::list<std::string> tls_versions = {
  "TLSv1.2",
  "TLSv1.3"
};

std::list<std::string> ciphers = {
  "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
  "TLS_CHACHA20_POLY1305_SHA256"
};

Session s(...,
  TLS_VERSIONS, tls_versions,
  TLS_CIPHERSUITES, ciphers,
...);

Session s(...,
  TLS_VERSIONS, std::vector{"TLSv1.2","TLSv1.3"},
  TLS_CIPHERSUITES, std::vector{"TLS_DHE_PSK_WITH_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"},
...);

* mysqlx_session_option_set() and friends permit MYSQLX_OPT_TLS_VERSIONS and MYSQLX_OPT_TLS_CIPHERSUITES session option constants, together with the corresponding OPT_TLS_VERSIONS() and OPT_TLS_CIPHERSUITES() macros. MYSQLX_OPT_TLS_VERSIONS and MYSQLX_OPT_TLS_CIPHERSUITES accept a string containing one or more comma-separated items. Examples:

mysqlx_session_option_set(opts, ...,
  OPT_TLS_VERSIONS("TLSv1.2,TLSv1.3"),
  OPT_TLS_CIPHERSUITES(
    "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256"
  ),
...)
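Added example (not Connector/C++ code and not part of the release note above): a small, self-contained C++ helper that builds the two value forms described above, the comma-separated string that OPT_TLS_VERSIONS()/OPT_TLS_CIPHERSUITES() and the single-string SessionSettings form take, and the bracketed tls-versions=[...]&tls-ciphersuites=[...] fragment of a connection string, after checking the inputs. The option names, the four accepted protocol names and the IANA-name requirement are taken from the release note; the "nothing older than TLSv1.2" policy, the ciphersuite shape check and every function name are assumptions for this example. It does not link against Connector/C++ and does not verify that a ciphersuite name exists in the IANA registry or is supported by the linked OpenSSL.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Protocol names the release note lists as accepted by Connector/C++ 8.0.19,
// oldest first; the index doubles as an ordering for the policy check below.
static const std::vector<std::string> kAcceptedVersions = {
    "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};

// Local policy (an assumption for this example): refuse to configure anything
// older than TLSv1.2 even though the connector itself would accept it.
static const std::string kMinimumVersion = "TLSv1.2";

bool valid_tls_version(const std::string& v) {
    return std::find(kAcceptedVersions.begin(), kAcceptedVersions.end(), v)
           != kAcceptedVersions.end();
}

bool meets_minimum_version(const std::string& v) {
    auto pos = std::find(kAcceptedVersions.begin(), kAcceptedVersions.end(), v);
    auto min = std::find(kAcceptedVersions.begin(), kAcceptedVersions.end(),
                         kMinimumVersion);
    return pos != kAcceptedVersions.end() && pos >= min;
}

// Shape check for an IANA ciphersuite name: "TLS_" prefix followed by
// upper-case letters, digits and underscores only. OpenSSL-style names such
// as "ECDHE-RSA-AES128-GCM-SHA256" are rejected, which is the mistake the
// release note's "must be IANA ciphersuite names" rule is about.
bool looks_like_iana_ciphersuite(const std::string& name) {
    if (name.rfind("TLS_", 0) != 0 || name.size() <= 4) return false;
    return std::all_of(name.begin() + 4, name.end(), [](unsigned char c) {
        return std::isupper(c) || std::isdigit(c) || c == '_';
    });
}

// Comma-separated form, as expected by OPT_TLS_VERSIONS()/OPT_TLS_CIPHERSUITES()
// and by the single-string TLS_VERSIONS/TLS_CIPHERSUITES session settings.
std::string join_comma(const std::vector<std::string>& items) {
    std::string out;
    for (size_t i = 0; i < items.size(); ++i) {
        if (i) out += ',';
        out += items[i];
    }
    return out;
}

// Connection-string form. Throws std::invalid_argument on an empty list, an
// unknown version, a version below the local minimum, or a malformed name.
std::string build_tls_query(const std::vector<std::string>& versions,
                            const std::vector<std::string>& ciphers) {
    if (versions.empty() || ciphers.empty())
        throw std::invalid_argument("tls-versions and tls-ciphersuites must be non-empty");
    for (const auto& v : versions) {
        if (!valid_tls_version(v))
            throw std::invalid_argument("unknown TLS version: " + v);
        if (!meets_minimum_version(v))
            throw std::invalid_argument("version below local minimum: " + v);
    }
    for (const auto& c : ciphers)
        if (!looks_like_iana_ciphersuite(c))
            throw std::invalid_argument("not an IANA-style ciphersuite name: " + c);
    return "tls-versions=[" + join_comma(versions) + "]&tls-ciphersuites=[" +
           join_comma(ciphers) + "]";
}

// Boolean wrapper for callers that prefer a yes/no answer to an exception.
bool tls_options_acceptable(const std::vector<std::string>& versions,
                            const std::vector<std::string>& ciphers) {
    try { build_tls_query(versions, ciphers); return true; }
    catch (const std::invalid_argument&) { return false; }
}

int main() {
    // Constructed sample values, taken from the release note's own examples.
    std::vector<std::string> versions = {"TLSv1.2", "TLSv1.3"};
    std::vector<std::string> ciphers = {"TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
                                        "TLS_CHACHA20_POLY1305_SHA256"};
    std::cout << join_comma(versions) << "\n";            // string form
    std::cout << build_tls_query(versions, ciphers) << "\n"; // connection-string form
    return 0;
}
```

Whichever of the three contexts above you use, validating the values before handing them to the connector gives a clear error at configuration time instead of a failed or silently weaker handshake; with the SessionSettings container form the same vectors can be passed to TLS_VERSIONS and TLS_CIPHERSUITES directly.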