From ad4aa2843bb628c1ceec2fd9121b5c2ffc0c9898 Mon Sep 17 00:00:00 2001
From: Tony Chen
Date: Tue, 10 Feb 2026 17:17:46 +0000
Subject: [PATCH] Fix pre-check for allowed ciphers

The current cipher pre-checks for upgrading to MySQL 8.4 will check the entire string for parameters like `ssl_cipher` and `tls_ciphersuites` against a list of individual allowed ciphers. If the parameters are configured to be a colon-separated list of ciphers, then this check will always fail. Update the check such that each cipher in the colon-separated list will be checked separately and an error will be raised if the list contains a cipher that is no longer allowed. This contribution is under the OCA signed by Amazon and covering submissions to the MySQL project.
---
 modules/util/upgrade_checker/upgrade_check.cc | 25 +++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/modules/util/upgrade_checker/upgrade_check.cc b/modules/util/upgrade_checker/upgrade_check.cc
index df1468a42..97598847d 100644
--- a/modules/util/upgrade_checker/upgrade_check.cc
+++ b/modules/util/upgrade_checker/upgrade_check.cc
@@ -214,14 +214,35 @@ std::vector Sys_var_allowed_values_check::run(
 std::vector issues;
+ const std::unordered_set cipher_params = {
+ "ssl_cipher", "admin_ssl_cipher", "tls_ciphersuites",
+ "admin_tls_ciphersuites"};
+
 for (const auto &variable : m_sys_vars) {
 // Tests for the definition to be enabled
 const auto *cached_var = cache->get_sysvar(variable.first);
 if (cached_var && cached_var->source != "COMPILED") {
- if (std::find(variable.second.begin(), variable.second.end(),
- cached_var->value) == std::end(variable.second)) {
+ std::vector configured_values;
+
+ if (cipher_params.count(variable.first)) {
+ // Cipher params are colon-separated lists; validate each cipher
+ configured_values = shcore::str_split(cached_var->value, ":");
+ } else {
+ configured_values = {cached_var->value};
+ }
+
+ bool invalid_value = false;
+ for (const auto &value : configured_values) {
+ if (std::find(variable.second.begin(), variable.second.end(),
+ value) == variable.second.end()) {
+ invalid_value = true;
+ break;
+ }
+ }
+
+ if (invalid_value) {
 auto allowed = shcore::str_join(variable.second, ", ");
 auto description =
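Review bot: The per-cipher loop can only reject what `shcore::str_split(cached_var->value, ":")` hands it, and how that helper treats an empty value or an empty token (a trailing or doubled colon) is not visible in this hunk. If an empty value splits into an empty vector, `invalid_value` stays false and the variable passes, whereas the replaced code compared the whole string against the allowed list, so for that input the pre-check would move from failing closed to failing open. I would state the intended outcome next to the split, e.g. `// empty cipher list: <accepted | reported>, covered by <test name>`, and cover both inputs in the unit tests. As a smaller style point, the flag-and-`break` loop reads more directly as a single `std::any_of` over `configured_values`. The body of `Sys_var_allowed_values_check::run` continues outside the hunk, so whether the issue text names the offending cipher rather than the whole list cannot be checked from here.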