1/*
2 Copyright (c) 2018, 2023, Oracle and/or its affiliates.
3
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License, version 2.0,
6 as published by the Free Software Foundation.
7
8 This program is also distributed with certain software (including
9 but not limited to OpenSSL) that is licensed under separate terms,
10 as designated in a particular file or component or in included license
11 documentation. The authors of MySQL hereby grant you an additional
12 permission to link the program and your derivative works with the
13 separately licensed software that they have included with MySQL.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
23*/
24
25#ifndef TLS_CIPHERS_INCLUDED
26#define TLS_CIPHERS_INCLUDED
27
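namespace {

/**
  Configuring list of ciphers

  TLSv1.2
  =======
  Server: Specify in following order:
  1. Blocked ciphers
  2. Approved ciphers

  Client: Specify in following order:
  1. Blocked ciphers
  2. Approved ciphers
  3. Client specific ciphers

  TLSv1.3
  =======
  Server: Specify in following order:
  1. Blocked ciphers (None atm)
  2. Approved ciphers

  Client: Specify in following order:
  1. Blocked ciphers (None atm)
  2. Approved ciphers
  3. Client specific ciphers (None atm)

  Every array below holds one OpenSSL cipher-list string: entries are
  separated by ":" and the last entry carries no trailing ":", so that
  the pieces can be concatenated with a single ":" between them in the
  order given above.  The arrays sit in an anonymous namespace, so each
  translation unit that includes this header gets its own private copy.
*/

/*
  List of TLSv1.3 ciphers in order of their priority.
  Addition to the list must be done keeping priority of the
  new cipher in mind.
  The last entry must not contain a trailing ":".

  Current criteria for inclusion is:
  1. Must provide Perfect Forward Secrecy
  2. Uses SHA2 in cipher/certificate
  3. Uses AES in GCM or any other AEAD algorithms/modes
*/
const char default_tls13_ciphers[] = {
    "TLS_AES_128_GCM_SHA256:"
    "TLS_AES_256_GCM_SHA384:"
    "TLS_CHACHA20_POLY1305_SHA256:"
    "TLS_AES_128_CCM_SHA256"};

/*
  List of TLSv1.2 ciphers in order of their priority.
  Addition to the list must be done keeping priority of the
  new cipher in mind.
  The last entry must not contain a trailing ":".

  Current criteria for inclusion is:
  1. Must provide Perfect Forward Secrecy
  2. Uses SHA2 in cipher/certificate
  3. Uses AES in GCM or any other AEAD algorithms/modes

  Only ephemeral (ECDHE/DHE) key exchange appears here; static DH/ECDH
  and plain RSA key-exchange suites are deliberately absent.
*/
const char default_tls12_ciphers[] = {
    "ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:"
    "ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES256-CCM:"
    "ECDHE-ECDSA-AES128-CCM:"
    "DHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-CCM:"
    "DHE-RSA-AES128-CCM:"
    "DHE-RSA-CHACHA20-POLY1305"};

/*
  Following ciphers (or categories of ciphers) are not permitted
  because they are too weak to provide required security.

  New cipher/category can be added at any position.

  Care must be taken to prefix cipher/category with "!" - in OpenSSL
  cipher-list syntax "!" removes the entry permanently, so a later
  positive entry cannot re-enable it.  A missing "!" would silently
  turn a block into an enable.
*/
const char blocked_tls12_ciphers[] = {
    "!aNULL:"
    "!eNULL:"
    "!EXPORT:"
    "!LOW:"
    "!MD5:"
    "!DES:"
    "!3DES:"
    "!RC2:"
    "!RC4:"
    "!PSK:"
    "!DH-RSA-AES128-SHA256:"
    "!DH-RSA-AES256-SHA256:"
    "!DH-DSS-AES128-SHA256:"
    "!DH-DSS-AES128-SHA:"
    "!DH-DSS-AES256-SHA:"
    "!DH-DSS-AES256-SHA256:"
    "!DH-RSA-AES128-SHA:"
    "!DH-RSA-AES256-SHA:"
    "!DH-DSS-AES128-GCM-SHA256:"
    "!DH-DSS-AES256-GCM-SHA384:"
    "!DH-RSA-AES128-GCM-SHA256:"
    "!DH-RSA-AES256-GCM-SHA384"};

/*
  Following ciphers are added to the list of permissible ciphers
  while configuring the ciphers on client side.

  This is done to provide backward compatibility.

  NOTE: unlike default_tls12_ciphers, the entries here do not all meet
  the inclusion criteria above: the ECDH-* and bare AES*/CAMELLIA*
  suites use static key exchange (no forward secrecy), the *-SHA and
  *-SHA256/*-SHA384 CBC suites are not AEAD, and the *-CCM8 suites use
  a truncated 8-byte authentication tag.  They are intended to be
  combined with blocked_tls12_ciphers in the order described at the top
  of this file; extending this list widens what a client will accept
  from a server, so additions should be reviewed as a security change.
*/
const char additional_client_ciphers[] = {
    "ECDHE-ECDSA-AES256-CCM8:"
    "ECDHE-ECDSA-AES128-CCM8:"
    "DHE-RSA-AES256-CCM8:"
    "DHE-RSA-AES128-CCM8:"
    "ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA384:"
    "DHE-DSS-AES256-GCM-SHA384:"
    "DHE-DSS-AES128-GCM-SHA256:"
    "DHE-DSS-AES128-SHA256:"
    "DHE-DSS-AES256-SHA256:"
    "DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES128-SHA256:"
    "DHE-RSA-CAMELLIA256-SHA256:"
    "DHE-RSA-CAMELLIA128-SHA256:"
    "ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-AES256-SHA:"
    "DHE-DSS-AES128-SHA:"
    "DHE-RSA-AES128-SHA:"
    "DHE-RSA-AES256-SHA:"
    "DHE-DSS-AES256-SHA:"
    "DHE-RSA-CAMELLIA256-SHA:"
    "DHE-RSA-CAMELLIA128-SHA:"
    "ECDH-ECDSA-AES128-SHA256:"
    "ECDH-RSA-AES128-SHA256:"
    "ECDH-RSA-AES256-SHA384:"
    "ECDH-ECDSA-AES256-SHA384:"
    "ECDH-ECDSA-AES128-SHA:"
    "ECDH-ECDSA-AES256-SHA:"
    "ECDH-RSA-AES128-SHA:"
    "ECDH-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:"
    "AES128-CCM:"
    "AES128-CCM8:"
    "AES256-GCM-SHA384:"
    "AES256-CCM:"
    "AES256-CCM8:"
    "AES128-SHA256:"
    "AES256-SHA256:"
    "AES128-SHA:"
    "AES256-SHA:"
    "CAMELLIA256-SHA:"
    "CAMELLIA128-SHA:"
    "ECDH-ECDSA-AES128-GCM-SHA256:"
    "ECDH-ECDSA-AES256-GCM-SHA384:"
    "ECDH-RSA-AES128-GCM-SHA256:"
    "ECDH-RSA-AES256-GCM-SHA384"};

}  // namespace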
191
192#endif /* TLS_CIPHERS_INCLUDED */