WL#12361: Support TLS 1.3 in the server and libmysql
Affects: Server-8.0
Status: Complete
TLS 1.3 is now officially approved by the IETF (https://tools.ietf.org/html/rfc8446) and is supported by newer OpenSSL versions. This worklog is about accepting TLS 1.3 in the --tls-version option and enabling it by default.
FR1: MySQL server and libmysql, when compiled with OpenSSL 1.1.1, should support the TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3 protocols.
FR2: The server and client --tls-version option should accept the value "TLSv1.3" when compiled against OpenSSL 1.1.1.
FR3: The correct TLS version should be used and displayed (the negotiated protocol is reported in the Ssl_version status variable). By default it is TLSv1.3.
FR4: New server and client --tls-ciphersuites options will be added (similar to OpenSSL's -ciphersuites) to configure the TLSv1.3 ciphersuite list. The TLSv1.3 ciphersuites provided by OpenSSL 1.1.1 are:
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_CCM_SHA256
TLS_AES_128_CCM_8_SHA256
The default value contains the first three (as per OpenSSL 1.1.1's default list).
FR5: The Ssl_cipher_list status variable value should include the TLSv1.3 ciphersuites.
FR6: A new option, MYSQL_OPT_TLS_CIPHERSUITES, will be added to the mysql client library:
mysql_options(mysql, MYSQL_OPT_TLS_CIPHERSUITES, opt_tls_ciphersuites);
Notes for documentation:
1. --ssl-cipher only configures the cipher list for TLSv1.2 and earlier; it leaves the TLSv1.3 ciphersuite list at its default. So if one runs e.g. mysql --ssl-cipher=CIPHER1 without an explicit --tls-version=TLSv1.2, the connection is still established with TLSv1.3 using some ciphersuite from the default TLSv1.3 list, not CIPHER1. To pin the cipher that is actually used, either restrict --tls-version so that TLSv1.3 is excluded, or set --tls-ciphersuites as well.
2. An empty --tls-ciphersuites value is permissible. So if one runs e.g. mysql --tls-ciphersuites="" and does not disable TLSv1.3, the TLSv1.3 handshake has no ciphersuite to offer and the connection fails rather than falling back to TLSv1.2. The same holds for the server: the connection will be refused. This is how OpenSSL behaves.
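The two documentation notes describe an interaction that is easy to get wrong in a hardening checklist: --ssl-cipher and --tls-ciphersuites govern different protocol versions, and an empty TLSv1.3 list does not cause a fallback. The following is an added model of those rules written for this page; it is not MySQL or OpenSSL code, the real negotiation is performed by OpenSSL. The class TlsEndpoint, the function negotiate and the SAMPLE_TLS12_CIPHERS list are constructed for the illustration, and the "first client-offered suite the server accepts" selection rule is a simplification of OpenSSL's actual preference handling.

```python
"""Model of how --tls-version, --ssl-cipher and --tls-ciphersuites interact,
as described in WL#12361. Illustrative simulation only, not MySQL/OpenSSL code."""

# TLSv1.3 ciphersuites provided by OpenSSL 1.1.1 (from the worklog).
TLS13_SUITES = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
]
# OpenSSL 1.1.1's default TLSv1.3 list: the first three suites above,
# in OpenSSL's default preference order.
DEFAULT_TLS13_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
]
ALL_VERSIONS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed sample of pre-1.3 cipher names; not OpenSSL's full list.
SAMPLE_TLS12_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
]


class TlsEndpoint:
    """One side (server or client) and its option values (hypothetical class).

    tls_version  -> --tls-version      (None = all four protocols enabled)
    ssl_cipher   -> --ssl-cipher       (None = every pre-1.3 cipher)
    ciphersuites -> --tls-ciphersuites (None = OpenSSL default list,
                                        "" = empty list, legal but unusable)
    """

    def __init__(self, tls_version=None, ssl_cipher=None, ciphersuites=None):
        self.versions = ALL_VERSIONS if tls_version is None else tls_version.split(",")
        self.ciphers = (SAMPLE_TLS12_CIPHERS if ssl_cipher is None
                        else [c for c in ssl_cipher.split(":") if c])
        # Note 1: --ssl-cipher never touches the TLSv1.3 list, which stays
        # at the OpenSSL default unless --tls-ciphersuites is given.
        self.suites = (DEFAULT_TLS13_SUITES if ciphersuites is None
                       else [s for s in ciphersuites.split(":") if s])


def negotiate(server, client):
    """Return (protocol, cipher) or raise ConnectionError.

    The highest protocol both sides allow is selected. For TLSv1.3 only the
    --tls-ciphersuites lists matter; for older protocols only --ssl-cipher.
    There is no fallback to TLSv1.2 when the TLSv1.3 lists do not overlap
    (Note 2). Selection takes the first client-offered entry the server
    accepts; this is a simplification of OpenSSL's real preference rules."""
    common = [v for v in ALL_VERSIONS if v in server.versions and v in client.versions]
    if not common:
        raise ConnectionError("no TLS protocol version in common")
    version = common[-1]
    if version == "TLSv1.3":
        candidates = [s for s in client.suites if s in server.suites]
    else:
        candidates = [c for c in client.ciphers if c in server.ciphers]
    if not candidates:
        raise ConnectionError(f"{version} selected but no cipher in common")
    return version, candidates[0]


def scenario_ssl_cipher_only():
    """Note 1: --ssl-cipher alone still yields a TLSv1.3 connection with a
    suite from the default TLSv1.3 list, not the pinned cipher."""
    return negotiate(TlsEndpoint(),
                     TlsEndpoint(ssl_cipher="ECDHE-RSA-AES128-GCM-SHA256"))


def scenario_pin_tls12():
    """Restricting --tls-version makes the --ssl-cipher pin effective."""
    return negotiate(TlsEndpoint(),
                     TlsEndpoint(tls_version="TLSv1.2",
                                 ssl_cipher="ECDHE-RSA-AES128-GCM-SHA256"))


def scenario_empty_ciphersuites():
    """Note 2: empty --tls-ciphersuites with TLSv1.3 enabled fails outright.
    Returns the error text, or None if the handshake unexpectedly succeeded."""
    try:
        negotiate(TlsEndpoint(), TlsEndpoint(ciphersuites=""))
    except ConnectionError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print("ssl-cipher only      :", scenario_ssl_cipher_only())
    print("pinned to TLSv1.2    :", scenario_pin_tls12())
    print("empty ciphersuites   :", scenario_empty_ciphersuites())
```

The practical lesson the model encodes: a hardening profile that only sets --ssl-cipher on a server or client built against OpenSSL 1.1.1 does not constrain the cipher in use, and one that blanks --tls-ciphersuites without also removing TLSv1.3 from --tls-version breaks connectivity instead of downgrading. On a live server the negotiated outcome can be confirmed from the Ssl_version and Ssl_cipher status variables.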
Copyright (c) 2000, 2024, Oracle Corporation and/or its affiliates. All rights reserved.