WL#14519: Deprecate the use of TLS v1.0 and v1.1
Affects: Server-8.0
—
Status: Complete
https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html
Transport Layer Security (TLS) versions 1.0 [RFC2246] and 1.1 [RFC4346] were
superseded by TLSv1.2 [RFC5246] in 2008, which has now itself been superseded by
TLSv1.3 [RFC8446]. It is therefore timely to further deprecate these old
versions. The expectation is that TLSv1.2 will continue to be used for many years
alongside TLSv1.3.
TLSv1.1 and TLSv1.0 are also actively being deprecated in accordance with guidance
from government agencies (e.g. NIST SP 800-52r2) and industry consortia such as
the Payment Card Industry Association (PCI) [PCI-TLS1].
3GPP have deprecated TLSv1.0 and DTLSv1.0 since their release-14 in 2016
[TGPP33310].
The primary technical reasons for deprecating these versions include:
- They require implementation of older cipher suites that are no longer
  desirable for cryptographic reasons, e.g. TLSv1.0 makes
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA mandatory to implement.
- Lack of support for current recommended cipher suites, especially using AEAD
  ciphers, which are not supported prior to TLSv1.2. Note: registry entries for
  no-longer-desirable ciphersuites remain in the registries, but many TLS
  registries are being updated through [RFC8447], which denotes such entries as
  "not recommended."
- Integrity of the handshake depends on SHA-1 hash.
- Authentication of the peers depends on SHA-1 signatures.
- Support for four protocol versions increases the likelihood of
  misconfiguration.
- At least one widely-used library has plans to drop TLSv1.1 and TLSv1.0 support
  in upcoming releases; products using such libraries would need to use older
  versions of the libraries to support TLSv1.0 and TLSv1.1, which is clearly
  undesirable.
Deprecation of these versions is intended to assist developers as additional
justification to no longer support older TLS versions and to migrate to a minimum
of TLSv1.2. Deprecation also assists product teams with phasing out support for
the older versions to reduce the attack surface and the scope of maintenance for
protocols in their offerings.
FR1: If TLSv1.0 or TLSv1.1 are specified as a part of the tls-version or admin-tls-version command line option, a deprecation warning (one for each deprecated version) will be printed into the server's error log.
FR2: If TLSv1.0 or TLSv1.1 are specified as a part of setting a global value for the tls-version or admin-tls-version system variable from an SQL connection, a deprecation warning (one for each deprecated version) will be added to the result of executing the ALTER INSTANCE RELOAD TLS command.
FR2.1: In this case no error log warning will be thrown.
FR2: If a successful connection uses TLSv1.0 or TLSv1.1, a warning should be logged in the server error log with details of the current user and connected user.
FR3: Setting the values for the replication client will throw no warning, since it is a client to another mysql server that will have the warning.
FR4: No client --tls-version setting will cause any warnings in the client app.
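The following is an added example, not part of the worklog itself: it shows the weak tls_version setting that triggers the FR2 warnings next to the corrected minimum-TLSv1.2 setting, and a performance_schema query an operator can run beforehand to inventory sessions that still negotiate TLSv1.0 (reported by the server as "TLSv1") or TLSv1.1. The Ssl_version status variable and the performance_schema.status_by_thread join are standard MySQL 8.0 features and are assumed here, not taken from the worklog.

```sql
-- Weak setting: still admits the deprecated versions. Applying it from SQL
-- returns one deprecation warning per deprecated version with the RELOAD (FR2).
SET PERSIST tls_version = 'TLSv1,TLSv1.1,TLSv1.2,TLSv1.3';
ALTER INSTANCE RELOAD TLS;

-- Corrected setting: TLSv1.2 becomes the minimum, as the draft recommends.
-- The admin interface has its own variable and its own reload channel.
SET PERSIST tls_version       = 'TLSv1.2,TLSv1.3';
SET PERSIST admin_tls_version = 'TLSv1.2,TLSv1.3';
ALTER INSTANCE RELOAD TLS;                          -- main channel
ALTER INSTANCE RELOAD TLS FOR CHANNEL mysql_admin;  -- admin channel

-- Before tightening, list live sessions that would be cut off. The server also
-- logs each such connection (second FR2); this gives a point-in-time inventory
-- of user and host so the clients can be upgraded first.
SELECT t.PROCESSLIST_ID,
       t.PROCESSLIST_USER,
       t.PROCESSLIST_HOST,
       s.VARIABLE_VALUE AS tls_version
  FROM performance_schema.threads t
  JOIN performance_schema.status_by_thread s
    ON s.THREAD_ID = t.THREAD_ID
 WHERE s.VARIABLE_NAME  = 'Ssl_version'
   AND s.VARIABLE_VALUE IN ('TLSv1', 'TLSv1.1');

-- Verify the version negotiated by the current session.
SHOW SESSION STATUS LIKE 'Ssl_version';
```

Run the inventory query periodically until it returns no rows, then apply the corrected setting; after the reload, existing sessions keep their negotiated version and only new connections are subject to the new minimum.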
Copyright (c) 2000, 2025, Oracle Corporation and/or its affiliates. All rights reserved.