WL#14582: Deprecate the use of TLS v1.0 and v1.1

Affects: Server-8.0   —   Status: Complete

Motivation

Following https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html, the use of TLSv1.0 and TLSv1.1 should be deprecated.

MySQL Router uses TLS

  1. on the routing ports
  2. on http ports
  3. between router and metadata-servers

routing ports

TLSv1.0 and TLSv1.1 connections will fail when the router is accepting a TLS connection (client_ssl_mode=REQUIRED or PREFERRED).

When passing the TLS connection through to the server (client_ssl_mode=PASSTHROUGH), the router does not interfere with the TLS handshake, and it is up to the server to allow or deny the TLS connection.

http ports

TLSv1.0 and TLSv1.1 connections fail.

between router and metadata servers

MySQL Router uses libmysqlclient to connect to the metadata servers.

The allowed TLS version for those connections is controlled via:

[metadata_cache]
tls_version=...

The allowed values of tls_version allow specifying TLSv1.0 and TLSv1.1.
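
As an added example (not part of this worklog or of MySQL Router's code), the following Python check scans a router configuration for [metadata_cache] sections whose tls_version still lists TLSv1.0 or TLSv1.1, and lists routing sections in PASSTHROUGH mode, where the server decides which TLS versions are accepted. It assumes tls_version is a comma-separated list as in libmysqlclient's --tls-version option; the sample configuration and the section names after ':' are constructed.

```python
import configparser

# "TLSv1" is the spelling libmysqlclient uses for TLS 1.0; "TLSv1.0" is the
# spelling used in this worklog. Both are matched (case-insensitively).
DEPRECATED = {"tlsv1", "tlsv1.0", "tlsv1.1"}

# Constructed sample configuration; the names after ':' are made up.
SAMPLE_CONF = """
[metadata_cache:cluster_a]
tls_version=TLSv1.1,TLSv1.2

[metadata_cache:cluster_b]
tls_version=TLSv1.2,TLSv1.3

[routing:rw]
client_ssl_mode=PASSTHROUGH

[routing:ro]
client_ssl_mode=PREFERRED
"""

def audit_router_conf(text):
    """Return (deprecated, passthrough) for a router configuration."""
    # deprecated:  {metadata_cache section: [deprecated entries of tls_version]}
    # passthrough: routing sections where the router does not take part in the
    #              TLS handshake, so the server decides the TLS version.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    deprecated, passthrough = {}, []
    for section in cp.sections():
        kind = section.split(":", 1)[0].strip().lower()
        if kind == "metadata_cache":
            raw = cp.get(section, "tls_version", fallback="")
            hits = [v.strip() for v in raw.split(",") if v.strip().lower() in DEPRECATED]
            if hits:
                deprecated[section] = hits
        elif kind == "routing":
            mode = cp.get(section, "client_ssl_mode", fallback="").strip().upper()
            if mode == "PASSTHROUGH":
                passthrough.append(section)
    return deprecated, passthrough

if __name__ == "__main__":
    dep, pt = audit_router_conf(SAMPLE_CONF)
    for section, versions in dep.items():
        print(f"[{section}] tls_version lists deprecated: {', '.join(versions)}")
    for section in pt:
        print(f"[{section}] PASSTHROUGH: TLS version is decided by the server")
```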

Goal

  • deprecate the use of TLSv1.0 and TLSv1.1 in tls_version in [metadata_cache]

R1

No new warnings are logged by the router if a TLSv1.0 or TLSv1.1 connection is established.