WL#8196: Support for TLSv1.2 Protocol

Affects: Server-Prototype Only   —   Status: Complete

At present MySQL server supports TLSv1 protocol to secure communication between server and client. While we do not offer the downgrade to SSLv3 and thus secure against attacks like POODLE, TLSv1 is vulnerable to BEAST attack. TLSv1.2 offers better protection compared to TLSv1 and an upgrade should be considered.

http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher

Note that TLSv1.2 does not work with all ciphers with RSA key size <= 512 bits as TLSv1.2 handshake is larger than 53 bytes. User need to explicitly mentioned the cipher name when RSA key size <= 512 bits.

Refer: http://openssl.6102.n7.nabble.com/What-is-the-reason-for-error-quot-SSL-negotiation-failed-error-04075070-rsa-routines-RSA-sign-digest-td43953.html

As per http://en.wikipedia.org/wiki/RSA_numbers#RSA-1024, RSA-1024 is not recommended.

Further References:

http://blog.fox-it.com/2011/11/21/rsa-512-certificates-abused-in-the-wild/ http://en.wikipedia.org/wiki/Texas_Instruments_signing_key_controversy

User Documentation

FR1 : MySQL server and libmysqlc, when compiled with OpenSSL 1.0.1, should support TLSv1.0, TLSv1.1 and TLSv1.2 protocols.

FR2 : MySQL server and libmysqlc, when compiled with yaSSL, should support TLSv1.0 and TLSv1.1 protocols.

FR3 : Default value for --ssl-cipher.

Server and client will try to use following ciphers. first cipher in the cipher list will be selected first if supported. cipher selected will be based on tls version negotiated and certificate used.

cipher gets selected when client and server is built with openssl and RSA2048 key certificate is DHE-RSA-AES128-GCM-SHA256.

cipher gets selected when client and server is built with yassl and RSA2048 key certificate is DHE-RSA-AES256-SHA.

First cipher is ECDHE-ECDSA-AES128-GCM-SHA256, but mysql default is DHE-RSA-AES128-GCM-SHA256 because default certificate generated by mysqld doesn't support it.

Default cipher selected depends on certificates and TLS protocol. Please note that this selection is done by openssl/yassl library.

Default cipher list when build with openssl is:

  "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
"ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:"
"DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:"
"ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:"
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:DH-DSS-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:AES256-GCM-SHA384:" 
"DH-DSS-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:AES128-SHA256:DH-DSS-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-SHA256:"
"DH-DSS-AES256-SHA256:ECDH-ECDSA-AES256-SHA384:AES128-SHA:DH-DSS-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES256-SHA:"
"DH-DSS-AES256-SHA:ECDH-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DH-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:DH-RSA-AES256-GCM-SHA384:"
"ECDH-RSA-AES256-GCM-SHA384:DH-RSA-AES128-SHA256:ECDH-RSA-AES128-SHA256:DH-RSA-AES256-SHA256:ECDH-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
"ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:TLS_DHE_DSS_WITH_AES_256_CBC_SHA:" 
"DHE-RSA-AES256-SHA:AES128-SHA:DH-DSS-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES256-SHA:DH-DSS-AES256-SHA:ECDH-ECDSA-AES256-SHA:"
"DH-RSA-AES128-SHA:ECDH-RSA-AES128-SHA:DH-RSA-AES256-SHA:ECDH-RSA-AES256-SHA:DES-CBC3-SHA:"

default cipher list when build with yassl is:

"DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES128-RMD:DES-CBC3-RMD:DHE-RSA-AES256-RMD:DHE-RSA-AES128-RMD:DHE-RSA-DES-CBC3-RMD:AES256-SHA:RC4-SHA:RC4-MD5:" "DES-CBC3-SHA:DES-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:AES128-SHA:AES256-RMD"

FR4: Correct SSL version should be used and displayed. By default (using ssl_version command):

Client and server with openssl: TLSv1.2

Client and server with yassl: TLSv1.1

Client and server mix with openssl and yassl: TLSv1.1

FR5. New server option tls-version will be added. option name: --tls-version permitted values, multiple value will be comma separated:

       TLSv1
       TLSv1.1
       TLSv1.2

FR6. New client option tls-version will be added. option name: --tls-version permitted values, multiple value will be comma separated:

       TLSv1
       TLSv1.1
       TLSv1.2

FR7. default tls version used will be based on client and server ssl negotiation. It will try to connect via most secure tls version which is TLSv1.2. client and server will try to connect with following tls version order:

 TLSv1.2,  TLSv1.1, TLSv1

FR8. Restricted Ciphers.

Following ciphers will be permanently restricted: !DHE-DSS-DES-CBC3-SHA:!DHE-RSA-DES-CBC3-SHA:!ECDH-RSA-DES-CBC3-SHA:!ECDH-ECDSA-DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-ECDSA-DES-CBC3-SHA

Following category of ciphers/ ssl connection will be restricted permanently. !aNULL:!eNULL:!EXPORT:!LOW:!MD5:!DES:!RC2:!RC4:!PSK:!SSLv3

When ciphers from above list is used with compatible certificates, then server will be disabled with ssl.

FR9: New option MYSQL_OPT_TLS_VERSION has been added in the mysql client lib. mysql_options(mysql, MYSQL_OPT_TLS_VERSION, opt_tls_version);

FR10: User need to mention ciphers explicitly when using TLSV1.2 method with certificate having key size <= 512. However ciphers are not needed to be mentioned explicitly when using same certificate with TLSv.1.1 or TLSv1.

List of ciphers with key size <=512 bits which works with tls1.2 protocol is:

AES256-SHA:DHE-RSA-AES256-SHA:AES256-SHA256:CAMELLIA256-SHA:DES-CBC3-SHA:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:RC4-SHA RC4-MD5

NFR1: if RSA key size is more then 512 bits, behavior of all the ciphers will be same as before this work log.