
Commit b0bfd6b

committed
Approved TLS ciphers update
Note: this is still version 3.4 of the approved cipher list; this commit only fixes an error in the previous update.
1 parent 18abadd commit b0bfd6b

3 files changed

+34
-26
lines changed

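--- a/cdk/foundation/tls_ciphers.h
+++ b/cdk/foundation/tls_ciphers.h
@@ -17,11 +17,6 @@
 X("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE-RSA-CHACHA20-POLY1305") \
 X("TLS_ECDHE_ECDSA_WITH_AES_256_CCM", "ECDHE-ECDSA-AES256-CCM") \
 X("TLS_ECDHE_ECDSA_WITH_AES_128_CCM", "ECDHE-ECDSA-AES128-CCM") \
-X("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE-RSA-AES128-GCM-SHA256") \
-X("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "DHE-RSA-AES256-GCM-SHA384") \
-X("TLS_DHE_RSA_WITH_AES_256_CCM", "DHE-RSA-AES256-CCM") \
-X("TLS_DHE_RSA_WITH_AES_128_CCM", "DHE-RSA-AES128-CCM") \
-X("TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "DHE-RSA-CHACHA20-POLY1305") \
 
 #define TLS_CIPHERS_UNACCEPTABLE(X) \
 X("TLS_ECDH_anon_WITH_NULL_SHA", "AECDH-NULL-SHA") \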
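Review bot: Nothing in the header records which revision of the approved list this X-macro table now tracks, so the next maintainer has no way to tell whether the absence of every DHE_RSA suite from the list preceding TLS_CIPHERS_UNACCEPTABLE is deliberate or the "error in previous update" that the commit message mentions. A short comment next to the list, e.g. `// Approved TLS cipher list, revision 3.4 (DHE_RSA suites intentionally absent)`, would pin that down in the file itself rather than only in the commit history. The macro these removed lines belonged to starts outside the hunk, so its name is not visible here. Minor and pre-existing: the trailing backslash on the last X(...) line continues the macro onto the following blank line, which is harmless but easy to trip over when appending entries.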

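--- a/devapi/tests/session-t.cc
+++ b/devapi/tests/session-t.cc
@@ -269,13 +269,15 @@ TEST_F(Sess, tls_ver_ciphers)
 SKIP_IF_NO_XPLUGIN;
 SKIP_IF_SERVER_VERSION_LESS(8, 0, 14)
 
-std::set<std::string> versions = {"TLSv1.1" ,"TLSv1.2"};
+std::set<std::string> versions = {"TLSv1.2", "TLSv1.3"};
 
 // TOOD: Instead, working ciphers should be selected from the current cipher list(s).
 
 std::map<std::string, std::string> suites_map = {
-{ "DHE-RSA-AES128-GCM-SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"},
-{ "DES-CBC3-SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA" }
+// mandatory 1.2 cipher
+{ "ECDHE-RSA-AES128-GCM-SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
+// approved 1.3 cipher
+{ "TLS_AES_128_GCM_SHA256", "TLS_AES_128_GCM_SHA256" }
 };
 
 std::string versions_str;
@@ -329,7 +331,8 @@ TEST_F(Sess, tls_ver_ciphers)
 get_uri() + "/?tls-versions=[TLSv1.1,TLSv1.2]"
 "&tls-ciphersuites=["
 "foo,TLS_DHE_RSA_WITH_DES_CBC_SHA,"
-"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
++ suites_map.begin()->second +
+",TLS_RSA_WITH_3DES_EDE_CBC_SHA"
 "]"
 );
 );
@@ -427,7 +430,7 @@ TEST_F(Sess, tls_ver_ciphers)
 SessionOption::TLS_CIPHERSUITES,
 std::list<string>{
 "foo", "TLS_DHE_RSA_WITH_DES_CBC_SHA",
-"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+suites_map.begin()->second,
 "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
 }
 );
@@ -437,8 +440,8 @@ TEST_F(Sess, tls_ver_ciphers)
 opt.erase(SessionOption::TLS_CIPHERSUITES);
 opt.set(
 SessionOption::TLS_CIPHERSUITES,
-"foo, TLS_DHE_RSA_WITH_DES_CBC_SHA"
-",TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
+"foo, TLS_DHE_RSA_WITH_DES_CBC_SHA,"
++ suites_map.begin()->second +
 ",TLS_RSA_WITH_3DES_EDE_CBC_SHA"
 );
 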
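Review bot: `suites_map.begin()->second` (new lines 334, 433 and 444) picks whichever entry sorts first in the std::map, and it happens to be the ECDHE suite only because "E" orders before "T"; adding any entry with a smaller key silently changes the cipher every one of these cases sends, and the `// mandatory 1.2 cipher` comment would then describe the wrong entry. Naming the entry once makes the intent explicit: `const std::string &cipher_12 = suites_map.at("ECDHE-RSA-AES128-GCM-SHA256");` and use `cipher_12` at those three sites. The same pattern is used in xapi/tests/xapi-t.cc at new lines 2815 and 2932. Note also that `versions` now lists only TLSv1.2 and TLSv1.3 while the URI at line 331 still requests `[TLSv1.1,TLSv1.2]`; presumably intended, but worth confirming the assertions still hold against a server that no longer negotiates TLSv1.1. TEST_F(Sess, tls_ver_ciphers) starts before the first hunk and continues past the last.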
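--- a/xapi/tests/xapi-t.cc
+++ b/xapi/tests/xapi-t.cc
@@ -2727,10 +2727,12 @@ TEST_F(xapi, tls_ver_ciphers)
 printf(ERR); \
 FAIL(); }
 
-std::set<std::string> versions = {"TLSv1.1" ,"TLSv1.2"};
+std::set<std::string> versions = {"TLSv1.2" ,"TLSv1.3"};
 std::map<std::string, std::string> suites_map = {
-{ "DHE-RSA-AES128-GCM-SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"},
-{ "DES-CBC3-SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA" }
+// mandatory 1.2 cipher
+{ "ECDHE-RSA-AES128-GCM-SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
+// approved 1.3 cipher
+{ "TLS_AES_128_GCM_SHA256", "TLS_AES_128_GCM_SHA256" }
 };
 
 std::string versions_str;
@@ -2807,6 +2809,11 @@ TEST_F(xapi, tls_ver_ciphers)
 mysqlx_session_options_t *opt = mysqlx_session_options_new();
 mysqlx_session_t *sess;
 mysqlx_error_t *error = NULL;
+// Note: make sure that one of the ciphers is acceptable
+string suites =
+" DHE-RSA-AES128-GCM-SHA256 , \t\n"
++ suites_map.begin()->second + " ";
+const char * suites_str = suites.c_str();
 
 // Test parsing of comma separated list values
 
@@ -2818,7 +2825,7 @@ TEST_F(xapi, tls_ver_ciphers)
 OPT_PWD(get_password()),
 OPT_SSL_MODE(SSL_MODE_REQUIRED),
 OPT_TLS_VERSIONS("\t TLSv1.1,\n TLSv1.2 "),
-OPT_TLS_CIPHERSUITES(" DHE-RSA-AES128-GCM-SHA256 , \t\nTLS_DHE_RSA_WITH_AES_128_GCM_SHA256 "),
+OPT_TLS_CIPHERSUITES(suites_str),
 PARAM_END
 ));
 
@@ -2835,7 +2842,7 @@ TEST_F(xapi, tls_ver_ciphers)
 OPT_PWD(get_password()),
 OPT_SSL_MODE(SSL_MODE_REQUIRED),
 OPT_TLS_VERSIONS(""),
-OPT_TLS_CIPHERSUITES(" DHE-RSA-AES128-GCM-SHA256 , \t\nTLS_DHE_RSA_WITH_AES_128_GCM_SHA256 "),
+OPT_TLS_CIPHERSUITES(suites_str),
 PARAM_END
 ));
 
@@ -2866,7 +2873,7 @@ TEST_F(xapi, tls_ver_ciphers)
 OPT_PWD(get_password()),
 OPT_SSL_MODE(SSL_MODE_REQUIRED),
 OPT_TLS_VERSIONS("SSLv1"),
-OPT_TLS_CIPHERSUITES(" DHE-RSA-AES128-GCM-SHA256 , \t\nTLS_DHE_RSA_WITH_AES_128_GCM_SHA256 "),
+OPT_TLS_CIPHERSUITES(suites_str),
 PARAM_END
 ));
 
@@ -2886,7 +2893,7 @@ TEST_F(xapi, tls_ver_ciphers)
 OPT_PWD(get_password()),
 OPT_SSL_MODE(SSL_MODE_REQUIRED),
 OPT_TLS_VERSIONS("foo"),
-OPT_TLS_CIPHERSUITES(" DHE-RSA-AES128-GCM-SHA256 , \t\nTLS_DHE_RSA_WITH_AES_128_GCM_SHA256 "),
+OPT_TLS_CIPHERSUITES(suites_str),
 PARAM_END
 ));
 
@@ -2919,6 +2926,12 @@ TEST_F(xapi, tls_ver_ciphers)
 EXPECT_EQ(NULL, sess);
 
 // Some ciphers invalid, but some are OK
+
+string suites1 =
+"foo,TLS_DHE_RSA_WITH_DES_CBC_SHA,"
++ suites_map.begin()->second +
+",TLS_RSA_WITH_3DES_EDE_CBC_SHA";
+
 mysqlx_free_options(opt);
 opt = mysqlx_session_options_new();
 EXPECT_EQ(RESULT_OK, mysqlx_session_option_set(
@@ -2929,10 +2942,7 @@ TEST_F(xapi, tls_ver_ciphers)
 OPT_PWD(get_password()),
 OPT_SSL_MODE(SSL_MODE_REQUIRED),
 OPT_TLS_VERSIONS("TLSv1.1,TLSv1.2"),
-OPT_TLS_CIPHERSUITES(
-"foo,TLS_DHE_RSA_WITH_DES_CBC_SHA,"
-"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
-),
+OPT_TLS_CIPHERSUITES(suites1.c_str()),
 PARAM_END
 ));
 
@@ -2956,7 +2966,7 @@ TEST_F(xapi, tls_ver_ciphers)
 OPT_SSL_MODE(SSL_MODE_REQUIRED),
 OPT_TLS_VERSIONS("TLSv1.1"),
 OPT_TLS_VERSIONS("TLSv1.2"),
-OPT_TLS_CIPHERSUITES(" DHE-RSA-AES128-GCM-SHA256 , \t\nTLS_DHE_RSA_WITH_AES_128_GCM_SHA256 "),
+OPT_TLS_CIPHERSUITES(suites_str),
 PARAM_END
 ));
 
@@ -2970,8 +2980,8 @@ TEST_F(xapi, tls_ver_ciphers)
 OPT_PWD(get_password()),
 OPT_SSL_MODE(SSL_MODE_REQUIRED),
 OPT_TLS_VERSIONS("TLSv1.1"),
-OPT_TLS_CIPHERSUITES(" DHE-RSA-AES128-GCM-SHA256 , \t\nTLS_DHE_RSA_WITH_AES_128_GCM_SHA256 "),
-OPT_TLS_CIPHERSUITES(" DHE-RSA-AES128-GCM-SHA256 , \t\nTLS_DHE_RSA_WITH_AES_128_GCM_SHA256 "),
+OPT_TLS_CIPHERSUITES(suites_str),
+OPT_TLS_CIPHERSUITES(suites_str),
 PARAM_END
 ));
 mysqlx_free(opt);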
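Review bot: `suites_str` (new line 2816) is a raw pointer into `suites` that is reused by five later option sets (2828, 2845, 2876, 2896, 2969, 2983–2984), so it stays valid only as long as `suites` is neither reassigned nor destroyed in between; declaring it `const string suites = ...` lets the compiler enforce that instead of leaving it to a reader of the whole test. The note at 2812 would be more useful if it said which half is the acceptable one, e.g. `// Note: the suites_map entry is an acceptable cipher; DHE-RSA-AES128-GCM-SHA256 is kept as one that presumably no longer is (see tls_ciphers.h in this commit)`, since the header hunk in this same commit drops the DHE-RSA suites. TEST_F(xapi, tls_ver_ciphers) starts before the first hunk and continues past the last.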
