WL14816: Remove support for TLS 1.0 and 1.1

silvakid · silvakid · commit 33f2a7271a06 · 2021-10-09T08:23:31.000+01:00
diff --git a/driver/mysql_connection.cpp b/driver/mysql_connection.cpp
@@ -301,7 +301,7 @@ static const String2IntMap stringOptions[]=
     {OPT_READ_DEFAULT_FILE,    MYSQL_READ_DEFAULT_FILE, false},
     {OPT_CHARSET_NAME,         MYSQL_SET_CHARSET_NAME, true},
 #if MYCPPCONN_STATIC_MYSQL_VERSION_ID >= 50700
-    {OPT_TLS_VERSION,          MYSQL_OPT_TLS_VERSION, false},
+    {OPT_TLS_VERSION,          MYSQL_OPT_TLS_VERSION, true},
 #endif
     {OPT_LOAD_DATA_LOCAL_DIR, MYSQL_OPT_LOAD_DATA_LOCAL_DIR, false}
   };
@@ -755,6 +755,23 @@ void MySQL_Connection::init(ConnectOptionsMap & properties)
         throw sql::InvalidArgumentException("No string value passed for sslCipher");
       }
       ssl_used = true;
+    } else if (!it->first.compare(OPT_TLS_VERSION)) {
+      try {
+        p_s = (it->second).get< sql::SQLString >();
+      } catch (sql::InvalidArgumentException&) {
+        throw sql::InvalidArgumentException("Wrong type passed for OPT_TLS_VERSION expected sql::SQLString");
+      }
+      if (p_s) {
+        try {
+          proxy->options(sql::mysql::MYSQL_OPT_TLS_VERSION, *p_s);
+        }  catch (const sql::InvalidArgumentException&) {
+          //We will not throw error here, but wait for connection error
+          //libmysqlclient treats not valid TLS versions as invalid options.
+        }
+
+      } else {
+        throw sql::InvalidArgumentException("No string value passed for OPT_TLS_VERSION");
+      }
     } else if (!it->first.compare(OPT_DEFAULT_STMT_RESULT_TYPE)) {
       try {
         p_i = (it->second).get< int >();
@@ -1103,7 +1120,13 @@ void MySQL_Connection::init(ConnectOptionsMap & properties)
                        " the password with mysql client that is capable to do that,"
                        " or rebuild your instance of Connector/C++ against mysql client"
                        " library that supports resetting of an expired password.";
-      } else {
+      } else if(native_error == CR_SSL_CONNECTION_ERROR){
+        error_message= proxy->error();
+        if(error_message.find("TLS version") != std::string::npos)
+        {
+          error_message+=", valid versions are: TLSv1.2, TLSv1.3";
+        }
+      }else {
         error_message= proxy->error();
       }
 
diff --git a/test/unit/classes/connection.cpp b/test/unit/classes/connection.cpp
@@ -3572,6 +3572,21 @@ void connection::tls_version()
 
   connection_properties["OPT_SSL_MODE"] = sql::SSL_MODE_REQUIRED;
 
+  // Using ALL TLS version... should connect
+  connection_properties["OPT_TLS_VERSION"] = tls_available;
+
+  created_objects.clear();
+  try
+  {
+    con.reset(driver->connect(connection_properties));
+  }
+  catch (sql::SQLException &)
+  {
+    FAIL("ALL TLS available versions used and still can't connect!");
+  }
+
+
+
   // Using wrong TLS version... should fail to connect
   connection_properties["OPT_TLS_VERSION"] = sql::SQLString("TLSv999");
 
@@ -3587,6 +3602,8 @@ void connection::tls_version()
   }
 
 
+
+
   for (std::vector<std::string>::const_iterator version = tls_versions.begin();
        version != tls_versions.end();
        ++version)
@@ -3882,5 +3899,59 @@ void connection::mfa()
 
 }
 
+void connection::tls_deprecation()
+{
+  sql::ConnectOptionsMap opt;
+  opt[OPT_HOSTNAME]=url;
+  opt[OPT_USERNAME]=user;
+  opt[OPT_PASSWORD]=passwd;
+  opt[OPT_SSL_MODE]=sql::SSL_MODE_REQUIRED;
+
+  struct TEST_CASES
+  {
+    const std::string& tls_versions;
+    bool succeed;
+  };
+
+  TEST_CASES test_cases[] =
+  {
+    {"TLSv1.1,TLSv1.2" ,true },
+    {"foo,TLSv1.3"     ,true },
+    {"TLSv1.0,TLSv1.1" ,false},
+    {"foo,TLSv1.1"     ,false},
+    {"foo,bar"         ,false},
+    {""                ,false}
+  };
+
+  for(auto test : test_cases)
+  {
+    logMsg(test.tls_versions);
+    opt[OPT_TLS_VERSION] = test.tls_versions;
+    try {
+      Connection test_connection(driver->connect(opt));
+      if(!test.succeed)
+      {
+        std::stringstream err;
+        err << "TLS versions (" << test.tls_versions << ") SHOULD THROW EXCEPTION";
+        FAIL(err.str());
+      }
+      stmt.reset(test_connection->createStatement());
+      res.reset(stmt->executeQuery("select @@version"));
+
+      res->next();
+      std::string version = res->getString(1);
+
+      logMsg(std::string("Server Version ")+version);
+
+    }  catch (sql::SQLException &e) {
+      logMsg(e.what());
+      ASSERT_EQUALS(false, test.succeed);
+      ASSERT_EQUALS(2026, e.getErrorCode());
+      ASSERT_EQUALS("SSL connection error: TLS version is invalid, valid versions are: TLSv1.2, TLSv1.3", e.what());
+    }
+  }
+
+}
+
 } /* namespace connection */
 } /* namespace testsuite */
diff --git a/test/unit/classes/connection.h b/test/unit/classes/connection.h
@@ -92,6 +92,7 @@ class connection : public unit_fixture
   TEST_CASE(socket);
   TEST_CASE(dns_srv);
   TEST_CASE(mfa);
+  TEST_CASE(tls_deprecation);
   }
 
   /**
@@ -290,6 +291,12 @@ class connection : public unit_fixture
    */
   void mfa();
 
+  /*
+   * Test of MySQL_Connection::tls_deprecation()
+   *
+   */
+  void tls_deprecation();
+
 
 };
 
