
[CONJ-639] enabledSslProtocolSuites now permit TLSv1.2 by default

This was initially due to MDEV-12190: server builds with yaSSL did not handle the version in the hello packet correctly when using TLSv1.2 (no problem when using OpenSSL).
This is now corrected on the MariaDB server side for all versions. It can still cause issues with old MySQL server versions using yaSSL.

(cherry picked from commit 89c9e5d)
rusher committed Sep 3, 2018
1 parent 0b94b90 commit 8b8f9e102bd0673d6a8aa314b9eeba8267dd4834
@@ -137,7 +137,9 @@ See [[use-mariadb-connector-j-driver.creole#using-pooling|using pooling]] for mo
|=keyPassword|Password for the private key in client certificate keyStore. (only needed if private key password differ from keyStore password).\\//Since 1.5.3//|
|=trustStore|File path of the trustStore file (similar to java System property "javax.net.ssl.trustStore"). (legacy alias trustCertificateKeyStoreUrl)\\Use the specified file for trusted root certificates.\\When set, overrides serverSslCert.\\//Since 1.3.4//|
|=trustStorePassword|Password for the trusted root certificate file (similar to java System property "javax.net.ssl.trustStorePassword").\\(legacy alias trustCertificateKeyStorePassword).\\//Since 1.3.4//|
|=enabledSslProtocolSuites|Force TLS/SSL protocol to a specific set of TLS versions (comma separated list). \\Example : "TLSv1, TLSv1.1, TLSv1.2"\\//Default: TLSv1, TLSv1.1. Since 1.5.0//|
|=enabledSslProtocolSuites|Force TLS/SSL protocol to a specific set of TLS versions (comma separated list). \\Example :
"TLSv1, TLSv1.1, TLSv1.2"\\//Default: TLSv1, TLSv1.1" before 1.8.0, "TLSv1, TLSv1.1, TLSv1.2" since v1.8.0". Since 1.5
.0//|
|=enabledSslCipherSuites|Force TLS/SSL cipher (comma separated list).\\ Example : "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384"\\//Default: use JRE ciphers. Since 1.5.0//|

\\
@@ -52,6 +52,45 @@

package org.mariadb.jdbc.internal.protocol;

import static org.mariadb.jdbc.internal.com.Packet.COM_QUERY;
import static org.mariadb.jdbc.internal.com.Packet.EOF;
import static org.mariadb.jdbc.internal.com.Packet.ERROR;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketException;
import java.net.URL;
import java.nio.charset.Charset;
import java.security.GeneralSecurityException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.SQLNonTransientConnectionException;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.TimeZone;
import java.util.TreeMap;
import java.util.concurrent.locks.ReentrantLock;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.mariadb.jdbc.HostAddress;
import org.mariadb.jdbc.MariaDbConnection;
import org.mariadb.jdbc.UrlParser;
@@ -61,8 +100,11 @@
import org.mariadb.jdbc.internal.com.read.OkPacket;
import org.mariadb.jdbc.internal.com.read.ReadInitialHandShakePacket;
import org.mariadb.jdbc.internal.com.read.dao.Results;
import org.mariadb.jdbc.internal.com.read.resultset.SelectResultSet;
import org.mariadb.jdbc.internal.com.send.*;
import org.mariadb.jdbc.internal.com.send.InterfaceAuthSwitchSendResponsePacket;
import org.mariadb.jdbc.internal.com.send.SendClosePacket;
import org.mariadb.jdbc.internal.com.send.SendHandshakeResponsePacket;
import org.mariadb.jdbc.internal.com.send.SendOldPasswordAuthPacket;
import org.mariadb.jdbc.internal.com.send.SendSslConnectionRequestPacket;
import org.mariadb.jdbc.internal.failover.FailoverProxy;
import org.mariadb.jdbc.internal.io.LruTraceCache;
import org.mariadb.jdbc.internal.io.input.DecompressPacketInputStream;
@@ -87,30 +129,6 @@
import org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper;
import org.mariadb.jdbc.internal.util.pool.GlobalStateInfo;

import javax.net.ssl.*;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketException;
import java.net.URL;
import java.nio.charset.Charset;
import java.security.GeneralSecurityException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.SQLNonTransientConnectionException;
import java.util.*;
import java.util.concurrent.locks.ReentrantLock;

import static org.mariadb.jdbc.internal.com.Packet.*;

public abstract class AbstractConnectProtocol implements Protocol {
private static final byte[] SESSION_QUERY = ("SELECT @@max_allowed_packet,"
+ "@@system_time_zone,"
@@ -1225,7 +1243,7 @@ public int getMinorServerVersion() {
*/
private void enabledSslProtocolSuites(SSLSocket sslSocket) throws SQLException {
if (options.enabledSslProtocolSuites == null) {
sslSocket.setEnabledProtocols(new String[]{"TLSv1", "TLSv1.1"});
sslSocket.setEnabledProtocols(new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"});
} else {
List<String> possibleProtocols = Arrays.asList(sslSocket.getSupportedProtocols());
String[] protocols = options.enabledSslProtocolSuites.split("[,;\\s]+");
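Review bot: The new default on the line `sslSocket.setEnabledProtocols(new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"});` is still a hard-coded list that is never intersected with `sslSocket.getSupportedProtocols()`, whereas the explicit-option branch just below starts from `possibleProtocols` for exactly that purpose; per the SSLSocket Javadoc, setEnabledProtocols throws IllegalArgumentException when any named protocol is not supported by the JRE, so a runtime that has dropped one of these names would fail the connection instead of negotiating with the remaining versions. The default also keeps TLSv1 and TLSv1.1 enabled alongside TLSv1.2, so the reason they remain (compatibility with older servers, as the commit message suggests) should be stated where the default is chosen rather than left implicit. Consider hoisting `possibleProtocols` above the branch and filtering the default array through it, and updating the Javadoc of enabledSslProtocolSuites (which begins above this hunk) to say that the default is `TLSv1, TLSv1.1, TLSv1.2` since 1.8.0, matching the documentation hunk earlier in this commit.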
