Reverted remove of TLSv1.0 protocol

TLSv1.0 protocol was removed by mistake in commit e4e5b28
mariadb-corporation · Jun 8, 2021 · 971489f · 971489f
1 parent ab84821
commit 971489f
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 9 deletions.
diff --git a/libmariadb/secure/gnutls.c b/libmariadb/secure/gnutls.c
@@ -1019,6 +1019,8 @@ static size_t ma_gnutls_get_protocol_version(const char *tls_version_option,
     goto end;
 
 
+  if (strstr(tls_version_option, "TLSv1.0"))
+    strcat(tls_versions, ":+VERS-TLS1.0");
   if (strstr(tls_version_option, "TLSv1.1"))
     strcat(tls_versions, ":+VERS-TLS1.1");
   if (strstr(tls_version_option, "TLSv1.2"))
@@ -1031,7 +1033,7 @@ static size_t ma_gnutls_get_protocol_version(const char *tls_version_option,
   if (tls_versions[0])
     snprintf(priority_string, prio_len - 1, "-VERS-TLS-ALL%s:NORMAL", tls_versions);
   else
-    strncpy(priority_string, "NORMAL:+VERS-ALL:-VERS-TLSv1.0", prio_len - 1);
+    strncpy(priority_string, "NORMAL:+VERS-ALL", prio_len - 1);
   return strlen(priority_string);
 }
 

diff --git a/libmariadb/secure/openssl.c b/libmariadb/secure/openssl.c
@@ -103,6 +103,8 @@ static long ma_tls_version_options(const char *version)
   if (!version)
     return 0;
 
+  if (strstr(version, "TLSv1.0"))
+    protocol_options&= ~SSL_OP_NO_TLSv1;
   if (strstr(version, "TLSv1.1"))
     protocol_options&= ~SSL_OP_NO_TLSv1_1;
   if (strstr(version, "TLSv1.2"))
@@ -441,10 +443,10 @@ void *ma_tls_init(MYSQL *mysql)
 {
   SSL *ssl= NULL;
   SSL_CTX *ctx= NULL;
-  long options= SSL_OP_ALL |
-                SSL_OP_NO_SSLv2 |
-                SSL_OP_NO_SSLv3 |
-                SSL_OP_NO_TLSv1;
+  long default_options= SSL_OP_ALL |
+                        SSL_OP_NO_SSLv2 |
+                        SSL_OP_NO_SSLv3;
+  long options= 0;
   pthread_mutex_lock(&LOCK_openssl_config);
 
   #if OPENSSL_VERSION_NUMBER >= 0x10100000L
@@ -453,10 +455,9 @@ void *ma_tls_init(MYSQL *mysql)
   if (!(ctx= SSL_CTX_new(SSLv23_client_method())))
 #endif
     goto error;
-  if (mysql->options.extension)
-    options|= ma_tls_version_options(mysql->options.extension->tls_version);
-  SSL_CTX_set_options(ctx, options);
-
+  if (mysql->options.extension) 
+    options= ma_tls_version_options(mysql->options.extension->tls_version);
+  SSL_CTX_set_options(ctx, options ? options : default_options);
 
   if (ma_tls_set_certs(mysql, ctx))
   {