WL#14805, Remove support for TLS 1.0 and 1.1.

Author: soklakov

CHANGES

@@ -3,6 +3,8 @@
 
 Version 8.0.28
 
+  - WL#14805, Remove support for TLS 1.0 and 1.1.
+
   - WL#14650, Support for MFA (multi factor authentication) authentication.
 
 Version 8.0.27

src/main/core-api/java/com/mysql/cj/conf/PropertyDefinitions.java

@@ -361,11 +361,11 @@ public enum DatabaseTerm {
                 new BooleanPropertyDefinition(PropertyKey.fallbackToSystemKeyStore, DEFAULT_VALUE_TRUE, RUNTIME_MODIFIABLE,
                         Messages.getString("ConnectionProperties.fallbackToSystemKeyStore"), "8.0.22", CATEGORY_SECURITY, 12),
 
-                new StringPropertyDefinition(PropertyKey.enabledSSLCipherSuites, DEFAULT_VALUE_NULL_STRING, RUNTIME_MODIFIABLE,
-                        Messages.getString("ConnectionProperties.enabledSSLCipherSuites"), "5.1.35", CATEGORY_SECURITY, 13),
+                new StringPropertyDefinition(PropertyKey.tlsCiphersuites, DEFAULT_VALUE_NULL_STRING, RUNTIME_MODIFIABLE,
+                        Messages.getString("ConnectionProperties.tlsCiphersuites"), "5.1.35", CATEGORY_SECURITY, 13),
 
-                new StringPropertyDefinition(PropertyKey.enabledTLSProtocols, DEFAULT_VALUE_NULL_STRING, RUNTIME_MODIFIABLE,
-                        Messages.getString("ConnectionProperties.enabledTLSProtocols"), "8.0.8", CATEGORY_SECURITY, 14),
+                new StringPropertyDefinition(PropertyKey.tlsVersions, DEFAULT_VALUE_NULL_STRING, RUNTIME_MODIFIABLE,
+                        Messages.getString("ConnectionProperties.tlsVersions"), "8.0.8", CATEGORY_SECURITY, 14),
 
                 new BooleanPropertyDefinition(PropertyKey.allowLoadLocalInfile, DEFAULT_VALUE_FALSE, RUNTIME_MODIFIABLE,
                         Messages.getString("ConnectionProperties.loadDataLocal"), "3.0.3", CATEGORY_SECURITY, Integer.MAX_VALUE),

src/main/core-api/java/com/mysql/cj/conf/PropertyKey.java

@@ -115,8 +115,6 @@ public enum PropertyKey {
     emptyStringsConvertToZero("emptyStringsConvertToZero", true), //
     emulateLocators("emulateLocators", true), //
     emulateUnsupportedPstmts("emulateUnsupportedPstmts", true), //
-    enabledSSLCipherSuites("enabledSSLCipherSuites", true), //
-    enabledTLSProtocols("enabledTLSProtocols", true), //
     enableEscapeProcessing("enableEscapeProcessing", true), //
     enablePacketDebug("enablePacketDebug", true), //
     enableQueryTimeouts("enableQueryTimeouts", true), //
@@ -225,6 +223,8 @@ public enum PropertyKey {
     tcpSndBuf("tcpSndBuf", true), //
     tcpTrafficClass("tcpTrafficClass", true), //
     tinyInt1isBit("tinyInt1isBit", true), //
+    tlsCiphersuites("tlsCiphersuites", "enabledSSLCipherSuites", true), //
+    tlsVersions("tlsVersions", "enabledTLSProtocols", true), //
     traceProtocol("traceProtocol", true), //
     trackSessionState("trackSessionState", true), //
     transformedBitIsBoolean("transformedBitIsBoolean", true), //

src/main/core-impl/java/com/mysql/cj/protocol/ExportControlled.java

@@ -92,17 +92,16 @@
 import com.mysql.cj.conf.PropertyDefinitions.SslMode;
 import com.mysql.cj.conf.PropertyKey;
 import com.mysql.cj.conf.PropertySet;
+import com.mysql.cj.conf.RuntimeProperty;
 import com.mysql.cj.exceptions.CJCommunicationsException;
 import com.mysql.cj.exceptions.ExceptionFactory;
 import com.mysql.cj.exceptions.ExceptionInterceptor;
 import com.mysql.cj.exceptions.FeatureNotAvailableException;
 import com.mysql.cj.exceptions.RSAException;
 import com.mysql.cj.exceptions.SSLParamsException;
-import com.mysql.cj.exceptions.WrongArgumentException;
 import com.mysql.cj.log.Log;
 import com.mysql.cj.util.Base64Decoder;
 import com.mysql.cj.util.StringUtils;
-import com.mysql.cj.util.Util;
 
 /**
  * Holds functionality that falls under export-control regulations.
@@ -112,7 +111,8 @@ public class ExportControlled {
     private static final String TLSv1_1 = "TLSv1.1";
     private static final String TLSv1_2 = "TLSv1.2";
     private static final String TLSv1_3 = "TLSv1.3";
-    private static final String[] TLS_PROTOCOLS = new String[] { TLSv1_3, TLSv1_2, TLSv1_1, TLSv1 };
+    private static final String[] KNOWN_TLS_PROTOCOLS = new String[] { TLSv1_3, TLSv1_2, TLSv1_1, TLSv1 };
+    private static final String[] VALID_TLS_PROTOCOLS = new String[] { TLSv1_3, TLSv1_2 };
 
     private static final String TLS_SETTINGS_RESOURCE = "/com/mysql/cj/TlsSettings.properties";
     private static final List<String> ALLOWED_CIPHERS = new ArrayList<>();
@@ -150,7 +150,7 @@ public static boolean enabled() {
     }
 
     private static String[] getAllowedCiphers(PropertySet pset, List<String> socketCipherSuites) {
-        String enabledSSLCipherSuites = pset.getStringProperty(PropertyKey.enabledSSLCipherSuites).getValue();
+        String enabledSSLCipherSuites = pset.getStringProperty(PropertyKey.tlsCiphersuites).getValue();
         Stream<String> filterStream = StringUtils.isNullOrEmpty(enabledSSLCipherSuites) ? socketCipherSuites.stream()
                 : Arrays.stream(enabledSSLCipherSuites.split("\\s*,\\s*")).filter(socketCipherSuites::contains);
 
@@ -165,54 +165,66 @@ private static String[] getAllowedCiphers(PropertySet pset, List<String> socketC
         return allowedCiphers.toArray(new String[] {});
     }
 
-    private static String[] getAllowedProtocols(PropertySet pset, ServerVersion serverVersion, String[] socketProtocols) {
-        String[] tryProtocols = null;
+    private static String[] getAllowedProtocols(PropertySet pset, @SuppressWarnings("unused") ServerVersion serverVersion, String[] socketProtocols) {
+        List<String> tryProtocols = null;
 
-        // If enabledTLSProtocols configuration option is set, overriding the default TLS version restrictions.
-        // This allows enabling TLSv1.2 for self-compiled MySQL versions supporting it, as well as the ability
-        // for users to restrict TLS connections to approved protocols (e.g., prohibiting TLSv1) on the client side.
-        String enabledTLSProtocols = pset.getStringProperty(PropertyKey.enabledTLSProtocols).getValue();
-        if (enabledTLSProtocols != null && enabledTLSProtocols.length() > 0) {
-            tryProtocols = enabledTLSProtocols.split("\\s*,\\s*");
-        }
-        // It is problematic to enable TLSv1.2 on the client side when the server is compiled with yaSSL. When client attempts to connect with
-        // TLSv1.2 yaSSL just closes the socket instead of re-attempting handshake with lower TLS version. So here we allow all protocols only
-        // for server versions which are known to be compiled with OpenSSL.
-        else if (serverVersion == null) {
-            // X Protocol doesn't provide server version, but we prefer to use most recent TLS version, though it also means that X Protocol
-            // connection to old MySQL 5.7 GPL releases will fail by default, user must use enabledTLSProtocols=TLSv1.1 to connect them.
-            tryProtocols = TLS_PROTOCOLS;
-        } else if (serverVersion.meetsMinimum(new ServerVersion(5, 7, 28))
-                || serverVersion.meetsMinimum(new ServerVersion(5, 6, 46)) && !serverVersion.meetsMinimum(new ServerVersion(5, 7, 0))
-                || serverVersion.meetsMinimum(new ServerVersion(5, 6, 0)) && Util.isEnterpriseEdition(serverVersion.toString())) {
-            tryProtocols = TLS_PROTOCOLS;
+        RuntimeProperty<String> tlsVersions = pset.getStringProperty(PropertyKey.tlsVersions);
+        if (tlsVersions != null && tlsVersions.isExplicitlySet()) {
+            // If tlsVersions configuration option is set then override the default TLS versions restriction.
+            if (tlsVersions.getValue() == null) {
+                throw ExceptionFactory.createException(SSLParamsException.class,
+                        "Specified list of TLS versions is empty. Accepted values are TLSv1.2 and TLSv1.3.");
+            }
+            tryProtocols = getValidProtocols(tlsVersions.getValue().split("\\s*,\\s*"));
         } else {
-            // allow only TLSv1 and TLSv1.1 for other server versions by default
-            tryProtocols = new String[] { TLSv1_1, TLSv1 };
+            tryProtocols = new ArrayList<>(Arrays.asList(VALID_TLS_PROTOCOLS));
         }
 
-        List<String> configuredProtocols = new ArrayList<>(Arrays.asList(tryProtocols));
         List<String> jvmSupportedProtocols = Arrays.asList(socketProtocols);
-
         List<String> allowedProtocols = new ArrayList<>();
-        for (String protocol : TLS_PROTOCOLS) {
-            if (jvmSupportedProtocols.contains(protocol) && configuredProtocols.contains(protocol)) {
+        for (String protocol : tryProtocols) {
+            if (jvmSupportedProtocols.contains(protocol)) {
                 allowedProtocols.add(protocol);
             }
         }
         return allowedProtocols.toArray(new String[0]);
-
     }
 
-    public static void checkValidProtocols(List<String> protocols) {
-        List<String> validProtocols = Arrays.asList(TLS_PROTOCOLS);
-        for (String protocol : protocols) {
-            if (!validProtocols.contains(protocol)) {
-                throw ExceptionFactory.createException(WrongArgumentException.class,
-                        "'" + protocol + "' not recognized as a valid TLS protocol version (should be one of "
-                                + Arrays.stream(TLS_PROTOCOLS).collect(Collectors.joining(", ")) + ").");
+    private static List<String> getValidProtocols(String[] protocols) {
+
+        List<String> requestedProtocols = Arrays.stream(protocols).filter(p -> !StringUtils.isNullOrEmpty(p.trim())).collect(Collectors.toList());
+        if (requestedProtocols.size() == 0) {
+            throw ExceptionFactory.createException(SSLParamsException.class,
+                    "Specified list of TLS versions is empty. Accepted values are TLSv1.2 and TLSv1.3.");
+        }
+
+        List<String> sanitizedProtocols = new ArrayList<>();
+        for (String protocol : KNOWN_TLS_PROTOCOLS) {
+            if (requestedProtocols.contains(protocol)) {
+                sanitizedProtocols.add(protocol);
             }
         }
+        if (sanitizedProtocols.size() == 0) {
+            throw ExceptionFactory.createException(SSLParamsException.class,
+                    "Specified list of TLS versions only contains non valid TLS protocols. Accepted values are TLSv1.2 and TLSv1.3.");
+        }
+
+        List<String> validProtocols = new ArrayList<>();
+        for (String protocol : VALID_TLS_PROTOCOLS) {
+            if (sanitizedProtocols.contains(protocol)) {
+                validProtocols.add(protocol);
+            }
+        }
+        if (validProtocols.size() == 0) {
+            throw ExceptionFactory.createException(SSLParamsException.class,
+                    "TLS protocols TLSv1 and TLSv1.1 are not supported. Accepted values are TLSv1.2 and TLSv1.3.");
+        }
+
+        return validProtocols;
+    }
+
+    public static void checkValidProtocols(List<String> protocols) {
+        getValidProtocols(protocols.toArray(new String[0]));
     }
 
     private static class KeyStoreConf {
@@ -333,14 +345,6 @@ public static Socket performTlsHandshake(Socket rawSocket, SocketConnection sock
         }
 
         sslSocket.startHandshake();
-
-        if (log != null) {
-            String tlsVersion = sslSocket.getSession().getProtocol();
-            if (TLSv1.equalsIgnoreCase(tlsVersion) || TLSv1_1.equalsIgnoreCase(tlsVersion)) {
-                log.logWarn("This connection is using " + tlsVersion + " which is now deprecated and will be removed in a future release of Connector/J.");
-            }
-        }
-
         return sslSocket;
     }
 

src/main/protocol-impl/java/com/mysql/cj/protocol/x/XProtocol.java

@@ -366,38 +366,28 @@ public void beforeHandshake() {
         }
 
         RuntimeProperty<String> xdevapiTlsVersions = this.propertySet.getStringProperty(PropertyKey.xdevapiTlsVersions);
-        RuntimeProperty<String> jdbcEnabledTlsProtocols = this.propertySet.getStringProperty(PropertyKey.enabledTLSProtocols);
+        RuntimeProperty<String> jdbcEnabledTlsProtocols = this.propertySet.getStringProperty(PropertyKey.tlsVersions);
         if (xdevapiTlsVersions.isExplicitlySet()) {
             if (sslMode.getValue() == SslMode.DISABLED) {
                 throw ExceptionFactory.createException(WrongArgumentException.class,
                         "Option '" + PropertyKey.xdevapiTlsVersions.getKeyName() + "' can not be specified when SSL connections are disabled.");
             }
-            if (xdevapiTlsVersions.getValue().trim().isEmpty()) {
-                throw ExceptionFactory.createException(WrongArgumentException.class,
-                        "At least one TLS protocol version must be specified in '" + PropertyKey.xdevapiTlsVersions.getKeyName() + "' list.");
-            }
 
             String[] tlsVersions = xdevapiTlsVersions.getValue().split("\\s*,\\s*");
             List<String> tryProtocols = Arrays.asList(tlsVersions);
             ExportControlled.checkValidProtocols(tryProtocols);
             jdbcEnabledTlsProtocols.setValue(xdevapiTlsVersions.getValue());
-
-        } else if (!jdbcEnabledTlsProtocols.isExplicitlySet()) {
-            jdbcEnabledTlsProtocols.setValue(xdevapiTlsVersions.getValue());
         }
 
         RuntimeProperty<String> xdevapiTlsCiphersuites = this.propertySet.getStringProperty(PropertyKey.xdevapiTlsCiphersuites);
-        RuntimeProperty<String> jdbcEnabledSslCipherSuites = this.propertySet.getStringProperty(PropertyKey.enabledSSLCipherSuites);
+        RuntimeProperty<String> jdbcEnabledSslCipherSuites = this.propertySet.getStringProperty(PropertyKey.tlsCiphersuites);
         if (xdevapiTlsCiphersuites.isExplicitlySet()) {
             if (sslMode.getValue() == SslMode.DISABLED) {
                 throw ExceptionFactory.createException(WrongArgumentException.class,
                         "Option '" + PropertyKey.xdevapiTlsCiphersuites.getKeyName() + "' can not be specified when SSL connections are disabled.");
             }
 
             jdbcEnabledSslCipherSuites.setValue(xdevapiTlsCiphersuites.getValue());
-
-        } else if (!jdbcEnabledSslCipherSuites.isExplicitlySet()) {
-            jdbcEnabledSslCipherSuites.setValue(xdevapiTlsCiphersuites.getValue());
         }
 
         boolean verifyServerCert = sslMode.getValue() == SslMode.VERIFY_CA || sslMode.getValue() == SslMode.VERIFY_IDENTITY;
@@ -425,7 +415,7 @@ public void beforeHandshake() {
             }
         }
 
-        if (xdevapiSslMode.getValue() != XdevapiSslMode.DISABLED) {
+        if (jdbcSslMode.getValue() != SslMode.DISABLED) {
             negotiateSSLConnection();
         }