
[MDEV-33834] Extend audit plugin to include tls_version and tls_version_length variables

Open keeper opened this issue 1 year ago • 4 comments

MDEV: https://jira.mariadb.org/browse/MDEV-33834

Description

This is the continuous work of https://github.com/MariaDB/server/pull/3175.

Add tls_version and tls_version_length variables to the audit plugin so they can be logged. This is useful to help identify suspicious or malformed connections attempting to use unsupported TLS versions. A log with this information will allow detecting and blocking more malicious connection attempts.

Users with 'server_audit_events' empty will have these two new variables automatically visible in their logs, but if users don't want them, they can always configure what fields to include by listing the fields in 'server_audit_events'.

In the connection event, the TLS version will be populated in the object field in key=value format, and the key-value pair will be omitted when the value is empty.

To ensure the MTR test result matches in all environments, the TLS version string is replaced with a general TLS_VERSION to avoid the MTR test failing unexpectedly. The regex is based on the output of the SSL_get_version() function in the latest OpenSSL library (v3.3), which returns 10 possible values:

  • SSLv3
  • TLSv1
  • TLSv1.1
  • TLSv1.2
  • TLSv1.3
  • DTLSv0.9
  • DTLSv1
  • DTLSv1.2
  • QUICv1
  • unknown

Release Notes

None. This just adds more possibilities for users.

How can this PR be tested?

Modified the server audit plugin to include this new info, and updated the server audit plugin MTR tests.

Basing the PR against the correct MariaDB version

  • [X] This is a new feature and the PR is based against the latest MariaDB development branch.

PR quality check

  • [X] I checked the CODING_STANDARDS.md file and my PR conforms to this where appropriate.
  • [X] For any trivial modifications to the PR, I am ok with the reviewer making the changes themselves.

Copyright

All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.

keeper avatar Sep 05 '24 00:09 keeper
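As an added example (not code from this PR or from MariaDB), a small Python check over constructed server_audit lines: it normalizes the version string the way the MTR test does and flags CONNECT events that negotiated an unsupported version. The column layout, the `tls_version=...` object value and the set of versions treated as unsupported are assumptions for this example.

```python
import csv
import re

# The ten strings SSL_get_version() can return, per the PR description. Longer
# alternatives come first so re.sub does not stop at the "TLSv1" prefix of "TLSv1.2".
TLS_VERSION_RE = re.compile(
    r"tls_version=(TLSv1\.[123]|TLSv1|SSLv3|DTLSv0\.9|DTLSv1\.2|DTLSv1|QUICv1|unknown)"
)
# Protocol versions a defender would flag (assumed policy, not from the PR).
UNSUPPORTED = {"SSLv3", "TLSv1", "TLSv1.1", "DTLSv0.9", "DTLSv1"}

# Constructed sample of server_audit lines. The column layout
# (timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode)
# and the "tls_version=..." object value are assumptions for this example.
SAMPLE_LOG = """\
20240905 00:09:01,db1,app,10.0.0.5,11,0,CONNECT,,tls_version=TLSv1.3,0
20240905 00:09:02,db1,app,10.0.0.6,12,0,CONNECT,,,0
20240905 00:09:03,db1,root,203.0.113.9,13,0,CONNECT,,tls_version=TLSv1,0
20240905 00:09:04,db1,app,10.0.0.5,14,0,QUERY,appdb,'SELECT 1',0
20240905 00:09:05,db1,scan,203.0.113.9,15,0,CONNECT,,tls_version=SSLv3,1
"""


def normalize_for_mtr(log_text):
    """Replace every TLS version string with TLS_VERSION, as the MTR test does."""
    return TLS_VERSION_RE.sub("tls_version=TLS_VERSION", log_text)


def tls_version_of(object_field):
    """Return the tls_version value, or None when the pair was omitted (non-TLS connection)."""
    key, sep, value = object_field.partition("=")
    return value if sep and key == "tls_version" else None


def flag_connections(log_text):
    """Return (connectionid, host, version) for CONNECT events using an unsupported version."""
    flagged = []
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 10 or row[6] != "CONNECT":
            continue
        version = tls_version_of(row[8])
        if version in UNSUPPORTED:
            flagged.append((row[4], row[3], version))
    return flagged
```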