tidb
tidb copied to clipboard
pingcap
util: Use TLSv1.2 as minimum TLS version by default
What problem does this PR solve?
Issue Number: close #36036
Problem Summary:
https://www.rfc-editor.org/rfc/rfc8996.html#name-do-not-use-tls-11
What is changed and how it works?
Check List
Tests
- [ ] Unit test
- [ ] Integration test
- [x] Manual test (add detailed scripts or steps below)
- [ ] No code
Side effects
- [ ] Performance regression: Consumes more CPU
- [ ] Performance regression: Consumes more Memory
- [x] Breaking backward compatibility
Documentation
- [x] Affects user behaviors
- [ ] Contains syntax changes
- [ ] Contains variable changes
- [ ] Contains experimental features
- [ ] Changes MySQL compatibility
Release note
The minimum TLS version has been changed from TLSv1.1 to TLSv1.2 to comply with IETF RFC 8996.
[REVIEW NOTIFICATION]
This pull request has been approved by:
- hawkingrei
To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.
The full list of commands accepted by this bot can be found here.
Reviewer can indicate their review by submitting an approval review. Reviewer can cancel approval by submitting a request changes review.
Code Coverage Details: https://codecov.io/github/pingcap/tidb/commit/b36d47ece1ce3ca9216be8d87902064e58f942da
@dveeden: GitHub didn't allow me to request PR reviews from the following users: likzn.
Note that only pingcap members and repo collaborators can review this PR, and authors cannot review their own PRs.
In response to this:
/cc @likzn @hawkingrei @zhangyangyu
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
I think this is not a simple one line change. It might affect some users still using TLSv1.1(both conscious & unconscious). We need to see how the product managers think.
I think this is not a simple one line change. It might affect some users still using TLSv1.1(both conscious & unconscious). We need to see how the product managers think.
Yes I agree.
If people use very old clients that use YaSSL they won't be able to use TLSv1.2 or newer. (see also: https://dev.mysql.com/doc/refman/5.7/en/ssl-libraries.html )
However this should only be merged into master and not be backported. So this won't affect users of TiDB v6.1.x or older.
This is only changing the default, so people can change the config to allow TLSv1.1 if needed.
This will improve security and may also be beneficial for compliance with various regulations.
This is how MySQL handles this: (source: https://dev.mysql.com/doc/refman/8.0/en/encrypted-connection-protocols-ciphers.html )
Customers can choose TLS 1.1, 1.2, 1.3 versions, the default is to configure TLS 1.2, but does not support TLS1.0?
Customers can choose TLS 1.1, 1.2, 1.3 versions, the default is to configure TLS 1.2, but does not support TLS1.0?
By default TiDB supports TLSv1.1, 1.2 and 1.3. It can be configured to support TLSv1.0.
This change would change the default to only support TLSv1.2 and TLSv1.3.
@lulukelu: Thanks for your review. The bot only counts approvals from reviewers and higher roles in list, but you're still welcome to leave your comments.
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.
Unless you are using very old versions of MySQL Server or connectors, you are unlikely to have connections using TLSv1.0 or TLSv1.1.
I have a concern that this will break some existing users if they're using very old clients. I tried to search for the version of clients that support TLS v1 only, but didn't get a clear conclusion yet.
Unless you are using very old versions of MySQL Server or connectors, you are unlikely to have connections using TLSv1.0 or TLSv1.1.
I have a concern that this will break some existing users if they're using very old clients. I tried to search for the version of clients that support TLS v1 only, but didn't get a clear conclusion yet.
MySQL v5.6 and earlier only supported TLSv1.0. Very early on in the MySQL 5.7 lifecycle support for TLSv1.1 was added. The YaSSL library that was used for the community edition only supported TLSv1.0 and TLSv1.1, but not TLSv1.2 or newer. Later on support for YaSSL was removed (replaced by OpenSSL). Note that MySQL 5.7 is nearing end-of-life soon.
If this breaks things then a configuration change should allow TLSv1.1 (and TLSv1.0) if needed.
- https://bugs.mysql.com/bug.php?id=75239
- https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-10.html
- https://dev.mysql.com/doc/refman/5.7/en/source-ssl-library-configuration.html
@dveeden: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.
In response to this:
/test unit-test
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
![tiprow[bot] avatar](https://avatars.githubusercontent.com/in/18927?v=4 "Published by a pub.dev verified publisher"){kind=small}
From a security perspective, the product needs to be factory-safe by default, while retaining the compatibility of non-secure versions. Users can modify it according to their own conditions, and the security risks caused by the modification are borne by the customer. So from the perspective of the security team, we agree with this modification.
Codecov Report
Merging #36037 (6820cb9) into master (625dc4e) will increase coverage by
2.3465%. Report is 478 commits behind head on master. The diff coverage is100.0000%.
Additional details and impacted files
@@ Coverage Diff @@
## master #36037 +/- ##
================================================
+ Coverage 71.4230% 73.7696% +2.3465%
================================================
Files 1404 1486 +82
Lines 407220 469654 +62434
================================================
+ Hits 290849 346462 +55613
- Misses 96417 102770 +6353
- Partials 19954 20422 +468
| Flag | Coverage Δ | |
|---|---|---|
| integration | 51.6562% <0.0000%> (?) |
|
| unit | 71.4206% <100.0000%> (-0.0025%) |
:arrow_down: |
Flags with carried forward coverage won't be shown. Click here to find out more.
| Components | Coverage Δ | |
|---|---|---|
| dumpling | 53.9874% <ø> (ø) |
|
| parser | ∅ <ø> (∅) |
|
| br | 52.7496% <ø> (-0.3321%) |
:arrow_down: |
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}
@ljun0712: adding LGTM is restricted to approvers and reviewers in OWNERS files.
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
![ti-chi-bot[bot] avatar](https://avatars.githubusercontent.com/in/214286?v=4 "Published by a pub.dev verified publisher"){kind=small}
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: bb7133, CbcWestwolf, hawkingrei, ljun0712, lulukelu
The full list of commands accepted by this bot can be found here.
The pull request process is described here
- ~~OWNERS~~ [CbcWestwolf,bb7133,hawkingrei]
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
[LGTM Timeline notifier]
Timeline:
-
2023-11-23 10:07:32.218097971 +0000 UTC m=+485280.883324151: :ballot_box_with_check: agreed by CbcWestwolf. -
2024-01-04 18:19:00.117160584 +0000 UTC m=+2367431.154387526: :ballot_box_with_check: agreed by bb7133.