Added support for TLSv1.1 and TLSv1.2

risdenk · Nov 18, 2015 · 13e0402 · 13e0402
1 parent 13c5af1
commit 13e0402
Show file tree

Hide file tree

Showing 3 changed files with 84 additions and 5 deletions.
diff --git a/CHANGES b/CHANGES
@@ -2,6 +2,8 @@
 # $Id$
 dd-mm-yy - Version 5.1.38
 
+  - Added support for TLSv1.1 and TLSv1.2
+
   - Fix for Bug#78961 (22096981), Can't call MySQL procedure with InOut parameters in Fabric environment.
 
   - Fix for Bug#56100 (11763401), Replication driver routes DML statements to read-only slaves.

diff --git a/src/com/mysql/jdbc/ExportControlled.java b/src/com/mysql/jdbc/ExportControlled.java
@@ -87,8 +87,15 @@ protected static void transformSocketToSSLSocket(MysqlIO mysqlIO) throws SQLExce
         try {
             mysqlIO.mysqlConnection = sslFact.connect(mysqlIO.host, mysqlIO.port, null);
 
-            // need to force TLSv1, or else JSSE tries to do a SSLv2 handshake which MySQL doesn't understand
-            ((SSLSocket) mysqlIO.mysqlConnection).setEnabledProtocols(new String[] { "TLSv1" });
+            List<String> allowedProtocols = new ArrayList<String>();
+            List<String> supportedProtocols = Arrays.asList(((SSLSocket) mysqlIO.mysqlConnection).getSupportedProtocols());
+            for (String protocol : (Util.isEnterpriseEdition(mysqlIO.getServerVersion()) ? new String[] { "TLSv1.2", "TLSv1.1", "TLSv1" } : new String[] {
+                    "TLSv1.1", "TLSv1" })) {
+                if (supportedProtocols.contains(protocol)) {
+                    allowedProtocols.add(protocol);
+                }
+            }
+            ((SSLSocket) mysqlIO.mysqlConnection).setEnabledProtocols(allowedProtocols.toArray(new String[0]));
 
             // check allowed cipher suites
             String enabledSSLCipherSuites = mysqlIO.connection.getEnabledSSLCipherSuites();
@@ -109,8 +116,8 @@ protected static void transformSocketToSSLSocket(MysqlIO mysqlIO) throws SQLExce
             } else {
                 // If we don't override ciphers, then we check for known restrictions
                 boolean disableDHAlgorithm = false;
-                if (mysqlIO.versionMeetsMinimum(5, 5, 45) && !mysqlIO.versionMeetsMinimum(5, 6, 0)
-                        || mysqlIO.versionMeetsMinimum(5, 6, 26) && !mysqlIO.versionMeetsMinimum(5, 7, 0) || mysqlIO.versionMeetsMinimum(5, 7, 6)) {
+                if (mysqlIO.versionMeetsMinimum(5, 5, 45) && !mysqlIO.versionMeetsMinimum(5, 6, 0) || mysqlIO.versionMeetsMinimum(5, 6, 26)
+                        && !mysqlIO.versionMeetsMinimum(5, 7, 0) || mysqlIO.versionMeetsMinimum(5, 7, 6)) {
                     // Workaround for JVM bug http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6521495
                     // Starting from 5.5.45, 5.6.26 and 5.7.6 server the key length used for creating Diffie-Hellman keys has been
                     // increased from 512 to 2048 bits, while JVMs affected by this bug allow only range from 512 to 1024 (inclusive).
@@ -136,7 +143,7 @@ protected static void transformSocketToSSLSocket(MysqlIO mysqlIO) throws SQLExce
 
             // if some ciphers were filtered into allowedCiphers 
             if (allowedCiphers != null) {
-                ((SSLSocket) mysqlIO.mysqlConnection).setEnabledCipherSuites(allowedCiphers.toArray(new String[] {}));
+                ((SSLSocket) mysqlIO.mysqlConnection).setEnabledCipherSuites(allowedCiphers.toArray(new String[0]));
             }
 
             ((SSLSocket) mysqlIO.mysqlConnection).startHandshake();

diff --git a/src/testsuite/regression/ConnectionRegressionTest.java b/src/testsuite/regression/ConnectionRegressionTest.java
@@ -8207,6 +8207,11 @@ public void testBug21947042() throws Exception {
             String cipher = rset.getString(2);
             System.out.println("ssl_cipher=" + cipher);
 
+            rset = sslConn.createStatement().executeQuery("SHOW STATUS LIKE 'ssl_version'");
+            assertTrue(rset.next());
+            cipher = rset.getString(2);
+            System.out.println("ssl_version=" + cipher);
+
             sslConn.close();
 
             // check for warning
@@ -8229,6 +8234,11 @@ public void testBug21947042() throws Exception {
             cipher = rset.getString(2);
             System.out.println("ssl_cipher=" + cipher);
 
+            rset = sslConn.createStatement().executeQuery("SHOW STATUS LIKE 'ssl_version'");
+            assertTrue(rset.next());
+            cipher = rset.getString(2);
+            System.out.println("ssl_version=" + cipher);
+
             sslConn.close();
 
             // check for warning
@@ -8254,6 +8264,11 @@ public void testBug21947042() throws Exception {
             cipher = rset.getString(2);
             System.out.println("ssl_cipher=" + cipher);
 
+            rset = sslConn.createStatement().executeQuery("SHOW STATUS LIKE 'ssl_version'");
+            assertTrue(rset.next());
+            cipher = rset.getString(2);
+            System.out.println("ssl_version=" + cipher);
+
             sslConn.close();
 
             // check for warning
@@ -8353,4 +8368,59 @@ public ResultSetInternalMethods preProcess(String sql, com.mysql.jdbc.Statement
             return super.preProcess(sql, interceptedStatement, connection);
         }
     }
+
+    /**
+     * Tests fix for WL#8196, Support for TLSv1.2 Protocol.
+     * 
+     * This test requires community server (with yaSSL) in -Dcom.mysql.jdbc.testsuite.url and
+     * commercial server (with OpenSSL) in -Dcom.mysql.jdbc.testsuite.url.sha256default
+     * 
+     * Test certificates from testsuite/ssl-test-certs must be installed on both servers.
+     * 
+     * @throws Exception
+     *             if the test fails.
+     */
+    public void testTLSVersion() throws Exception {
+
+        final String[] testDbUrls;
+        Properties props = new Properties();
+        props.setProperty("allowPublicKeyRetrieval", "true");
+        props.setProperty("useSSL", "true");
+        props.setProperty("requireSSL", "true");
+        props.setProperty("trustCertificateKeyStoreUrl", "file:src/testsuite/ssl-test-certs/test-cert-store");
+        props.setProperty("trustCertificateKeyStoreType", "JKS");
+        props.setProperty("trustCertificateKeyStorePassword", "password");
+
+        if (this.sha256Conn != null && ((MySQLConnection) this.sha256Conn).versionMeetsMinimum(5, 5, 7)) {
+            testDbUrls = new String[] { BaseTestCase.dbUrl, sha256Url };
+        } else {
+            testDbUrls = new String[] { BaseTestCase.dbUrl };
+        }
+
+        for (String testDbUrl : testDbUrls) {
+            System.out.println(testDbUrl);
+            System.out.println(System.getProperty("java.version"));
+            Connection sslConn = getConnectionWithProps(testDbUrl, props);
+            assertTrue(((MySQLConnection) sslConn).getIO().isSSLEstablished());
+
+            ResultSet rset = sslConn.createStatement().executeQuery("SHOW STATUS LIKE 'ssl_version'");
+            assertTrue(rset.next());
+            String tlsVersion = rset.getString(2);
+            System.out.println(tlsVersion);
+            System.out.println();
+
+            if (((MySQLConnection) sslConn).versionMeetsMinimum(5, 7, 10) && Util.getJVMVersion() > 6) {
+                if (Util.isEnterpriseEdition(((MySQLConnection) sslConn).getServerVersion())) {
+                    assertEquals("TLSv1.2", tlsVersion);
+                } else {
+                    assertEquals("TLSv1.1", tlsVersion);
+                }
+            } else {
+                assertEquals("TLSv1", tlsVersion);
+            }
+
+            sslConn.close();
+        }
+
+    }
 }