Add support for TLS 1.1 and 1.2, disable 1.0 by default

Registered by Laurynas Biveinis on 2016-05-16

https://github.com/percona/percona-server/pull/620

This is to add TLS v1.1 and v1.2 protocol support to Percona Server 5.5, which currently supports only TLS v1.0. At the same time, disable TLS v1.0 support by default (but provide a way to re-enable it if needed).

Backport the 5.7 server variable tls-version: http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_tls_version. Change its default from "TLSv1,TLSv1.1,TLSv1.2" to "TLSv1.1,TLSv1.2". The MASTER_TLS_VERSION clause of the CHANGE MASTER TO statement will not be backported.

The client side will gain the ability to make TLSv1.1 and TLSv1.2 connections, but the option to allow only some protocol versions (--tls-version, MYSQL_OPT_TLS_VERSION in the C API) will not be backported, due to compatibility concerns and because using 5.7 clients instead is a relatively easy alternative if needed.

Introduce a new read-only global server variable, have_tlsv1_2, which is set to ON if the server has been compiled with an SSL library providing TLSv1.2 support. This variable is to be used by the test suite to skip the tests that require TLSv1.2 on old OpenSSL/YaSSL builds.
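One way to confirm from the network which protocol versions a server accepts under a given tls-version setting, as an added example (not code from this blueprint or from Percona Server). The function names and the sample greeting are constructed for illustration, and the probe assumes a Python client built against OpenSSL 1.1.0 or later that can still offer TLSv1.0 and TLSv1.1.

```python
import socket, ssl, struct

CLIENT_PROTOCOL_41, CLIENT_SSL, CLIENT_SECURE_CONNECTION = 0x0200, 0x0800, 0x8000
# Constructed sample greeting payload (protocol 10), not captured from a real server.
SAMPLE_GREETING = b"\x0a5.5.50-38.0\x00" + b"\x01\x00\x00\x00abcdefgh\x00" + b"\xff\xff\x21\x02\x00"

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def read_packet(sock):
    """MySQL packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    return recv_exact(sock, int.from_bytes(recv_exact(sock, 4)[:3], "little"))

def server_offers_ssl(greeting):
    """Return (server_version, CLIENT_SSL advertised) from a protocol-10 greeting."""
    if greeting[0] != 10:
        raise ValueError("not a protocol-10 greeting (0xff means an error packet)")
    end = greeting.index(b"\x00", 1)  # server version string is NUL-terminated
    # Skip connection id (4 bytes), auth data part 1 (8 bytes) and filler (1 byte).
    caps_low = int.from_bytes(greeting[end + 14:end + 16], "little")
    return greeting[1:end].decode(), bool(caps_low & CLIENT_SSL)

def ssl_request():
    """SSLRequest packet (sequence id 1) that asks the server to switch to TLS."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION
    payload = struct.pack("<IIB23x", caps, 1 << 24, 33)  # caps, max packet, utf8
    return len(payload).to_bytes(3, "little") + b"\x01" + payload

def negotiated_version(host, port, version):
    """Offer exactly one TLS version; return what was negotiated, or None if refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # protocol probe only
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # assumption: OpenSSL >= 1.1.0 client
    ctx.minimum_version = ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=5) as sock:
        if not server_offers_ssl(read_packet(sock))[1]:
            raise RuntimeError("server does not advertise SSL")
        sock.sendall(ssl_request())
        try:
            with ctx.wrap_socket(sock) as tls:
                return tls.version()
        except (ssl.SSLError, ConnectionError):
            return None
```

Against a server running with the new default, `negotiated_version(host, 3306, ssl.TLSVersion.TLSv1)` is expected to return `None`, while the TLSv1_1 and TLSv1_2 probes return the negotiated version string. A `None` can also mean the local OpenSSL build itself cannot offer that version, so run the probe against a known-good server first.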

Blueprint information

Status: Complete
Approver: Laurynas Biveinis
Priority: High
Drafter: Laurynas Biveinis
Direction: Approved
Assignee: Laurynas Biveinis
Definition: Approved
Series goal: Accepted for 5.5
Implementation: Implemented
Milestone target: 5.5.50-38.0
Started by: Laurynas Biveinis on 2016-05-16
Completed by: Laurynas Biveinis on 2016-06-30
