Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

util: Disable 3DES ciphers for TLS connections (#27690) #27859

Merged
merged 3 commits into from
Sep 22, 2021

Conversation

ti-srebot
Copy link
Contributor

@ti-srebot ti-srebot commented Sep 7, 2021

cherry-pick #27690 to release-5.2
You can switch your code base to this Pull Request by using git-extras:

# In tidb repo:
git pr https://github.com/pingcap/tidb/pull/27859

After apply modifications, you can push your change to this PR via:

git push git@github.com:ti-srebot/tidb.git pr/27859:release-5.2-c85b3e283566

What problem does this PR solve?

Problem Summary:

Depending on the version of Go that is used, etc some insecure TLS ciphersuites are enabled.

This removes the following ciphersuites:

  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA

Note that https://docs.pingcap.com/tidb/stable/enable-tls-between-clients-and-servers didn't list these ciphersuites.

See also:

What is changed and how it works?

How it Works:

tls.CipherSuites() only lists ciphersuite that have Insecure=false, but in some cases this includes 3DES based ciphersuites, and these are explicitly removed from the list before using it in the tls.Config

Check List

Tests

  • Manual test (add detailed scripts or steps below)
openssl s_client -starttls mysql -connect 127.0.0.1:4000 -tls1_2 -cipher ECDHE-RSA-DES-CBC3-SHA

Side effects

  • Breaking backward compatibility

This intentionally removes compatibility with 3DES ciphersuites. This is not expected to impact any users as this is not commonly used for MySQL connections.

Release note

Support for 3DES based TLS ciphersuites was removed

Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
@ti-chi-bot
Copy link
Member

ti-chi-bot commented Sep 7, 2021

[REVIEW NOTIFICATION]

This pull request has been approved by:

  • kennytm
  • morgo

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

@ti-srebot
Copy link
Contributor Author

/run-all-tests

@ti-chi-bot ti-chi-bot added do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Sep 7, 2021
@ti-srebot ti-srebot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. type/5.2-cherry-pick labels Sep 7, 2021
@ti-srebot
Copy link
Contributor Author

@dveeden you're already a collaborator in bot's repo.

@ti-chi-bot
Copy link
Member

@dveeden: Thanks for your review. The bot only counts approvals from reviewers and higher roles in list, but you're still welcome to leave your comments.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.

@ti-chi-bot ti-chi-bot added the status/LGT1 Indicates that a PR has LGTM 1. label Sep 7, 2021
@ti-chi-bot ti-chi-bot added status/LGT2 Indicates that a PR has LGTM 2. and removed status/LGT1 Indicates that a PR has LGTM 1. labels Sep 8, 2021
@dveeden
Copy link
Contributor

dveeden commented Sep 16, 2021

/run-all-tests

@dveeden
Copy link
Contributor

dveeden commented Sep 16, 2021

/assign @morgo

@zhouqiang-cl zhouqiang-cl added the cherry-pick-approved Cherry pick PR approved by release team. label Sep 22, 2021
@morgo
Copy link
Contributor

morgo commented Sep 22, 2021

/merge

@ti-chi-bot
Copy link
Member

This pull request has been accepted and is ready to merge.

Commit hash: ce11d54

@ti-chi-bot ti-chi-bot added the status/can-merge Indicates a PR has been approved by a committer. label Sep 22, 2021
@ti-chi-bot ti-chi-bot merged commit 5bd54df into pingcap:release-5.2 Sep 22, 2021
@zhouqiang-cl zhouqiang-cl added this to the v5.2.2 milestone Oct 20, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cherry-pick-approved Cherry pick PR approved by release team. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. status/can-merge Indicates a PR has been approved by a committer. status/LGT2 Indicates that a PR has LGTM 2. type/5.2-cherry-pick
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants