*: remove TLS1.0, TLS1.1 support

pingcap · Jan 12, 2024 · 669b625 · 669b625
1 parent 695d162
commit 669b625
Show file tree

Hide file tree

Showing 6 changed files with 7 additions and 17 deletions.
diff --git a/br/pkg/lightning/config/config.go b/br/pkg/lightning/config/config.go
@@ -187,7 +187,7 @@ func (d *DBStore) adjust(
 		if d.Security.TLSConfig == nil {
 			/* #nosec G402 */
 			d.Security.TLSConfig = &tls.Config{
-				MinVersion:         tls.VersionTLS10,
+				MinVersion:         tls.VersionTLS12,
 				InsecureSkipVerify: true,
 				NextProtos:         []string{"h2", "http/1.1"}, // specify `h2` to let Go use HTTP/2.
 			}

diff --git a/dumpling/export/config.go b/dumpling/export/config.go
@@ -279,7 +279,7 @@ func (conf *Config) GetDriverConfig(db string) *mysql.Config {
 		/* #nosec G402 */
 		driverCfg.TLS = &tls.Config{
 			InsecureSkipVerify: true,
-			MinVersion:         tls.VersionTLS10,
+			MinVersion:         tls.VersionTLS12,
 			NextProtos:         []string{"h2", "http/1.1"}, // specify `h2` to let Go use HTTP/2.
 		}
 	}

diff --git a/pkg/server/server.go b/pkg/server/server.go
@@ -737,10 +737,6 @@ func (cc *clientConn) connectInfo() *variable.ConnectionInfo {
 		connType = variable.ConnTypeTLS
 		sslVersionNum := cc.tlsConn.ConnectionState().Version
 		switch sslVersionNum {
-		case tls.VersionTLS10:
-			sslVersion = "TLSv1.0"
-		case tls.VersionTLS11:
-			sslVersion = "TLSv1.1"
 		case tls.VersionTLS12:
 			sslVersion = "TLSv1.2"
 		case tls.VersionTLS13:

diff --git a/pkg/sessionctx/variable/statusvar.go b/pkg/sessionctx/variable/statusvar.go
@@ -122,9 +122,8 @@ var tlsCiphers = []uint16{
 var tlsSupportedCiphers string
 
 // Taken from https://github.com/openssl/openssl/blob/c784a838e0947fcca761ee62def7d077dc06d37f/include/openssl/ssl.h#L141 .
+// Update: remove tlsv1.0 and v1.1 support
 var tlsVersionString = map[uint16]string{
-	tls.VersionTLS10: "TLSv1",
-	tls.VersionTLS11: "TLSv1.1",
 	tls.VersionTLS12: "TLSv1.2",
 	tls.VersionTLS13: "TLSv1.3",
 }

diff --git a/pkg/util/misc.go b/pkg/util/misc.go
@@ -487,10 +487,6 @@ func LoadTLSCertificates(ca, key, cert string, autoTLS bool, rsaKeySize int) (tl
 
 	var minTLSVersion uint16 = tls.VersionTLS12
 	switch tlsver := config.GetGlobalConfig().Security.MinTLSVersion; tlsver {
-	case "TLSv1.0":
-		minTLSVersion = tls.VersionTLS10
-	case "TLSv1.1":
-		minTLSVersion = tls.VersionTLS11
 	case "TLSv1.2":
 		minTLSVersion = tls.VersionTLS12
 	case "TLSv1.3":
@@ -503,9 +499,8 @@ func LoadTLSCertificates(ca, key, cert string, autoTLS bool, rsaKeySize int) (tl
 		)
 	}
 	if minTLSVersion < tls.VersionTLS12 {
-		logutil.BgLogger().Warn(
-			"Minimum TLS version allows pre-TLSv1.2 protocols, this is not recommended",
-		)
+		err = errors.New("Minimum TLS version pre-TLSv1.2 protocols are not allowed")
+		return
 	}
 
 	// Try loading CA cert.

diff --git a/pkg/util/security.go b/pkg/util/security.go
@@ -94,7 +94,7 @@ func ToTLSConfigWithVerify(caPath, certPath, keyPath string, verifyCN []string)
 	}
 	/* #nosec G402 */
 	tlsCfg := &tls.Config{
-		MinVersion:   tls.VersionTLS10,
+		MinVersion:   tls.VersionTLS12,
 		Certificates: certificates,
 		RootCAs:      certPool,
 		ClientCAs:    certPool,
@@ -183,7 +183,7 @@ func NewTLSConfig(opts ...TLSConfigOption) (*tls.Config, error) {
 
 	/* #nosec G402 */
 	tlsCfg := &tls.Config{
-		MinVersion:         tls.VersionTLS10,
+		MinVersion:         tls.VersionTLS12,
 		InsecureSkipVerify: true,
 		NextProtos:         []string{"h2", "http/1.2"}, // specify `h2` to let Go use HTTP/2.
 	}