*: remove TLS1.0, TLS1.1 support

[tiancaiamao]

What problem does this PR solve?

Issue Number: ref #36036

Problem Summary:

What changed and how does it work?

TLS1.0/1.1 has security issues, remove the support of them.

Check List

Tests

• Unit test
• Integration test
• Manual test (add detailed scripts or steps below)

Generate the certificates according to this page https://docs.pingcap.com/tidb/stable/generate-self-signed-certificates
Modify pkg/config/config.toml.example

ssl-ca = "/home/genius/root.crt"
ssl-cert = "/home/genius/tikv.crt"
ssl-key = "/home/genius/tikv.key"

Run tidb-server:

./bin/tidb-server -config config.toml.example

Verify connection with mysql client:

$ mysql --tls-version=TLSv1.0 -v -v -v --ssl-ca='/home/genius/root.crt'  --ssl-cert="/home/genius/tikv.crt" --ssl-key="/home/genius/tikv.key" -uroot -h127.0.0.1  
ERROR 2026 (HY000): SSL connection error: TLS version is invalid

$ mysql --tls-version=TLSv1.1 -v -v -v --ssl-ca='/home/genius/root.crt'  --ssl-cert="/home/genius/tikv.crt" --ssl-key="/home/genius/tikv.key" -uroot -h127.0.0.1  
ERROR 2026 (HY000): SSL connection error: TLS version is invalid

• No need to test

  • I checked and no code files have been changed.

Side effects

• Performance regression: Consumes more CPU
• Performance regression: Consumes more Memory
• Breaking backward compatibility

Documentation

• Affects user behaviors
• Contains syntax changes
• Contains variable changes
• Contains experimental features
• Changes MySQL compatibility

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

remove TLS1.0, TLS1.1 support

[tiprow]

Hi @tiancaiamao. Thanks for your PR.

PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test all.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[lance6716]

dumpling and lightning may connect to older version of TiDB and MySQL, and their TLS version is older than v1.2. Should we support this case @Frank945946

[tiancaiamao]

TLSv1.2 is introduced in year 2008, 15 years ago, that's old enough.
And as long as those software support TLSv1.2 above, change this MinVersion will not cause any trouble.
Without doubt, that's the case for TiDB.

And then I check the release history of MySQL ...

Release	General availability	Latest release
5.5 LTS	3 December 2010	2018-10-22
5.6 LTS	5 February 2013	2021-01-20
5.7 LTS	21 October 2015	2023-10-25
8.0 LTS	19 April 2018	2023-10-25

I'm sure it's pretty safe to do this change according to the above information.

[bb7133]

It is not so 'safe' actually. We do know many TiDB users still using old clients. However, it is reasonable to remove the support of 'TLS 1.0/1.1'.

Thanks @lance6716

[Frank945946]

Removing the support of 'TLS 1.0/1.1' LTGM and please leave a note to the corresponding docs then @lance6716 .

[codecov]

Codecov Report

Merging #50348 (669b625) into master (695d162) will decrease coverage by 16.3559%.
Report is 23 commits behind head on master.
The diff coverage is 50.0000%.

Additional details and impacted files

@@                Coverage Diff                @@
##             master     #50348         +/-   ##
=================================================
- Coverage   71.8223%   55.4665%   -16.3559%     
=================================================
  Files          1444       1555        +111     
  Lines        346984     587587     +240603     
=================================================
+ Hits         249212     325914      +76702     
- Misses        77425     238950     +161525     
- Partials      20347      22723       +2376     

Flag	Coverage Δ
integration	36.7226% <0.0000%> (?)
unit	69.9951% <50.0000%> (-1.8273%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
dumpling	54.0269% <100.0000%> (-2.2860%)	⬇️
parser	∅ <ø> (∅)
br	55.5409% <100.0000%> (+4.2400%)	⬆️

[bb7133]

LGTM

[ti-chi-bot]

[LGTM Timeline notifier]

Timeline:

• 2024-01-12 08:07:18.175392682 +0000 UTC m=+603427.759646364: ☑️ agreed by bb7133.
• 2024-01-12 15:17:07.880735451 +0000 UTC m=+629217.464989138: ☑️ agreed by hawkingrei.

[Frank945946]

Removing the support of 'TLS 1.0/1.1' LTGM and please leave a note to the corresponding docs then @lance6716 .

[ti-chi-bot]

@Frank945946: adding LGTM is restricted to approvers and reviewers in OWNERS files.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bb7133, Frank945946, hawkingrei, lance6716, okJiang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [bb7133,hawkingrei,lance6716,okJiang]
• br/pkg/lightning/OWNERS [lance6716,okJiang]
• dumpling/OWNERS [okJiang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment