
Commit 4b05541

lostatredrockAndrew Nagel
andauthored
Fix unintentional TLS downgrade (#1134).
Change the logic used to determine when a connection attempt is failing due to a lack of support for TLS 1.2+ in yaSSL-based MySQL Server so that a downgrade no longer occurs if the user has explicitly configured supported TLS Version(s) in the connection string. Signed-off-by: Andrew Nagel <[email protected]> Signed-off-by: Andrew Nagel <[email protected]> Co-authored-by: Andrew Nagel <[email protected]>
1 parent a865efb commit 4b05541


1 file changed

+5
-3
lines changed


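--- a/src/MySqlConnector/Core/ServerSession.cs
+++ b/src/MySqlConnector/Core/ServerSession.cs
@@ -416,7 +416,9 @@ public async Task DisposeAsync(IOBehavior ioBehavior, CancellationToken cancella
 InitialHandshakePayload initialHandshake;
 do
 {
-shouldRetrySsl = (sslProtocols == SslProtocols.None || (sslProtocols & SslProtocols.Tls12) == SslProtocols.Tls12) && Utility.IsWindows();
+bool tls11or10Supported = (sslProtocols & (SslProtocols.Tls | SslProtocols.Tls11)) != SslProtocols.None;
+bool tls12Supported = (sslProtocols & SslProtocols.Tls12) == SslProtocols.Tls12;
+shouldRetrySsl = (sslProtocols == SslProtocols.None || (tls12Supported && tls11or10Supported)) && Utility.IsWindows();
 
 var connected = false;
 if (cs.ConnectionProtocol == MySqlConnectionProtocol.Sockets)
@@ -525,7 +527,7 @@ public async Task DisposeAsync(IOBehavior ioBehavior, CancellationToken cancella
 {
 // negotiating TLS 1.2 with a yaSSL-based server throws an exception on Windows, see comment at top of method
 Log.Debug(ex, "Session{0} failed negotiating TLS; falling back to TLS 1.1", m_logArguments);
-sslProtocols = SslProtocols.Tls | SslProtocols.Tls11;
+sslProtocols = sslProtocols == SslProtocols.None ? SslProtocols.Tls | SslProtocols.Tls11 : (SslProtocols.Tls | SslProtocols.Tls11) & sslProtocols;
 if (Pool is not null)
 Pool.SslProtocols = sslProtocols;
 }
@@ -1200,7 +1202,7 @@ private async Task<bool> OpenNamedPipeAsync(ConnectionSettings cs, int startTick
 await namedPipeStream.ConnectAsync(timeout, cancellationToken).ConfigureAwait(false);
 else
 #endif
-namedPipeStream.Connect(timeout);
+namedPipeStream.Connect(timeout);
 }
 catch (Exception ex) when ((ex is ObjectDisposedException && cancellationToken.IsCancellationRequested) || ex is TimeoutException)
 {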
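Review bot: The fallback assignment at new line 530 still downgrades to TLS 1.0/1.1 without any opt-in whenever no TLS version was configured (the `sslProtocols == SslProtocols.None` arm), and the following `Pool.SslProtocols = sslProtocols;` writes that reduced set into the pool, so every later connection from that pool inherits the downgrade rather than only the session that hit the yaSSL exception. Since the retry is triggered by an exception during negotiation, anything that makes the TLS 1.2 handshake fail on Windows — not only a yaSSL server — can push the pool onto deprecated protocols, yet the event is logged only at Debug and the message says "TLS 1.1" while the code also enables TLS 1.0. I would log it at warning level with the real set, e.g. `Log.Warn(ex, "Session{0} failed negotiating TLS 1.2; falling back to TLS 1.0/1.1 for this connection pool", m_logArguments);` (or the logger's equivalent level), and add a comment above the `Pool` assignment noting that the downgrade is pool-wide and persists for the pool's lifetime. The catch block and its exception filter start outside this hunk, so whether it is already gated on `shouldRetrySsl` cannot be confirmed from here.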
