Add TlsCipherSuites connection string option. Fixes #904

Signed-off-by: Bradley Grainger <[email protected]>

Author: bgrainger

docs/content/api/MySqlConnector/MySqlConnectionStringBuilder/TlsCipherSuites.md

@@ -0,0 +1,17 @@
+---
+title: TlsCipherSuites
+---
+
+# MySqlConnectionStringBuilder.TlsCipherSuites property
+
+```csharp
+public string TlsCipherSuites { get; set; }
+```
+
+## See Also
+
+* class [MySqlConnectionStringBuilder](../../MySqlConnectionStringBuilderType/)
+* namespace [MySqlConnector](../../MySqlConnectionStringBuilderType/)
+* assembly [MySqlConnector](../../../MySqlConnectorAssembly/)
+
+<!-- DO NOT EDIT: generated by xmldocmd for MySqlConnector.dll -->

docs/content/api/MySqlConnector/MySqlConnectionStringBuilderType.md

@@ -60,6 +60,7 @@ public sealed class MySqlConnectionStringBuilder : DbConnectionStringBuilder
 | [SslCert](../MySqlConnectionStringBuilder/SslCert/) { get; set; } |  |
 | [SslKey](../MySqlConnectionStringBuilder/SslKey/) { get; set; } |  |
 | [SslMode](../MySqlConnectionStringBuilder/SslMode/) { get; set; } |  |
+| [TlsCipherSuites](../MySqlConnectionStringBuilder/TlsCipherSuites/) { get; set; } |  |
 | [TlsVersion](../MySqlConnectionStringBuilder/TlsVersion/) { get; set; } |  |
 | [TreatTinyAsBoolean](../MySqlConnectionStringBuilder/TreatTinyAsBoolean/) { get; set; } |  |
 | [UseAffectedRows](../MySqlConnectionStringBuilder/UseAffectedRows/) { get; set; } |  |

docs/content/connection-options.md

@@ -133,6 +133,11 @@ These are the options that need to be used in order to configure a connection to
     <td></td>
     <td>Specifies which certificate should be used from the Certificate Store specified in the setting above. This option must be used to indicate which certificate in the store should be used for authentication.</td>
   </tr>
+  <tr id="TlsCipherSuites">
+    <td>Tls Cipher Suites,TlsCipherSuites</td>
+    <td></td>
+    <td>Specifies which TLS cipher suites may be used during TLS negotiation. The default value (the empty string) allows the OS to determine the TLS cipher suites to use; this is the recommended setting. Otherwise, specify a comma-delimited list of <a href="https://docs.microsoft.com/en-us/dotnet/api/system.net.security.tlsciphersuite"><code>TlsCipherSuite</code> enum values</a> to allow just those cipher suites. (This option is only supported on Linux when using .NET Core 3.1 or .NET 5.0 or later.)</td>
+  </tr>
   <tr id="TlsVersion">
     <td>Tls Version, TlsVersion, Tls-Version</td>
     <td></td>

src/MySqlConnector/Core/ConnectionSettings.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Net.Security;
 using System.Security.Authentication;
 using MySqlConnector.Utilities;
 
@@ -87,6 +88,28 @@ public ConnectionSettings(MySqlConnectionStringBuilder csb)
 					throw new NotSupportedException("All specified TLS versions are incompatible with this platform.");
 			}
 
+			if (csb.TlsCipherSuites != "")
+			{
+#if NET45 || NET461 || NET471 || NETSTANDARD1_3 || NETSTANDARD2_0 || NETSTANDARD2_1 || NETCOREAPP2_1
+				throw new PlatformNotSupportedException("The TlsCipherSuites connection string option is only supported on .NET Core 3.1 (or later) on Linux.");
+#else
+				var tlsCipherSuites = new List<TlsCipherSuite>();
+				foreach (var token in csb.TlsCipherSuites.Split(','))
+				{
+					var suiteName = token.Trim();
+					if (Enum.TryParse<TlsCipherSuite>(suiteName, ignoreCase: true, out var cipherSuite))
+						tlsCipherSuites.Add(cipherSuite);
+					else if (int.TryParse(suiteName, out var value) && Enum.IsDefined(typeof(TlsCipherSuite), value))
+						tlsCipherSuites.Add((TlsCipherSuite) value);
+					else if (Enum.TryParse<TlsCipherSuite>("TLS_" + suiteName, ignoreCase: true, out cipherSuite))
+						tlsCipherSuites.Add(cipherSuite);
+					else
+						throw new NotSupportedException("Unknown value '{0}' for TlsCipherSuites.".FormatInvariant(suiteName));
+				}
+				TlsCipherSuites = tlsCipherSuites;
+#endif
+			}
+
 			// Connection Pooling Options
 			Pooling = csb.Pooling;
 			ConnectionLifeTime = Math.Min(csb.ConnectionLifeTime, uint.MaxValue / 1000) * 1000;
@@ -176,6 +199,9 @@ private static MySqlGuidFormat GetEffectiveGuidFormat(MySqlGuidFormat guidFormat
 		public MySqlCertificateStoreLocation CertificateStoreLocation { get; }
 		public string CertificateThumbprint { get; }
 		public SslProtocols TlsVersions { get; }
+#if !NET45 && !NET461 && !NET471 && !NETSTANDARD1_3 && !NETSTANDARD2_0 && !NETSTANDARD2_1 && !NETCOREAPP2_1
+		public IReadOnlyList<TlsCipherSuite>? TlsCipherSuites { get; }
+#endif
 
 		// Connection Pooling Options
 		public bool Pooling { get; }

src/MySqlConnector/Core/ServerSession.cs

@@ -1317,26 +1317,57 @@ bool ValidateRemoteCertificate(object rcbSender, X509Certificate? rcbCertificate
 			using (var initSsl = HandshakeResponse41Payload.CreateWithSsl(serverCapabilities, cs, m_useCompression, m_characterSet))
 				await SendReplyAsync(initSsl, ioBehavior, cancellationToken).ConfigureAwait(false);
 
+			var clientAuthenticationOptions = new SslClientAuthenticationOptions
+			{
+				EnabledSslProtocols = sslProtocols,
+				ClientCertificates = clientCertificates,
+				TargetHost = HostName,
+				CertificateRevocationCheckMode = checkCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck
+			};
+
+#if !NET45 && !NET461 && !NET471 && !NETSTANDARD1_3 && !NETSTANDARD2_0 && !NETSTANDARD2_1 && !NETCOREAPP2_1
+			if (cs.TlsCipherSuites is { Count: > 0 })
+				clientAuthenticationOptions.CipherSuitesPolicy = new CipherSuitesPolicy(cs.TlsCipherSuites);
+#endif
+
 			try
 			{
 				if (ioBehavior == IOBehavior.Asynchronous)
 				{
-					await sslStream.AuthenticateAsClientAsync(HostName, clientCertificates, sslProtocols, checkCertificateRevocation).ConfigureAwait(false);
+#if NET45 || NET461 || NET471 || NETSTANDARD1_3 || NETSTANDARD2_0
+					await sslStream.AuthenticateAsClientAsync(clientAuthenticationOptions.TargetHost,
+						clientAuthenticationOptions.ClientCertificates,
+						clientAuthenticationOptions.EnabledSslProtocols,
+						checkCertificateRevocation).ConfigureAwait(false);
+#else
+					await sslStream.AuthenticateAsClientAsync(clientAuthenticationOptions, cancellationToken).ConfigureAwait(false);
+#endif
 				}
 				else
 				{
 #if NETSTANDARD1_3
 					await sslStream.AuthenticateAsClientAsync(HostName, clientCertificates, sslProtocols, checkCertificateRevocation).ConfigureAwait(false);
+#elif NET45 || NET461 || NET471 || NETSTANDARD2_0 || NETSTANDARD2_1 || NETCOREAPP2_0 || NETCOREAPP2_1 || NETCOREAPP3_1
+					sslStream.AuthenticateAsClient(clientAuthenticationOptions.TargetHost,
+						clientAuthenticationOptions.ClientCertificates,
+						clientAuthenticationOptions.EnabledSslProtocols,
+						checkCertificateRevocation);
 #else
-					sslStream.AuthenticateAsClient(HostName, clientCertificates, sslProtocols, checkCertificateRevocation);
+					sslStream.AuthenticateAsClient(clientAuthenticationOptions);
 #endif
 				}
 				var sslByteHandler = new StreamByteHandler(sslStream);
 				m_payloadHandler!.ByteHandler = sslByteHandler;
 				m_isSecureConnection = true;
 				m_sslStream = sslStream;
-				m_logArguments[1] = sslStream.SslProtocol;
-				Log.Info("Session{0} connected TLS with Protocol {1}", m_logArguments);
+				if (Log.IsInfoEnabled())
+				{
+#if NET45 || NET461 || NET471 || NETSTANDARD1_3 || NETSTANDARD2_0 || NETSTANDARD2_1 || NETCOREAPP2_1
+					Log.Info("Session{0} connected TLS with SslProtocol={1}, CipherAlgorithm={2}, HashAlgorithm={3}, KeyExchangeAlgorithm={4}, KeyExchangeStrength={5}", m_logArguments[0], sslStream.SslProtocol, sslStream.CipherAlgorithm, sslStream.HashAlgorithm, sslStream.KeyExchangeAlgorithm, sslStream.KeyExchangeStrength);
+#else
+					Log.Info("Session{0} connected TLS with SslProtocol={1}, NegotiatedCipherSuite={2}", m_logArguments[0], sslStream.SslProtocol, sslStream.NegotiatedCipherSuite);
+#endif
+				}
 			}
 			catch (Exception ex)
 			{
@@ -1364,6 +1395,17 @@ bool ValidateRemoteCertificate(object rcbSender, X509Certificate? rcbCertificate
 			}
 		}
 
+#if NET45 || NET461 || NET471 || NETSTANDARD1_3 || NETSTANDARD2_0
+		// a stripped-down version of this POCO options class for TFMs that don't have it buit-in
+		internal sealed class SslClientAuthenticationOptions
+		{
+			public X509RevocationMode CertificateRevocationCheckMode { get; set; }
+			public X509CertificateCollection? ClientCertificates { get; set; }
+			public SslProtocols EnabledSslProtocols { get; set; }
+			public string? TargetHost { get; set; }
+		}
+#endif
+
 		// Some servers are exposed through a proxy, which handles the initial handshake and gives the proxy's
 		// server version and thread ID. Detect this situation and return `true` if the real server's details should
 		// be requested after connecting (which takes an extra roundtrip).

src/MySqlConnector/MySqlConnectionStringBuilder.cs

@@ -143,6 +143,13 @@ public string TlsVersion
 			set => MySqlConnectionStringOption.TlsVersion.SetValue(this, value);
 		}
 
+		[AllowNull]
+		public string TlsCipherSuites
+		{
+			get => MySqlConnectionStringOption.TlsCipherSuites.GetValue(this);
+			set => MySqlConnectionStringOption.TlsCipherSuites.SetValue(this, value);
+		}
+
 		// Connection Pooling Options
 		public bool Pooling
 		{
@@ -432,6 +439,7 @@ internal abstract class MySqlConnectionStringOption
 		public static readonly MySqlConnectionStringReferenceOption<string> SslCert;
 		public static readonly MySqlConnectionStringReferenceOption<string> SslKey;
 		public static readonly MySqlConnectionStringReferenceOption<string> TlsVersion;
+		public static readonly MySqlConnectionStringReferenceOption<string> TlsCipherSuites;
 
 		// Connection Pooling Options
 		public static readonly MySqlConnectionStringValueOption<bool> Pooling;
@@ -602,6 +610,10 @@ static MySqlConnectionStringOption()
 					return coercedValue;
 				}));
 
+			AddOption(TlsCipherSuites = new(
+				keys: new[] { "TlsCipherSuites", "Tls Cipher Suites" },
+				defaultValue: ""));
+
 			// Connection Pooling Options
 			AddOption(Pooling = new(
 				keys: new[] { "Pooling" },

tests/MySqlConnector.Tests/MySqlConnectionStringBuilderTests.cs

@@ -74,6 +74,7 @@ public void Defaults()
 			Assert.Equal("", csb.SslCa);
 			Assert.Equal("", csb.SslCert);
 			Assert.Equal("", csb.SslKey);
+			Assert.Equal("", csb.TlsCipherSuites);
 			Assert.Equal("", csb.TlsVersion);
 #else
 			Assert.Null(csb.SslCa);
@@ -130,6 +131,7 @@ public void ParseConnectionString()
 					"nobackslashescapes=true;" +
 					"server spn=mariadb/[email protected];" +
 					"use xa transactions=false;" +
+					"tls cipher suites=TLS_AES_128_CCM_8_SHA256,TLS_RSA_WITH_RC4_128_MD5;" +
 #endif
 					"ignore prepare=false;" +
 					"interactive=true;" +
@@ -148,6 +150,7 @@ public void ParseConnectionString()
 					"ssl-cert=client-cert.pem;" +
 					"ssl-key=client-key.pem;" +
 					"ssl mode=verifyca;" +
+					"tls version=Tls10, TLS v1.2;" +
 					"Uid=username;" +
 					"useaffectedrows=true"
 			};
@@ -187,6 +190,7 @@ public void ParseConnectionString()
 			Assert.True(csb.NoBackslashEscapes);
 			Assert.Equal("mariadb/[email protected]", csb.ServerSPN);
 			Assert.False(csb.UseXaTransactions);
+			Assert.Equal("TLS_AES_128_CCM_8_SHA256,TLS_RSA_WITH_RC4_128_MD5", csb.TlsCipherSuites);
 #endif
 			Assert.False(csb.IgnorePrepare);
 			Assert.True(csb.InteractiveSession);
@@ -205,6 +209,11 @@ public void ParseConnectionString()
 			Assert.Equal("client-cert.pem", csb.SslCert);
 			Assert.Equal("client-key.pem", csb.SslKey);
 			Assert.Equal(MySqlSslMode.VerifyCA, csb.SslMode);
+#if BASELINE
+			Assert.Equal("Tls, Tls12", csb.TlsVersion);
+#else
+			Assert.Equal("TLS 1.0, TLS 1.2", csb.TlsVersion);
+#endif
 			Assert.True(csb.UseAffectedRows);
 			Assert.True(csb.UseCompression);
 			Assert.Equal("username", csb.UserID);