Add TlsVersion connection string option. Fixes #760

Author: bgrainger

azure-pipelines.yml

@@ -140,7 +140,7 @@ jobs:
         unsupportedFeatures: 'Ed25519,CachingSha2Password,Tls13,UuidToBin'
       'MySQL 8.0':
         image: 'mysql:8.0'
-        unsupportedFeatures: 'Ed25519'
+        unsupportedFeatures: 'Ed25519,Tls11'
       'Percona 5.7':
         image: 'percona:5.7.22'
         unsupportedFeatures: 'CachingSha2Password,Ed25519,Tls13,UuidToBin'

src/MySqlConnector/Core/ConnectionPool.cs

@@ -444,7 +444,7 @@ private static IReadOnlyList<ConnectionPool> GetAllPools()
 		private ConnectionPool(ConnectionSettings cs)
 		{
 			ConnectionSettings = cs;
-			SslProtocols = Utility.GetDefaultSslProtocols();
+			SslProtocols = cs.TlsVersions;
 			m_generation = 0;
 			m_cleanSemaphore = new SemaphoreSlim(1);
 			m_sessionSemaphore = new SemaphoreSlim(cs.MaximumPoolSize);

src/MySqlConnector/Core/ConnectionSettings.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Security.Authentication;
 using MySql.Data.MySqlClient;
 using MySqlConnector.Utilities;
 
@@ -56,6 +57,35 @@ public ConnectionSettings(MySqlConnectionStringBuilder csb)
 			CertificateStoreLocation = csb.CertificateStoreLocation;
 			CertificateThumbprint = csb.CertificateThumbprint;
 
+			if (csb.TlsVersion is null)
+			{
+				TlsVersions = Utility.GetDefaultSslProtocols();
+			}
+			else
+			{
+				TlsVersions = default;
+				for (var i = 6; i < csb.TlsVersion.Length; i += 8)
+				{
+					char minorVersion = csb.TlsVersion[i];
+					if (minorVersion == '0')
+						TlsVersions |= SslProtocols.Tls;
+					else if (minorVersion == '1')
+						TlsVersions |= SslProtocols.Tls11;
+					else if (minorVersion == '2')
+						TlsVersions |= SslProtocols.Tls12;
+					else if (minorVersion == '3')
+#if NET45 || NET461 || NET471 || NETSTANDARD1_3 || NETSTANDARD2_0 || NETSTANDARD2_1 || NETCOREAPP2_1
+						TlsVersions |= 0;
+#else
+						TlsVersions |= SslProtocols.Tls13;
+#endif
+					else
+						throw new InvalidOperationException("Unexpected character '{0}' for TLS minor version.".FormatInvariant(minorVersion));
+				}
+				if (TlsVersions == default)
+					throw new NotSupportedException("All specified TLS versions are incompatible with this platform.");
+			}
+
 			// Connection Pooling Options
 			Pooling = csb.Pooling;
 			ConnectionLifeTime = Math.Min(csb.ConnectionLifeTime, uint.MaxValue / 1000) * 1000;
@@ -141,6 +171,7 @@ private static MySqlGuidFormat GetEffectiveGuidFormat(MySqlGuidFormat guidFormat
 		public string? SslKeyFile { get; }
 		public MySqlCertificateStoreLocation CertificateStoreLocation { get; }
 		public string? CertificateThumbprint { get; }
+		public SslProtocols TlsVersions { get; }
 
 		// Connection Pooling Options
 		public bool Pooling { get; }

src/MySqlConnector/Core/ServerSession.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Buffers.Text;
 using System.Collections.Generic;
+using System.ComponentModel;
 using System.Data;
 using System.Diagnostics;
 using System.Globalization;
@@ -326,7 +327,7 @@ public async Task ConnectAsync(ConnectionSettings cs, int startTickCount, ILoadB
 				// (which is SslProtocols.None; see https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls),
 				// then fall back to SslProtocols.Tls11 if that fails and it's possible that the cause is a yaSSL server.
 				bool shouldRetrySsl;
-				var sslProtocols = Pool?.SslProtocols ?? Utility.GetDefaultSslProtocols();
+				var sslProtocols = Pool?.SslProtocols ?? cs.TlsVersions;
 				PayloadData payload;
 				InitialHandshakePayload initialHandshake;
 				do
@@ -1296,6 +1297,8 @@ bool ValidateRemoteCertificate(object rcbSender, X509Certificate rcbCertificate,
 					throw new MySqlException(MySqlErrorCode.UnableToConnectToHost, "SSL Authentication Error", ex);
 				if (ex is IOException && clientCertificates is object)
 					throw new MySqlException(MySqlErrorCode.UnableToConnectToHost, "MySQL Server rejected client certificate", ex);
+				if (ex is Win32Exception win32 && win32.NativeErrorCode == -2146893007) // SEC_E_ALGORITHM_MISMATCH (0x80090331)
+					throw new MySqlException(MySqlErrorCode.UnableToConnectToHost, "The server doesn't support the client's specified TLS versions.", ex);
 				throw;
 			}
 			finally

src/MySqlConnector/MySql.Data.MySqlClient/MySqlConnectionStringBuilder.cs

@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.Data.Common;
 using System.Globalization;
+using System.Text.RegularExpressions;
 using MySqlConnector.Utilities;
 
 namespace MySql.Data.MySqlClient
@@ -122,6 +123,12 @@ public string? CertificateThumbprint
 			set => MySqlConnectionStringOption.CertificateThumbprint.SetValue(this, value);
 		}
 
+		public string? TlsVersion
+		{
+			get => MySqlConnectionStringOption.TlsVersion.GetValue(this);
+			set => MySqlConnectionStringOption.TlsVersion.SetValue(this, value);
+		}
+
 		// Connection Pooling Options
 		public bool Pooling
 		{
@@ -399,6 +406,7 @@ internal abstract class MySqlConnectionStringOption
 		public static readonly MySqlConnectionStringReferenceOption<string> SslCa;
 		public static readonly MySqlConnectionStringReferenceOption<string> SslCert;
 		public static readonly MySqlConnectionStringReferenceOption<string> SslKey;
+		public static readonly MySqlConnectionStringReferenceOption<string> TlsVersion;
 
 		// Connection Pooling Options
 		public static readonly MySqlConnectionStringValueOption<bool> Pooling;
@@ -530,6 +538,44 @@ static MySqlConnectionStringOption()
 				keys: new[] { "CertificateThumbprint", "Certificate Thumbprint", "Certificate Thumb Print" },
 				defaultValue: null));
 
+			AddOption(TlsVersion = new MySqlConnectionStringReferenceOption<string>(
+				keys: new[] { "TlsVersion", "Tls Version", "Tls-Version" },
+				defaultValue: null,
+				coerce: value =>
+				{
+					if (string.IsNullOrWhiteSpace(value))
+						return null;
+
+					Span<bool> versions = stackalloc bool[4];
+					foreach (var part in value!.TrimStart('[', '(').TrimEnd(')', ']').Split(','))
+					{
+						var match = Regex.Match(part, @"\s*TLS( ?v?(1|1\.?0|1\.?1|1\.?2|1\.?3))?$", RegexOptions.IgnoreCase);
+						if (!match.Success)
+							throw new ArgumentException($"Unrecognized TlsVersion protocol version '{part}'; permitted versions are: TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3.");
+						var version = match.Groups[2].Value;
+						if (version == "" || version == "1" || version == "10" || version == "1.0")
+							versions[0] = true;
+						else if (version == "11" || version == "1.1")
+							versions[1] = true;
+						else if (version == "12" || version == "1.2")
+							versions[2] = true;
+						else if (version == "13" || version == "1.3")
+							versions[3] = true;
+					}
+
+					var coercedValue = "";
+					for (var i = 0; i < versions.Length; i++)
+					{
+						if (versions[i])
+						{
+							if (coercedValue.Length != 0)
+								coercedValue += ", ";
+							coercedValue += "TLS 1.{0}".FormatInvariant(i);
+						}
+					}
+					return coercedValue;
+				}));
+
 			// Connection Pooling Options
 			AddOption(Pooling = new MySqlConnectionStringValueOption<bool>(
 				keys: new[] { "Pooling" },

tests/MySqlConnector.Tests/MySqlConnectionStringBuilderTests.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Linq;
 using MySql.Data.MySqlClient;
 using Xunit;
 
@@ -66,6 +67,7 @@ public void Defaults()
 			Assert.Null(csb.SslCert);
 			Assert.Null(csb.SslKey);
 			Assert.Equal(MySqlSslMode.Preferred, csb.SslMode);
+			Assert.Null(csb.TlsVersion);
 			Assert.True(csb.TreatTinyAsBoolean);
 			Assert.False(csb.UseCompression);
 			Assert.Equal("", csb.UserID);
@@ -355,5 +357,51 @@ public void SetServerSPNToNull()
 			Assert.Equal("", csb.ConnectionString);
 		}
 #endif
+
+		[Theory]
+		[InlineData("Tls", "0")]
+		[InlineData("Tls1", "0")]
+		[InlineData("Tlsv1", "0")]
+		[InlineData("Tlsv1.0", "0")]
+		[InlineData("TLS 1.0", "0")]
+		[InlineData("TLS v1.0", "0")]
+		[InlineData("Tls11", "1")]
+		[InlineData("Tlsv11", "1")]
+		[InlineData("Tlsv1.1", "1")]
+		[InlineData("TLS 1.1", "1")]
+		[InlineData("TLS v1.1", "1")]
+		[InlineData("Tls12", "2")]
+		[InlineData("Tlsv12", "2")]
+		[InlineData("Tlsv1.2", "2")]
+		[InlineData("TLS 1.2", "2")]
+		[InlineData("TLS v1.2", "2")]
+		[InlineData("Tls13", "3")]
+		[InlineData("Tlsv13", "3")]
+		[InlineData("Tlsv1.3", "3")]
+		[InlineData("TLS 1.3", "3")]
+		[InlineData("TLS v1.3", "3")]
+		[InlineData("Tls,Tls", "0")]
+		[InlineData("Tls1.1,Tls v1.1, TLS 1.1", "1")]
+		[InlineData("Tls12,Tls10", "0,2")]
+		[InlineData("TLS v1.3, TLS12, Tls 1.1", "1,2,3")]
+		public void ParseTlsVersion(string input, string expected)
+		{
+			var csb = new MySqlConnectionStringBuilder { TlsVersion = input };
+#if !BASELINE
+			string[] normalizedVersions = new[] { "TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3" };
+#else
+			string[] normalizedVersions = new[] { "Tls", "Tls11", "Tls12", "Tls13" };
+#endif
+			var expectedTlsVersion = string.Join(", ", expected.Split(',').Select(int.Parse).Select(x => normalizedVersions[x]));
+			Assert.Equal(expectedTlsVersion, csb.TlsVersion);
+		}
+
+		[Fact]
+		public void ParseInvalidTlsVersion()
+		{
+			var csb = new MySqlConnectionStringBuilder();
+			Assert.Throws<ArgumentException>(() => csb.TlsVersion = "Tls14");
+			Assert.Throws<ArgumentException>(() => new MySqlConnectionStringBuilder("TlsVersion=Tls14"));
+		}
 	}
 }

tests/MySqlConnector.Tests/MySqlConnector.Tests.csproj

@@ -32,7 +32,7 @@
   </ItemGroup>
 
   <ItemGroup Condition=" '$(Configuration)' == 'Baseline' ">
-    <PackageReference Include="MySql.Data" Version="8.0.16" />
+    <PackageReference Include="MySql.Data" Version="8.0.19" />
     <Compile Remove="ByteBufferWriterTests.cs;CachedProcedureTests.cs;ConnectionTests.cs;FakeMySqlServer.cs;FakeMySqlServerConnection.cs;LoadBalancerTests.cs;MySqlExceptionTests.cs;NormalizeTests.cs;ServerVersionTests.cs;StatementPreparerTests.cs;TypeMapperTests.cs;UtilityTests.cs" />
   </ItemGroup>
 

tests/SideBySide/SslTests.cs

@@ -1,3 +1,4 @@
+using System;
 using System.IO;
 using System.Runtime.InteropServices;
 using System.Security.Authentication;
@@ -196,6 +197,47 @@ public async Task ConnectSslTlsVersion()
 			Assert.Equal(expectedProtocolString, reader.GetString(1));
 		}
 
+		[SkippableFact(ConfigSettings.RequiresSsl)]
+		public async Task ForceTls11()
+		{
+			// require TLS 1.1 and TLS 1.2
+			if (!AppConfig.SupportedFeatures.HasFlag(ServerFeatures.Tls11) || !AppConfig.SupportedFeatures.HasFlag(ServerFeatures.Tls12))
+				return;
+
+			var csb = AppConfig.CreateConnectionStringBuilder();
+			csb.TlsVersion = "TLS 1.1";
+
+			using var connection = new MySqlConnection(csb.ConnectionString);
+			await connection.OpenAsync();
+
+#if !BASELINE
+			Assert.Equal(SslProtocols.Tls11, connection.SslProtocol);
+#endif
+			using var cmd = new MySqlCommand("show status like 'Ssl_version';", connection);
+			using var reader = await cmd.ExecuteReaderAsync();
+			Assert.True(reader.Read());
+			Assert.Equal("TLSv1.1", reader.GetString(1));
+		}
+
+#if NETCOREAPP3_0
+		[SkippableFact(ConfigSettings.RequiresSsl)]
+		public async Task RequireTls13()
+		{
+			if (AppConfig.SupportedFeatures.HasFlag(ServerFeatures.Tls13))
+				return;
+
+			var csb = AppConfig.CreateConnectionStringBuilder();
+			csb.TlsVersion = "TLS 1.3";
+
+			using var connection = new MySqlConnection(csb.ConnectionString);
+#if !BASELINE
+			await Assert.ThrowsAsync<MySqlException>(async () => await connection.OpenAsync());
+#else
+			await Assert.ThrowsAsync<Win32Exception>(async () => await connection.OpenAsync());
+#endif
+		}
+#endif
+
 		readonly DatabaseFixture m_database;
 	}
 }