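#
# Build the server cipher list from the JSON array stored in
# $cipher_db.$cipher_table (column `ciphers`), write it to the
# cipher-related global variables and reload TLS on the main and admin
# channels.
#
# Usage:
# --let $cipher_db = <db>
# --let $cipher_table = <table>
# --let $TLS_VERSION = "TLSv1.2" or "TLSv1.3"
# --let $BLOCKED_CIPHERS = 0 or 1
# --let $OPENSSL_102 = 0 or 1
#
# --source ../inc/set_ciphers.inc
#
# Notes:
# - Variable names above are spelled the way the script below reads them
#   ($cipher_db / $cipher_table are lower case).
# - $TLS_VERSION selects the pair of system variables that is written:
#     TLSv1.2 -> ssl_cipher / admin_ssl_cipher
#     TLSv1.3 -> tls_ciphersuites / admin_tls_ciphersuites
#   NOTE(review): --let stores its right-hand side verbatim, so check whether
#   the quotes shown above are really wanted in the value.
# - $BLOCKED_CIPHERS = 1 means the list is expected to be rejected by the SSL
#   library: both reloads must fail with ER_DA_SSL_LIBRARY_ERROR and the
#   previous values are put back before reloading again.
# - $OPENSSL_102 is listed for callers but is not referenced in this script.
# - The previous values stay in @saved_ciphers, @saved_ciphersuites,
#   @saved_admin_ciphers and @saved_admin_ciphersuites so a caller can restore
#   them after a $BLOCKED_CIPHERS = 0 run.
#

# Reject an unknown TLS version before touching anything: the SET GLOBAL
# branches below are keyed on this value, and an unrecognised one would leave
# the server configuration unchanged while the test still appears to pass.
--let $tls_version_known = 0
if ($TLS_VERSION == "TLSv1.2") {
--let $tls_version_known = 1
}
if ($TLS_VERSION == "TLSv1.3") {
--let $tls_version_known = 1
}
if ($tls_version_known == 0) {
--die set_ciphers.inc: TLS_VERSION must be TLSv1.2 or TLSv1.3
}

# Number of entries in the JSON array; empty when the table has no rows.
# NOTE(review): an empty array ([]) yields 0 and is not treated specially here.
--let $records = `SELECT JSON_LENGTH(ciphers) FROM $cipher_db.$cipher_table`
if ($records != "") {
--let $i = 0
--disable_query_log
# Seed @ciphers with the first entry, then append the rest as a ':'-separated
# list (the format ssl_cipher / tls_ciphersuites expect).
--eval SELECT JSON_UNQUOTE(JSON_EXTRACT(ciphers, '$[$i]')) FROM $cipher_db.$cipher_table INTO @ciphers
--inc $i
while ($i < $records) {
--eval SELECT CONCAT(@ciphers, ':', JSON_UNQUOTE(JSON_EXTRACT(ciphers, '$[$i]'))) FROM $cipher_db.$cipher_table INTO @ciphers
--inc $i
}
--let $CIPHERS = `SELECT @ciphers`
--echo # Setting server ciphers: $CIPHERS
# Remember the current values so a rejected list can be rolled back and so
# the caller can restore them afterwards.
SELECT @@global.ssl_cipher INTO @saved_ciphers;
SELECT @@global.tls_ciphersuites INTO @saved_ciphersuites;
SELECT @@global.admin_ssl_cipher INTO @saved_admin_ciphers;
SELECT @@global.admin_tls_ciphersuites INTO @saved_admin_ciphersuites;
if ($TLS_VERSION == "TLSv1.2") {
SET GLOBAL ssl_cipher=@ciphers;
SET GLOBAL admin_ssl_cipher=@ciphers;
}
if ($TLS_VERSION == "TLSv1.3") {
SET GLOBAL tls_ciphersuites=@ciphers;
SET GLOBAL admin_tls_ciphersuites=@ciphers;
}
# SET GLOBAL only stores the string; the list is validated by the SSL library
# when the channel is reloaded, which is why the expected error sits on the
# ALTER INSTANCE statements rather than on the SET.
if ($BLOCKED_CIPHERS == 0) {
ALTER INSTANCE RELOAD TLS FOR CHANNEL mysql_main;
ALTER INSTANCE RELOAD TLS FOR CHANNEL mysql_admin;
}
if ($BLOCKED_CIPHERS == 1) {
--error ER_DA_SSL_LIBRARY_ERROR
ALTER INSTANCE RELOAD TLS FOR CHANNEL mysql_main;
--error ER_DA_SSL_LIBRARY_ERROR
ALTER INSTANCE RELOAD TLS FOR CHANNEL mysql_admin;
# Reset ciphers to last known good values and reload so the server is not
# left with a rejected list in its global variables.
if ($TLS_VERSION == "TLSv1.2") {
SET GLOBAL ssl_cipher=@saved_ciphers;
SET GLOBAL admin_ssl_cipher=@saved_admin_ciphers;
}
if ($TLS_VERSION == "TLSv1.3") {
SET GLOBAL tls_ciphersuites=@saved_ciphersuites;
SET GLOBAL admin_tls_ciphersuites=@saved_admin_ciphersuites;
}
ALTER INSTANCE RELOAD TLS FOR CHANNEL mysql_main;
ALTER INSTANCE RELOAD TLS FOR CHANNEL mysql_admin;
}
--enable_query_log
}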