Fix for Bug#31117686, PROTOCOL ALLOWLIST NOT COMPATIBLE WITH IBM JAVA.

soklakov · soklakov · commit 15080450a368 · 2021-09-01T20:44:37.000+04:00
diff --git a/CHANGES b/CHANGES
@@ -3,6 +3,8 @@
 
 Version 8.0.27
 
+  - Fix for Bug#31117686, PROTOCOL ALLOWLIST NOT COMPATIBLE WITH IBM JAVA.
+
   - Fix for Bug#104559 (33232419), ResultSet.getObject(i, java.util.Date.class) throws NPE when the value is null.
 
   - WL#14707, Support OCI IAM authentication.
diff --git a/src/main/core-impl/java/com/mysql/cj/protocol/ExportControlled.java b/src/main/core-impl/java/com/mysql/cj/protocol/ExportControlled.java
@@ -122,9 +122,19 @@ public class ExportControlled {
         try {
             Properties tlsSettings = new Properties();
             tlsSettings.load(ExportControlled.class.getResourceAsStream(TLS_SETTINGS_RESOURCE));
-            Arrays.stream(tlsSettings.getProperty("TLSCiphers.Mandatory").split("\\s*,\\s*")).forEach(s -> ALLOWED_CIPHERS.add(s.trim()));
-            Arrays.stream(tlsSettings.getProperty("TLSCiphers.Approved").split("\\s*,\\s*")).forEach(s -> ALLOWED_CIPHERS.add(s.trim()));
-            Arrays.stream(tlsSettings.getProperty("TLSCiphers.Deprecated").split("\\s*,\\s*")).forEach(s -> ALLOWED_CIPHERS.add(s.trim()));
+            // Ciphers prefixed with "TLS_" are used by Oracle Java while the ones prefixed with "SSL_" are used by IBM Java
+            Arrays.stream(tlsSettings.getProperty("TLSCiphers.Mandatory").split("\\s*,\\s*")).forEach(s -> {
+                ALLOWED_CIPHERS.add("TLS_" + s.trim());
+                ALLOWED_CIPHERS.add("SSL_" + s.trim());
+            });
+            Arrays.stream(tlsSettings.getProperty("TLSCiphers.Approved").split("\\s*,\\s*")).forEach(s -> {
+                ALLOWED_CIPHERS.add("TLS_" + s.trim());
+                ALLOWED_CIPHERS.add("SSL_" + s.trim());
+            });
+            Arrays.stream(tlsSettings.getProperty("TLSCiphers.Deprecated").split("\\s*,\\s*")).forEach(s -> {
+                ALLOWED_CIPHERS.add("TLS_" + s.trim());
+                ALLOWED_CIPHERS.add("SSL_" + s.trim());
+            });
             Arrays.stream(tlsSettings.getProperty("TLSCiphers.Unacceptable.Mask").split("\\s*,\\s*")).forEach(s -> RESTRICTED_CIPHER_SUBSTR.add(s.trim()));
         } catch (IOException e) {
             throw ExceptionFactory.createException("Unable to load TlsSettings.properties");
diff --git a/src/main/resources/com/mysql/cj/TlsSettings.properties b/src/main/resources/com/mysql/cj/TlsSettings.properties
@@ -1,4 +1,4 @@
-# Copyright (c) 2019, 2020, Oracle and/or its affiliates.
+# Copyright (c) 2019, 2021, Oracle and/or its affiliates.
 #
 # This program is free software; you can redistribute it and/or modify it under
 # the terms of the GNU General Public License, version 2.0, as published by the
@@ -27,84 +27,100 @@
 
 # Mandatory TLS Ciphers
 TLSCiphers.Mandatory=\
-    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\
-    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\
-    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+    ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\
+    ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\
+    ECDHE_RSA_WITH_AES_128_GCM_SHA256
 
 # Approved TLS Ciphers
 TLSCiphers.Approved=\
-    TLS_AES_128_GCM_SHA256,\
-    TLS_AES_256_GCM_SHA384,\
-    TLS_CHACHA20_POLY1305_SHA256,\
-    TLS_AES_128_CCM_SHA256,\
-    TLS_AES_128_CCM_8_SHA256,\
-    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\
-    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,\
-    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,\
-    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,\
-    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,\
-    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,\
-    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,\
-    TLS_DH_DSS_WITH_AES_128_GCM_SHA256,\
-    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,\
-    TLS_DH_DSS_WITH_AES_256_GCM_SHA384,\
-    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,\
-    TLS_DH_RSA_WITH_AES_128_GCM_SHA256,\
-    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,\
-    TLS_DH_RSA_WITH_AES_256_GCM_SHA384,\
-    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+    AES_128_GCM_SHA256,\
+    AES_256_GCM_SHA384,\
+    CHACHA20_POLY1305_SHA256,\
+    AES_128_CCM_SHA256,\
+    AES_128_CCM_8_SHA256,\
+    ECDHE_RSA_WITH_AES_256_GCM_SHA384,\
+    DHE_RSA_WITH_AES_128_GCM_SHA256,\
+    DHE_DSS_WITH_AES_128_GCM_SHA256,\
+    DHE_DSS_WITH_AES_256_GCM_SHA384,\
+    DHE_RSA_WITH_AES_256_GCM_SHA384,\
+    ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,\
+    ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,\
+    ECDHE_ECDSA_WITH_AES_256_CCM,\
+    ECDHE_ECDSA_WITH_AES_128_CCM,\
+    DHE_RSA_WITH_AES_256_CCM,\
+    DHE_RSA_WITH_AES_128_CCM,\
+    DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,\
+    ECDHE_ECDSA_WITH_AES_256_CCM_8,\
+    ECDHE_ECDSA_WITH_AES_128_CCM_8,\
+    DHE_RSA_WITH_AES_256_CCM_8,\
+    DHE_RSA_WITH_AES_128_CCM_8
 
 # Deprecated TLS Ciphers
 TLSCiphers.Deprecated=\
-    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,\
-    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\
-    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,\
-    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,\
-    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,\
-    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,\
-    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,\
-    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,\
-    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,\
-    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,\
-    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,\
-    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,\
-    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,\
-    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\
-    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,\
-    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,\
-    TLS_DH_RSA_WITH_AES_128_CBC_SHA256,\
-    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,\
-    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,\
-    TLS_DH_RSA_WITH_AES_256_CBC_SHA256,\
-    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,\
-    TLS_DH_DSS_WITH_AES_128_CBC_SHA256,\
-    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,\
-    TLS_DH_DSS_WITH_AES_128_CBC_SHA,\
-    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,\
-    TLS_DH_DSS_WITH_AES_256_CBC_SHA,\
-    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,\
-    TLS_DH_DSS_WITH_AES_256_CBC_SHA256,\
-    TLS_DH_RSA_WITH_AES_128_CBC_SHA,\
-    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,\
-    TLS_DH_RSA_WITH_AES_256_CBC_SHA,\
-    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,\
-    TLS_RSA_WITH_AES_128_GCM_SHA256,\
-    TLS_RSA_WITH_AES_256_GCM_SHA384,\
-    TLS_RSA_WITH_AES_128_CBC_SHA256,\
-    TLS_RSA_WITH_AES_256_CBC_SHA256,\
-    TLS_RSA_WITH_AES_128_CBC_SHA,\
-    TLS_RSA_WITH_AES_256_CBC_SHA,\
-    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,\
-    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,\
-    TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,\
-    TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,\
-    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,\
-    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,\
-    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,\
-    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,\
-    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,\
-    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,\
-    TLS_RSA_WITH_3DES_EDE_CBC_SHA
+    ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,\
+    ECDHE_RSA_WITH_AES_128_CBC_SHA256,\
+    ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,\
+    ECDHE_RSA_WITH_AES_256_CBC_SHA384,\
+    DHE_DSS_WITH_AES_128_CBC_SHA256,\
+    DHE_DSS_WITH_AES_256_CBC_SHA256,\
+    DHE_RSA_WITH_AES_256_CBC_SHA256,\
+    DHE_RSA_WITH_AES_128_CBC_SHA256,\
+    DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,\
+    DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,\
+    ECDHE_RSA_WITH_AES_128_CBC_SHA,\
+    ECDHE_ECDSA_WITH_AES_128_CBC_SHA,\
+    ECDHE_RSA_WITH_AES_256_CBC_SHA,\
+    ECDHE_ECDSA_WITH_AES_256_CBC_SHA,\
+    DHE_DSS_WITH_AES_128_CBC_SHA,\
+    DHE_RSA_WITH_AES_128_CBC_SHA,\
+    DHE_RSA_WITH_AES_256_CBC_SHA,\
+    DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,\
+    RSA_WITH_CAMELLIA_128_CBC_SHA,\
+    DH_RSA_WITH_AES_128_CBC_SHA256,\
+    ECDH_ECDSA_WITH_AES_128_CBC_SHA256,\
+    ECDH_RSA_WITH_AES_128_CBC_SHA256,\
+    DH_RSA_WITH_AES_256_CBC_SHA256,\
+    ECDH_RSA_WITH_AES_256_CBC_SHA384,\
+    DH_DSS_WITH_AES_128_CBC_SHA256,\
+    ECDH_ECDSA_WITH_AES_256_CBC_SHA384,\
+    DH_DSS_WITH_AES_128_CBC_SHA,\
+    ECDH_ECDSA_WITH_AES_128_CBC_SHA,\
+    DH_DSS_WITH_AES_256_CBC_SHA,\
+    ECDH_ECDSA_WITH_AES_256_CBC_SHA,\
+    DH_DSS_WITH_AES_256_CBC_SHA256,\
+    DH_RSA_WITH_AES_128_CBC_SHA,\
+    ECDH_RSA_WITH_AES_128_CBC_SHA,\
+    DH_RSA_WITH_AES_256_CBC_SHA,\
+    ECDH_RSA_WITH_AES_256_CBC_SHA,\
+    RSA_WITH_AES_128_GCM_SHA256,\
+    RSA_WITH_AES_128_CCM,\
+    RSA_WITH_AES_128_CCM_8,\
+    RSA_WITH_AES_256_GCM_SHA384,\
+    RSA_WITH_AES_256_CCM,\
+    RSA_WITH_AES_256_CCM_8,\
+    RSA_WITH_AES_128_CBC_SHA256,\
+    RSA_WITH_AES_256_CBC_SHA256,\
+    RSA_WITH_AES_128_CBC_SHA,\
+    RSA_WITH_AES_256_CBC_SHA,\
+    RSA_WITH_CAMELLIA_256_CBC_SHA,\
+    RSA_WITH_CAMELLIA_128_CBC_SHA,\
+    DH_DSS_WITH_AES_128_GCM_SHA256,\
+    ECDH_ECDSA_WITH_AES_128_GCM_SHA256,\
+    DH_DSS_WITH_AES_256_GCM_SHA384,\
+    ECDH_ECDSA_WITH_AES_256_GCM_SHA384,\
+    DH_RSA_WITH_AES_128_GCM_SHA256,\
+    ECDH_RSA_WITH_AES_128_GCM_SHA256,\
+    DH_RSA_WITH_AES_256_GCM_SHA384,\
+    ECDH_RSA_WITH_AES_256_GCM_SHA384,\
+    DH_DSS_WITH_3DES_EDE_CBC_SHA,\
+    DH_RSA_WITH_3DES_EDE_CBC_SHA,\
+    DHE_DSS_WITH_3DES_EDE_CBC_SHA,\
+    DHE_RSA_WITH_3DES_EDE_CBC_SHA,\
+    ECDH_RSA_WITH_3DES_EDE_CBC_SHA,\
+    ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,\
+    ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,\
+    ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,\
+    RSA_WITH_3DES_EDE_CBC_SHA
 
 # Unacceptable TLS Ciphers
 TLSCiphers.Unacceptable.Mask=_ANON_,_NULL_,_EXPORT,_MD5,_DES,_RC2_,_RC4_,_PSK_
