WL#15800: Deprecate usage of weak ciphers in server

Description:
- Added deprecated cipher checks in server.
- Removed deprecated ciphers from server default
- Added test cases
- Fixed test cases: Removed usage of deprecated ciphers

Change-Id: I68d21d2cb2f27c4d38c6b955bc1ac02e13104c4f

Author: harinvadodaria

include/tls_ciphers.h

@@ -0,0 +1,192 @@
+/*
+  Copyright (c) 2018, 2023, Oracle and/or its affiliates.
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License, version 2.0,
+  as published by the Free Software Foundation.
+
+  This program is also distributed with certain software (including
+  but not limited to OpenSSL) that is licensed under separate terms,
+  as designated in a particular file or component or in included license
+  documentation.  The authors of MySQL hereby grant you an additional
+  permission to link the program and your derivative works with the
+  separately licensed software that they have included with MySQL.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+#ifndef TLS_CIPHERS_INCLUDED
+#define TLS_CIPHERS_INCLUDED
+
+namespace {
+
+/**
+  Configuring list of ciphers
+
+  TLSv1.2
+  =======
+  Server: Specify in folllowing order:
+  1. Blocked ciphers
+  2. Approved ciphers
+
+  Client: Specify in following order:
+  1. Blocked ciphers
+  2. Approved ciphers
+  3. Client specific ciphers
+
+  TLSv1.3
+  =======
+  Server: Specify in folllowing order:
+  1. Blocked ciphers (None atm)
+  2. Approved ciphers
+
+  Client: Specify in following order:
+  1. Blocked ciphers (None atm)
+  2. Approved ciphers
+  3. Client specific ciphers (None atm)
+
+*/
+
+/*
+  List of TLSv1.3 ciphers in order to their priority.
+  Addition to the list must be done keeping priority of the
+  new cipher in mind.
+  The last entry must not contain a trailing ":".
+
+  Current criteria for inclusion is:
+  1. Must provide Perfect Forward Secrecy
+  2. Uses SHA2 in cipher/certificate
+  3. Uses AES in GCM or any other AEAD algorithms/modes
+*/
+const char default_tls13_ciphers[] = {
+    "TLS_AES_128_GCM_SHA256:"
+    "TLS_AES_256_GCM_SHA384:"
+    "TLS_CHACHA20_POLY1305_SHA256:"
+    "TLS_AES_128_CCM_SHA256"};
+
+/*
+  List of TLSv1.2 ciphers in order to their priority.
+  Addition to the list must be done keeping priority of the
+  new cipher in mind.
+  The last entry must not contain a trailing ":".
+
+  Current criteria for inclusion is:
+  1. Must provide Perfect Forward Secrecy
+  2. Uses SHA2 in cipher/certificate
+  3. Uses AES in GCM or any other AEAD algorithms/modes
+*/
+const char default_tls12_ciphers[] = {
+    "ECDHE-ECDSA-AES128-GCM-SHA256:"
+    "ECDHE-ECDSA-AES256-GCM-SHA384:"
+    "ECDHE-RSA-AES128-GCM-SHA256:"
+    "ECDHE-RSA-AES256-GCM-SHA384:"
+    "ECDHE-ECDSA-CHACHA20-POLY1305:"
+    "ECDHE-RSA-CHACHA20-POLY1305:"
+    "ECDHE-ECDSA-AES256-CCM:"
+    "ECDHE-ECDSA-AES128-CCM:"
+    "DHE-RSA-AES128-GCM-SHA256:"
+    "DHE-RSA-AES256-GCM-SHA384:"
+    "DHE-RSA-AES256-CCM:"
+    "DHE-RSA-AES128-CCM:"
+    "DHE-RSA-CHACHA20-POLY1305"};
+
+/*
+  Following ciphers (or categories of ciphers) are not permitted
+  because they are too weak to provide required security.
+
+  New cipher/category can be added at any position.
+
+  Care must be taken to prefix cipher/category with "!"
+*/
+const char blocked_tls12_ciphers[] = {
+    "!aNULL:"
+    "!eNULL:"
+    "!EXPORT:"
+    "!LOW:"
+    "!MD5:"
+    "!DES:"
+    "!3DES:"
+    "!RC2:"
+    "!RC4:"
+    "!PSK:"
+    "!DH-RSA-AES128-SHA256:"
+    "!DH-RSA-AES256-SHA256:"
+    "!DH-DSS-AES128-SHA256:"
+    "!DH-DSS-AES128-SHA:"
+    "!DH-DSS-AES256-SHA:"
+    "!DH-DSS-AES256-SHA256:"
+    "!DH-RSA-AES128-SHA:"
+    "!DH-RSA-AES256-SHA:"
+    "!DH-DSS-AES128-GCM-SHA256:"
+    "!DH-DSS-AES256-GCM-SHA384:"
+    "!DH-RSA-AES128-GCM-SHA256:"
+    "!DH-RSA-AES256-GCM-SHA384"};
+
+/*
+  Following ciphers are added to the list of permissible ciphers
+  while configuring the ciphers on client side.
+
+  This is done to provide backward compatbility.
+*/
+const char additional_client_ciphers[] = {
+    "ECDHE-ECDSA-AES256-CCM8:"
+    "ECDHE-ECDSA-AES128-CCM8:"
+    "DHE-RSA-AES256-CCM8:"
+    "DHE-RSA-AES128-CCM8:"
+    "ECDHE-ECDSA-AES128-SHA256:"
+    "ECDHE-RSA-AES128-SHA256:"
+    "ECDHE-ECDSA-AES256-SHA384:"
+    "ECDHE-RSA-AES256-SHA384:"
+    "DHE-DSS-AES256-GCM-SHA384:"
+    "DHE-DSS-AES128-GCM-SHA256:"
+    "DHE-DSS-AES128-SHA256:"
+    "DHE-DSS-AES256-SHA256:"
+    "DHE-RSA-AES256-SHA256:"
+    "DHE-RSA-AES128-SHA256:"
+    "DHE-RSA-CAMELLIA256-SHA256:"
+    "DHE-RSA-CAMELLIA128-SHA256:"
+    "ECDHE-RSA-AES128-SHA:"
+    "ECDHE-ECDSA-AES128-SHA:"
+    "ECDHE-RSA-AES256-SHA:"
+    "ECDHE-ECDSA-AES256-SHA:"
+    "DHE-DSS-AES128-SHA:"
+    "DHE-RSA-AES128-SHA:"
+    "DHE-RSA-AES256-SHA:"
+    "DHE-DSS-AES256-SHA:"
+    "DHE-RSA-CAMELLIA256-SHA:"
+    "DHE-RSA-CAMELLIA128-SHA:"
+    "ECDH-ECDSA-AES128-SHA256:"
+    "ECDH-RSA-AES128-SHA256:"
+    "ECDH-RSA-AES256-SHA384:"
+    "ECDH-ECDSA-AES256-SHA384:"
+    "ECDH-ECDSA-AES128-SHA:"
+    "ECDH-ECDSA-AES256-SHA:"
+    "ECDH-RSA-AES128-SHA:"
+    "ECDH-RSA-AES256-SHA:"
+    "AES128-GCM-SHA256:"
+    "AES128-CCM:"
+    "AES128-CCM8:"
+    "AES256-GCM-SHA384:"
+    "AES256-CCM:"
+    "AES256-CCM8:"
+    "AES128-SHA256:"
+    "AES256-SHA256:"
+    "AES128-SHA:"
+    "AES256-SHA:"
+    "CAMELLIA256-SHA:"
+    "CAMELLIA128-SHA:"
+    "ECDH-ECDSA-AES128-GCM-SHA256:"
+    "ECDH-ECDSA-AES256-GCM-SHA384:"
+    "ECDH-RSA-AES128-GCM-SHA256:"
+    "ECDH-RSA-AES256-GCM-SHA384"};
+
+}  // namespace
+
+#endif /* TLS_CIPHERS_INCLUDED */

mysql-test/include/excludenoskip.list

@@ -105,6 +105,7 @@ check_openssl_version.inc
 check_openssl.inc
 have_tlsv13.inc
 not_have_tlsv13.inc
+not_tlsv13.inc
 not_min_protocol_tlsv12.inc
 
 # 4.5 Reason for inclusion: Tests should run only with supported innodb page

mysql-test/r/grant_alter_user_qa.result

@@ -173,7 +173,7 @@ ssl_cipher
 x509_issuer	
 x509_subject	sub
 CREATE USER u10@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string#y'
-REQUIRE CIPHER "DHE-RSA-AES256-SHA" AND
+REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
 SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
 ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
 PASSWORD EXPIRE DEFAULT;
@@ -182,7 +182,7 @@ x509_subject,password_expired,password_lifetime FROM mysql.user WHERE USER='u10'
 User	u10
 plugin	sha256_password
 ssl_type	SPECIFIED
-ssl_cipher	DHE-RSA-AES256-SHA
+ssl_cipher	ECDHE-RSA-AES128-GCM-SHA256
 x509_issuer	/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA
 x509_subject	/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client
 password_expired	N
@@ -191,7 +191,7 @@ SELECT USER();
 USER()
 u10@localhost
 CREATE USER tu6@localhost IDENTIFIED WITH 'test_plugin_server' AS '#hGrt0O6'
-REQUIRE CIPHER "DHE-RSA-AES256-SHA" AND
+REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
 SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
 ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
 WITH MAX_QUERIES_PER_HOUR 2 MAX_USER_CONNECTIONS 2;
@@ -200,7 +200,7 @@ x509_subject,max_questions,max_user_connections FROM mysql.user WHERE USER='tu6'
 User	tu6
 plugin	test_plugin_server
 ssl_type	SPECIFIED
-ssl_cipher	DHE-RSA-AES256-SHA
+ssl_cipher	ECDHE-RSA-AES128-GCM-SHA256
 x509_issuer	/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA
 x509_subject	/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client
 max_questions	2
@@ -568,13 +568,13 @@ password_expired	N
 password_last_changed	#
 password_lifetime	NULL
 CREATE USER u7@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string'
-                         REQUIRE CIPHER 'DHE-RSA-AES256-SHA';
+                         REQUIRE CIPHER 'ECDHE-RSA-AES128-GCM-SHA256';
 SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
 plugin,password_expired,
 password_last_changed,password_lifetime FROM mysql.user WHERE USER='u7';
 User	u7
 ssl_type	SPECIFIED
-ssl_cipher	DHE-RSA-AES256-SHA
+ssl_cipher	ECDHE-RSA-AES128-GCM-SHA256
 x509_issuer	
 x509_subject	
 plugin	sha256_password
@@ -613,13 +613,13 @@ password_expired	N
 password_last_changed	#
 password_lifetime	NULL
 ALTER USER u8@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string'
-                        REQUIRE CIPHER "DHE-RSA-AES256-SHA";
+                        REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256";
 SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
 plugin,password_expired,
 password_last_changed,password_lifetime FROM mysql.user WHERE USER='u8';
 User	u8
 ssl_type	SPECIFIED
-ssl_cipher	DHE-RSA-AES256-SHA
+ssl_cipher	ECDHE-RSA-AES128-GCM-SHA256
 x509_issuer	
 x509_subject	
 plugin	sha256_password
@@ -644,13 +644,13 @@ password_expired	N
 password_last_changed	#
 password_lifetime	NULL
 ALTER USER tu1@localhost IDENTIFIED WITH 'sha256_password'
-                         REQUIRE CIPHER "DHE-RSA-AES256-SHA";
+                         REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256";
 SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
 plugin,password_expired,
 password_last_changed,password_lifetime FROM mysql.user WHERE USER='tu1';
 User	tu1
 ssl_type	SPECIFIED
-ssl_cipher	DHE-RSA-AES256-SHA
+ssl_cipher	ECDHE-RSA-AES128-GCM-SHA256
 x509_issuer	
 x509_subject	
 plugin	sha256_password
@@ -699,15 +699,15 @@ password_expired	N
 password_last_changed	#
 password_lifetime	NULL
 CREATE USER u10@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string'
-                          REQUIRE CIPHER "DHE-RSA-AES256-SHA" AND
+                          REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
 SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
                           ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA";
 SELECT User,ssl_type,ssl_cipher,x509_issuer,x509_subject,
 plugin,password_expired,
 password_last_changed,password_lifetime FROM mysql.user WHERE USER='u10';
 User	u10
 ssl_type	SPECIFIED
-ssl_cipher	DHE-RSA-AES256-SHA
+ssl_cipher	ECDHE-RSA-AES128-GCM-SHA256
 x509_issuer	/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA
 x509_subject	/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client
 plugin	sha256_password
@@ -1243,14 +1243,14 @@ SHOW CREATE USER u9@localhost;
 CREATE USER for u9@localhost
 CREATE USER `u9`@`localhost` IDENTIFIED WITH 'caching_sha2_password' REQUIRE SUBJECT 'sub' PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT
 CREATE USER u10@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string'
-            REQUIRE CIPHER "DHE-RSA-AES256-SHA" AND
+            REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
 SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
             ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA";
 SHOW CREATE USER u10@localhost;
 CREATE USER for u10@localhost
-CREATE USER `u10`@`localhost` IDENTIFIED WITH 'sha256_password' AS '<non-deterministic-password-hash>' REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client' ISSUER '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA' CIPHER 'DHE-RSA-AES256-SHA' PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT
+CREATE USER `u10`@`localhost` IDENTIFIED WITH 'sha256_password' AS '<non-deterministic-password-hash>' REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client' ISSUER '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA' CIPHER 'ECDHE-RSA-AES128-GCM-SHA256' PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT
 ALTER USER u10@localhost IDENTIFIED WITH 'sha256_password' BY 'auth_string'
-           REQUIRE CIPHER "DHE-RSA-AES256-SHA" AND
+           REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
 SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
            ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
            WITH MAX_CONNECTIONS_PER_HOUR 1000
@@ -1259,7 +1259,7 @@ MAX_UPDATES_PER_HOUR 100;
 # SHOW CREATE USER after ALTER user attributes
 SHOW CREATE USER u10@localhost;
 CREATE USER for u10@localhost
-CREATE USER `u10`@`localhost` IDENTIFIED WITH 'sha256_password' AS '<non-deterministic-password-hash>' REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client' ISSUER '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA' CIPHER 'DHE-RSA-AES256-SHA' WITH MAX_QUERIES_PER_HOUR 60 MAX_UPDATES_PER_HOUR 100 MAX_CONNECTIONS_PER_HOUR 1000 MAX_USER_CONNECTIONS 20 PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT
+CREATE USER `u10`@`localhost` IDENTIFIED WITH 'sha256_password' AS '<non-deterministic-password-hash>' REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client' ISSUER '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA' CIPHER 'ECDHE-RSA-AES128-GCM-SHA256' WITH MAX_QUERIES_PER_HOUR 60 MAX_UPDATES_PER_HOUR 100 MAX_CONNECTIONS_PER_HOUR 1000 MAX_USER_CONNECTIONS 20 PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT
 CREATE USER u11@localhost WITH MAX_QUERIES_PER_HOUR 2;
 SHOW CREATE USER u11@localhost;
 CREATE USER for u11@localhost
@@ -1447,14 +1447,14 @@ CREATE USER user12@localhost IDENTIFIED WITH 'sha256_password'
                              PASSWORD EXPIRE NEVER;
 CREATE USER u2@localhost IDENTIFIED BY 'meow';
 CREATE USER u10@localhost IDENTIFIED WITH 'sha256_password'
-                          REQUIRE CIPHER "DHE-RSA-AES256-SHA" AND
+                          REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
 SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
                           ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
                           WITH MAX_QUERIES_PER_HOUR 2 MAX_USER_CONNECTIONS 2;
 ALTER USER u10@localhost IDENTIFIED WITH 'mysql_native_password' BY 'auth_string'
                          REQUIRE SSL;
 ALTER USER user11@localhost IDENTIFIED WITH 'sha256_password'
-                            REQUIRE CIPHER "DHE-RSA-AES256-SHA" AND
+                            REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
 SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
                             ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
                             PASSWORD EXPIRE  DEFAULT ACCOUNT UNLOCK;
@@ -1487,9 +1487,9 @@ binlog.000001	#	Query	#	#	use `test`; CREATE USER 'user1'@'localhost' IDENTIFIED
 binlog.000001	#	Query	#	#	use `test`; CREATE USER 'user11'@'localhost' IDENTIFIED WITH 'mysql_native_password' PASSWORD EXPIRE NEVER ACCOUNT LOCK
 binlog.000001	#	Query	#	#	use `test`; CREATE USER 'user12'@'localhost' IDENTIFIED WITH 'sha256_password' PASSWORD EXPIRE NEVER
 binlog.000001	#	Query	#	#	use `test`; CREATE USER 'u2'@'localhost' IDENTIFIED WITH 'caching_sha2_password' AS '<non-deterministic-password-hash>'
-binlog.000001	#	Query	#	#	use `test`; CREATE USER 'u10'@'localhost' IDENTIFIED WITH 'sha256_password' REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client' ISSUER '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA' CIPHER 'DHE-RSA-AES256-SHA' WITH MAX_QUERIES_PER_HOUR 2 MAX_USER_CONNECTIONS 2
+binlog.000001	#	Query	#	#	use `test`; CREATE USER 'u10'@'localhost' IDENTIFIED WITH 'sha256_password' REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client' ISSUER '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA' CIPHER 'ECDHE-RSA-AES128-GCM-SHA256' WITH MAX_QUERIES_PER_HOUR 2 MAX_USER_CONNECTIONS 2
 binlog.000001	#	Query	#	#	use `test`; ALTER USER 'u10'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF' REQUIRE SSL
-binlog.000001	#	Query	#	#	use `test`; ALTER USER 'user11'@'localhost' IDENTIFIED WITH 'sha256_password' REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client' ISSUER '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA' CIPHER 'DHE-RSA-AES256-SHA' PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK
+binlog.000001	#	Query	#	#	use `test`; ALTER USER 'user11'@'localhost' IDENTIFIED WITH 'sha256_password' REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client' ISSUER '/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA' CIPHER 'ECDHE-RSA-AES128-GCM-SHA256' PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK
 binlog.000001	#	Query	#	#	use `test`; ALTER USER 'user12'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*67092806AE91BFB6BE72DE6C7BE2B7CCA8CFA9DF' PASSWORD EXPIRE INTERVAL 90 DAY ACCOUNT UNLOCK
 binlog.000001	#	Query	#	#	use `test`; CREATE USER 'user13'@'localhost' IDENTIFIED WITH 'caching_sha2_password' AS '<non-deterministic-password-hash>' ACCOUNT UNLOCK
 binlog.000001	#	Query	#	#	use `test`; ALTER USER 'user13'@'localhost' WITH MAX_QUERIES_PER_HOUR 22 MAX_USER_CONNECTIONS 4 PASSWORD EXPIRE NEVER ACCOUNT LOCK
@@ -1521,14 +1521,14 @@ CREATE USER user12@localhost IDENTIFIED WITH 'sha256_password'
                              PASSWORD EXPIRE NEVER;
 CREATE USER u2@localhost IDENTIFIED BY 'meow';
 CREATE USER u10@localhost IDENTIFIED WITH 'sha256_password'
-            REQUIRE CIPHER "DHE-RSA-AES256-SHA" AND
+            REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
 SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
             ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
             WITH MAX_QUERIES_PER_HOUR 2 MAX_USER_CONNECTIONS 2;
 ALTER USER u10@localhost IDENTIFIED WITH 'mysql_native_password' BY 'auth_string'
                          REQUIRE SSL;
 ALTER USER user11@localhost IDENTIFIED WITH 'sha256_password'
-           REQUIRE CIPHER "DHE-RSA-AES256-SHA" AND
+           REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
 SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
            ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
            PASSWORD EXPIRE  DEFAULT ACCOUNT UNLOCK;
@@ -1566,7 +1566,7 @@ CREATE USER user12@localhost IDENTIFIED WITH 'sha256_password'
                              PASSWORD EXPIRE NEVER
 CREATE USER 'u2'@'localhost' IDENTIFIED BY <secret>
 CREATE USER u10@localhost IDENTIFIED WITH 'sha256_password'
-            REQUIRE CIPHER "DHE-RSA-AES256-SHA" AND
+            REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
 SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
             ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
             WITH MAX_QUERIES_PER_HOUR 2 MAX_USER_CONNECTIONS 2
@@ -1582,7 +1582,7 @@ command_type NOT LIKE 'Prepare';
 argument
 ALTER USER 'u10'@'localhost' IDENTIFIED WITH 'mysql_native_password' BY <secret> REQUIRE SSL
 ALTER USER user11@localhost IDENTIFIED WITH 'sha256_password'
-           REQUIRE CIPHER "DHE-RSA-AES256-SHA" AND
+           REQUIRE CIPHER "ECDHE-RSA-AES128-GCM-SHA256" AND
 SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
            ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
            PASSWORD EXPIRE  DEFAULT ACCOUNT UNLOCK