main.ssl_bug75311 fails on platforms with OpenSSL 1.1.1

https://github.com/percona/percona-server/pull/3514

As discussed

5.6, 5.7: TLSv1.3 was just disabled by upstream. After upstream merge the test will succeed.

8.0: MTR test fixed as described above. Will be merged after 8.0.17 release

Current situation:

1. All TLS protocols are enabled by default on client and server. We can disable them by explicitly specifying --tls-protocol=A,B,C option

2. MTR test does explicit configuration of available ciphers in opt file. It sets 1 cipher.

3. Test expects that exactly one cipher is enabled

4. Test tries to connect to the server, explicitly specifying another cipher. Protocol negotiation starts with the highest TLS version.

When we link with SSL 1.0.2:

1. The highest TLS protocol is 1.2

2. Server is started with explicit configuration of --ssl-cipher=DHE-RSA-AES256-SHA. This causes all default ciphers to be removed and replaced by this one available only.

3. Test checks which ciphers are enabled. The result is 1 cipher.

4. Test tries to connect using cipher AES256-SHA256. Negotiation starts from TLSv1.2. As AES256-SHA256 is not enabled, negotiation fails which is expected result of the test.

When we link with SSL 1.1.1:

1. The highest TLS protocol is 1.3

2. Server is started with explicit configuration of --ssl-cipher=DHE-RSA-AES256-SHA. However for OpenSSL and TLSv1.3 3 following ciphers are enabled implicitly: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256.
   https://dev.mysql.com/doc/refman/8.0/en/encrypted-connection-protocols-ciphers.html
   https://wiki.openssl.org/index.php/TLS1.3
   This causes ciphers list to be 1 explicitly enabled + 3 implicitly enabled. This is well visible in SHOW SESSION STATUS LIKE 'Ssl_cipher_list';

3. Test checks which ciphers are enabled. The result is list of 4 ciphers. This is the first reason of test failure.

4. Test tries to connect using cipher AES256-SHA256. Negotiation starts from TLSv1.3. As there are ciphers enabled (implicit) negotiation succeeds with TLSv.1.3 and one of TLSv1.3 ciphers. This is the second reason of test failure.

How to fix

8.0:

Fix is easy. We need to modify MTR to

1. check if explicitly configured cipher is on the list, rather than expecting 1-item list

2. Try to connect to the server enforcing negotiation to use only TLSv1.2 (--tls-version=TLSv1.2)

3. Another way to fix it to let negotiation to start from TLSv1.3, but remove implicitly configured ciphers (--tls-ciphersuites= option introduced in 8.0.16)

5.7:

5.7 is not TLSv.1.3 ready. As said above, all protocols are enabled by default in OpenSSL and they can be disabled on server startup. However there is no code that would disable TLSv1.3. So TLSv1.3 is always enabled and used while protocol negotiation.

The same problem is with --tls-protocol=A,B,C option for client. It works in the way that all protocols besides specified ones are being disabled. There is no code that disables TLSv1.3, so even specifying --tls-protocol=TLSv.1.1 means TLSv1.1 + TLSv1.3.

Above can be fixed by adjusting viosslfactories.cc and sys_vars.cc (make them aware of TLSv1.3)

5.6:

**Here situation is yet a little bit harder, because client does not support --tls-protocol option. So TLS protcols can be limited only on server side (server supports --tls-protocol option). However, similary to 5.7, there is lack of code that switches off TLSv1.3, so it is always enabled.

Above can be fixed in similar way as in 5.7 case.

@George Lorch, @Yura Sorokin,

Please decide which way to go:

1. Fix MTR for 8.0, leaving tests for 5.6 and 5.7 with OpenSSL 1.1.1  failing

2. Make 5.6 and 5.7 aware of TLSv1.3 which will allow us to have tests passed for all branches (and allow user to use TLSv1.3 or not when connecting)