9.2 Ensure 'MASTER_SSL_VERIFY_SERVER_CERT' is enabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

On the MariaDB REPLICA, the setting MASTER_SSL_VERIFY_SERVER_CERT indicates whether the REPLICA should perform server certificate verification of the PRIMARY's certificate.

Rationale:

When establishing TLS connections, clients use certificate verification to authenticate the server as their intended peer in the connection. In this case, the REPLICA (client) should verify the PRIMARY's (server's) certificate to authenticate the PRIMARY prior to continuing the connection.

Impact:

When using CHANGE MASTER TO, be aware of the following:

REPLICA processes need to be stopped by running STOP REPLICA prior to executing CHANGE MASTER TO

Use of CHANGE MASTER TO starts new relay logs without keeping the old ones unless explicitly told to keep them

When CHANGE MASTER TO is invoked, some information is dumped to the error log (previous values for MASTER_HOST, MASTER_PORT, MASTER_LOG_FILE, and MASTER_LOG_POS)

Invoking CHANGE MASTER TO will implicitly commit any ongoing transactions in the session where the CHANGE MASTER TO was run, but not all ongoing transactions on the database.

Solution

To remediate this setting, you must use the CHANGE MASTER TO command.

STOP REPLICA; -- required if replication was already running
CHANGE MASTER TO MASTER_SSL_VERIFY_SERVER_CERT=1;
START REPLICA; -- required if you want to restart replication
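To check the current state before and after remediation, the setting is reported in the Master_SSL_Verify_Server_Cert column of the replica status output (SHOW REPLICA STATUS\G). The following is an added audit helper, not part of the benchmark, that parses that vertical output and flags channels that do not verify the PRIMARY's certificate; the sample output is constructed, and the Connection_name field is treated as optional since it only appears in multi-source configurations.

```python
"""Audit helper: parse vertical (\\G) replica status output and check whether
MASTER_SSL_VERIFY_SERVER_CERT is enabled, as reported by the
Master_SSL_Verify_Server_Cert column. It also reports when TLS is not enabled
at all (Master_SSL_Allowed), since certificate verification only matters on a
TLS connection."""

# Constructed sample: abbreviated `mysql -e 'SHOW REPLICA STATUS\G'` output
# from a replica that uses TLS but does not verify the PRIMARY's certificate.
SAMPLE_OUTPUT = """\
*************************** 1. row ***************************
                Connection_name:
                  Slave_IO_State: Waiting for master to send event
                     Master_Host: primary.example.internal
                     Master_User: repl
                     Master_Port: 3306
              Master_SSL_Allowed: Yes
   Master_SSL_Verify_Server_Cert: No
"""


def parse_vertical_output(text):
    """Turn mysql vertical output into one dict per '*** N. row ***' block."""
    rows, current = [], None
    for line in text.splitlines():
        if line.startswith("*****") and ". row " in line:
            current = {}
            rows.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return rows


def audit_replica(text):
    """Return (passed, findings). Passes only when every replication channel
    verifies the PRIMARY's certificate; no channels means nothing to flag."""
    findings = []
    for row in parse_vertical_output(text):
        channel = row.get("Connection_name") or "(default)"
        if row.get("Master_SSL_Allowed") != "Yes":
            findings.append(f"{channel}: TLS not enabled (Master_SSL_Allowed={row.get('Master_SSL_Allowed')!r})")
        if row.get("Master_SSL_Verify_Server_Cert") != "Yes":
            findings.append(f"{channel}: Master_SSL_Verify_Server_Cert is not Yes")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = audit_replica(SAMPLE_OUTPUT)
    print("PASS" if ok else "FAIL", findings)
```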

Default Value:

Disabled.

See Also

https://workbench.cisecurity.org/benchmarks/12270