9.4 Ensure only approved ciphers are used for Replication

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

MariaDB supports multiple encryption ciphers that can be used for TLS connections during replication. Ciphers can vary in strength, speed and overhead.

Rationale:

Requiring REPLICA servers to utilize strong ciphers when connecting to a PRIMARY server protects data in transit.

Impact:

If the PRIMARY and REPLICA servers don't support common cipher suites, replication will fail.

Solution

To remediate this setting, you must use the CHANGE MASTER TO command with MASTER_SSL_CIPHER.
For example, run:

STOP REPLICA; -- required if replication was already running
CHANGE MASTER TO
MASTER_SSL_CIPHER='ECDHE-ECDSA-AES128-GCM-SHA256';
START REPLICA; -- required if you want to restart replication

Default Value:

Empty

See Also

https://workbench.cisecurity.org/benchmarks/12270