9.5 Ensure mutual TLS is enabled

Information

Mutual TLS (a.k.a. Two-Way TLS) extends ordinary TLS, in which only the server proves its identity, by requiring both parties to authenticate each other when the connection is established. The client must present its own X.509 certificate so the server can verify who is connecting, not just encrypt the traffic.

Rationale:

By requiring the client to authenticate to the server (in this case, the REPLICA to authenticate to the PRIMARY), the server (PRIMARY) prevents unauthorized clients (REPLICAs) from performing replication.

Impact:

The REPLICA will need to have TLS enabled to support mutual TLS, and it must hold a certificate and private key of its own that chains to a CA the PRIMARY trusts. Replication must be stopped briefly while the connection settings are changed.

Solution

To remediate this setting, run the CHANGE MASTER TO command on the REPLICA with MASTER_SSL_CERT and MASTER_SSL_KEY set to the paths of the REPLICA's certificate and private key files. These two options only take effect when TLS is already enabled on the replication connection (MASTER_SSL=1), and CHANGE MASTER TO requires the replication threads to be stopped.
For example, run:

STOP REPLICA; -- required if replication was already running
CHANGE MASTER TO
MASTER_SSL_CERT='/etc/mysql/mariadb.conf.d/certificates/server-cert.pem',
MASTER_SSL_KEY='/etc/mysql/mariadb.conf.d/certificates/server-key.pem';
START REPLICA; -- required if you want to restart replication

If the PRIMARY does not already require your replication users to present X.509 certificates, use the ALTER USER command with REQUIRE X509 for each account that needs remediation. REQUIRE X509 accepts any valid certificate issued by a CA the PRIMARY trusts (its ssl_ca setting); add REQUIRE SUBJECT and/or REQUIRE ISSUER to pin the account to a specific certificate distinguished name or issuing CA so that no other client certificate from the same CA can use the account.
For example, run:

ALTER USER <replication user> REQUIRE X509;
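The following is an added end-to-end example covering both remediation steps above plus the checks an auditor would run; it is not taken from the benchmark or from Tenable's plugin. The account name 'repl'@'10.0.0.%', the certificate paths, and the SUBJECT/ISSUER distinguished names are placeholders for your own environment. It also goes one step beyond the text by setting MASTER_SSL_CA and MASTER_SSL_VERIFY_SERVER_CERT so the REPLICA verifies the PRIMARY too; the benchmark item itself only requires the client-side certificate and key.

```sql
-- ===== On the REPLICA =====
-- CHANGE MASTER TO is refused while the replication threads are running.
STOP REPLICA;

CHANGE MASTER TO
  MASTER_SSL = 1,                                                                -- TLS must be on; *_CERT/*_KEY alone do nothing without it
  MASTER_SSL_CA   = '/etc/mysql/mariadb.conf.d/certificates/ca.pem',             -- CA that signed the PRIMARY's certificate (assumed path)
  MASTER_SSL_CERT = '/etc/mysql/mariadb.conf.d/certificates/replica-cert.pem',   -- this REPLICA's client certificate (assumed path)
  MASTER_SSL_KEY  = '/etc/mysql/mariadb.conf.d/certificates/replica-key.pem',    -- its private key; keep it readable only by the mysqld user
  MASTER_SSL_VERIFY_SERVER_CERT = 1;                                             -- also authenticate the PRIMARY (beyond the benchmark text)

START REPLICA;

-- Check: Master_SSL_Allowed should be Yes, Master_SSL_Cert and Master_SSL_Key
-- should show the paths above, and Slave_IO_Running should be Yes.
SHOW REPLICA STATUS\G

-- ===== On the PRIMARY =====
-- Weak state (what an unremediated account typically looks like):
--   CREATE USER 'repl'@'10.0.0.%' IDENTIFIED BY '...';
--   GRANT REPLICATION SLAVE ON *.* TO 'repl'@'10.0.0.%';
-- Anyone holding the password can replicate, with or without a certificate.

-- Remediated: require a client certificate and pin it to one subject and CA,
-- so a different certificate issued by the same CA is still rejected.
-- (Placeholder DNs; use the values from the REPLICA's certificate.)
ALTER USER 'repl'@'10.0.0.%'
  REQUIRE SUBJECT '/CN=replica1.example.internal' AND ISSUER '/CN=Replication CA';

-- Audit: ssl_type should be X509 or SPECIFIED (SPECIFIED when SUBJECT/ISSUER
-- are pinned) and the x509_* columns populated; ANY or empty means the
-- account does not require a client certificate.
SELECT User, Host, ssl_type, x509_issuer, x509_subject
FROM mysql.user
WHERE User = 'repl';

-- Or read the REQUIRE clause back directly.
SHOW CREATE USER 'repl'@'10.0.0.%';
```

Run the REPLICA statements first so the client certificate is already presented when the PRIMARY begins requiring it; otherwise the replication I/O thread fails to reconnect until both sides are updated.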

Default Value:

Disabled.

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|1.7

Plugin: MySQLDB

Control ID: f639945383176cba40b7e52c7cd626cd80eb41efc341454dc8b4d71d33000ba8