9.2 Ensure 'MASTER_SSL_VERIFY_SERVER_CERT' is enabled

Information

On the MariaDB REPLICA, the setting MASTER_SSL_VERIFY_SERVER_CERT controls whether the REPLICA verifies the PRIMARY's server certificate when it establishes the replication connection.

Rationale:

When establishing TLS connections, clients use certificate verification to authenticate the server as their intended peer in the connection. In this case, the REPLICA (client) should verify the PRIMARY's (server's) certificate to authenticate the PRIMARY prior to continuing the connection.

Impact:

When using CHANGE MASTER TO, be aware of the following:

REPLICA processes need to be stopped by running STOP REPLICA prior to executing CHANGE MASTER TO

Use of CHANGE MASTER TO starts new relay logs without keeping the old ones unless explicitly told to keep them

When CHANGE MASTER TO is invoked, some information is dumped to the error log (previous values for MASTER_HOST, MASTER_PORT, MASTER_LOG_FILE, and MASTER_LOG_POS)

Invoking CHANGE MASTER TO will implicitly commit any ongoing transactions in the session where the CHANGE MASTER TO was run, but not all ongoing transactions on the database.

Solution

To remediate this setting, run the CHANGE MASTER TO command on the REPLICA:

STOP REPLICA; -- required if replication was already running
CHANGE MASTER TO MASTER_SSL_VERIFY_SERVER_CERT=1;
START REPLICA; -- required if you want to restart replication
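An audit helper for this control, added here as an example and not part of the CIS benchmark or of MariaDB: it parses the vertical (\G) output of SHOW REPLICA STATUS and passes only when Master_SSL_Verify_Server_Cert is Yes and TLS is actually in use for the channel (Master_SSL_Allowed: Yes), since certificate verification has no effect unless the replication connection itself is made over TLS (MASTER_SSL=1). The hostname and status text are constructed samples.

```shell
#!/bin/sh
# Added audit helper (not from the CIS benchmark or MariaDB): checks the
# vertical output of SHOW REPLICA STATUS for this control. MariaDB only
# verifies the PRIMARY's certificate when the replication channel uses TLS,
# so both Master_SSL_Allowed and Master_SSL_Verify_Server_Cert are checked.

# Print the value of a "Field: value" line from \G-style output on stdin.
status_field() {
    awk -v key="$1" -F': *' '$1 ~ "^[[:space:]]*" key "$" { print $2; exit }'
}

# Returns 0 when the replica passes the control, 1 otherwise.
check_replica_ssl_verify() {
    status="$1"
    verify=$(printf '%s\n' "$status" | status_field Master_SSL_Verify_Server_Cert)
    ssl=$(printf '%s\n' "$status" | status_field Master_SSL_Allowed)
    if [ "$verify" = "Yes" ] && [ "$ssl" = "Yes" ]; then
        echo "PASS: replica verifies the PRIMARY certificate over TLS"
        return 0
    fi
    echo "FAIL: Master_SSL_Allowed=${ssl:-?} Master_SSL_Verify_Server_Cert=${verify:-?}"
    return 1
}

# Constructed excerpts of SHOW REPLICA STATUS\G output (hostname is made up);
# on a live replica the input would come from: mariadb -e 'SHOW REPLICA STATUS\G'
SAMPLE_BEFORE='
               Master_Host: primary.example.internal
        Master_SSL_Allowed: Yes
Master_SSL_Verify_Server_Cert: No
'
SAMPLE_AFTER='
               Master_Host: primary.example.internal
        Master_SSL_Allowed: Yes
Master_SSL_Verify_Server_Cert: Yes
'

# Demonstration: the state before remediation fails, the state after passes.
check_replica_ssl_verify "$SAMPLE_BEFORE" || true
check_replica_ssl_verify "$SAMPLE_AFTER"
```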

Default Value:

Disabled.

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7

Plugin: MySQLDB

Control ID: e537db6fb8d6115b3e422881e82d7f6b57409d0dfce1113d42f378c693575373