9.4 Ensure only approved ciphers are used for Replication

Information

MariaDB supports multiple encryption ciphers that can be used for TLS connections during replication. Ciphers can vary in strength, speed and overhead.

Rationale:

Requiring REPLICA servers to utilize strong ciphers when connecting to a PRIMARY server protects data in transit.

Impact:

If the PRIMARY and REPLICA servers don't support common cipher suites, replication will fail.

Solution

To remediate this setting, you must use the CHANGE MASTER TO command with MASTER_SSL_CIPHER.
For example, run:

STOP REPLICA; -- required if replication was already running
CHANGE MASTER TO
MASTER_SSL_CIPHER='ECDHE-ECDSA-AES128-GCM-SHA256';
START REPLICA; -- required if you want to restart replication
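The following is an added example, not part of the benchmark text, showing how an operator would check the current replication cipher setting on the REPLICA, apply the remediation, and confirm it. It keeps the cipher quoted in the Solution and additionally sets MASTER_SSL and MASTER_SSL_VERIFY_SERVER_CERT, because MASTER_SSL_CIPHER only restricts ciphers on a connection that is already configured to use TLS and does not itself turn TLS on. The CA path is an assumed placeholder; the ECDHE-ECDSA suite chosen in the Solution also requires the PRIMARY to present an ECDSA certificate, so confirm the PRIMARY's ssl_cipher list and certificate type before applying it. Statements ending in \G use the mysql/mariadb client's vertical output form.

```sql
-- Added example (not the benchmark's own text). Run on the REPLICA unless noted.

-- 1. Check: what does the replica currently negotiate?
--    Master_SSL_Allowed should be 'Yes'; Master_SSL_Cipher is empty by default
--    (the "Default Value: Empty" state flagged by this control).
SHOW REPLICA STATUS\G
-- On MariaDB releases before 10.5.1 the same view is SHOW SLAVE STATUS\G

-- 2. Check on the PRIMARY: the server-side allow-list must include the suite
--    the replica will request, otherwise the handshake fails (see "Impact").
SHOW VARIABLES LIKE 'ssl_cipher';

-- 3. Remediate on the REPLICA. Replication must be stopped to change settings.
STOP REPLICA;
CHANGE MASTER TO
  MASTER_SSL = 1,                              -- enable TLS for this connection
  MASTER_SSL_VERIFY_SERVER_CERT = 1,           -- reject a PRIMARY with an untrusted cert
  MASTER_SSL_CA = '/etc/mysql/ssl/ca.pem',     -- assumed path to the CA bundle
  MASTER_SSL_CIPHER = 'ECDHE-ECDSA-AES128-GCM-SHA256';  -- approved suite from the Solution
START REPLICA;

-- 4. Verify: Replica_IO_Running / Slave_IO_Running must be 'Yes' again and
--    Master_SSL_Cipher must show the approved suite. If Last_IO_Error mentions
--    a TLS/SSL handshake, the PRIMARY does not offer that suite (check step 2).
SHOW REPLICA STATUS\G
```

Set MASTER_SSL_CIPHER to a colon-separated list if more than one suite is approved; leaving it empty falls back to whatever the two servers negotiate, which is the state this control is meant to prevent.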

Default Value:

Empty

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-15, CSCv7|18.5

Plugin: MySQLDB

Control ID: 7e9f8ee5185718b2c311ddf90708f6e10727631d54ca83c28fcb4aff09571154