2.10 Limit Accepted Transport Layer Security (TLS) Versions

Information

MariaDB supports multiple versions of TLS. The higher the version the stronger the security and/or better the performance.

Rationale:

Requiring clients that connect to MariaDB to use higher versions of TLS better protects data in transit.

Impact:

Connections attempting to use an unsupported version of TLS will fail.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Set the version(s) of TLS you wish to accept by setting the tls_version option to a comma-separated (no whitespace) string in the MariaDB configuration files.
For example, to only accept TLS 1.2 or 1.3 connections, set tls_version like so:

tls_version=TLSv1.2,TLSv1.3

Note: with this setting, only clients that support the specified TLS version(s) are able to establish an encrypted connection to the server.
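Because this check is not performed automatically, the following added example (not part of the benchmark or of MariaDB itself) shows a small POSIX shell audit that reads the tls_version option out of a MariaDB option file and passes only when every listed protocol is TLSv1.2 or TLSv1.3. The sample option file is constructed inline; the function names tls_version_of and check_tls_version, and the rule that a missing setting fails (because the default still permits TLSv1.1), are this example's own choices.

```shell
#!/bin/sh
# Added example: audit a MariaDB option file for the tls_version setting.
# Constructed sample option file (not taken from any real server):
SAMPLE_CNF=$(mktemp)
cat > "$SAMPLE_CNF" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
ssl_cert=/etc/mysql/server-cert.pem
ssl_key=/etc/mysql/server-key.pem
tls_version=TLSv1.2,TLSv1.3
EOF

# Print the effective tls_version value from an option file.
# MariaDB accepts both tls_version and tls-version as the option name, and
# the last occurrence in the file wins, so only the final match is reported.
tls_version_of() {
  sed -n 's/^[[:space:]]*tls[-_]version[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Return 0 (pass) when every listed protocol is TLSv1.2 or TLSv1.3,
# 1 (fail) otherwise. An absent setting is treated as a fail because the
# documented default (TLSv1.1,TLSv1.2,TLSv1.3) still accepts TLSv1.1.
check_tls_version() {
  v=$(tls_version_of "$1")
  [ -n "$v" ] || return 1
  for proto in $(printf '%s' "$v" | tr ',' ' '); do
    case "$proto" in
      TLSv1.2|TLSv1.3) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Stand-alone usage: report the configured value and the verdict.
echo "tls_version=$(tls_version_of "$SAMPLE_CNF")"
if check_tls_version "$SAMPLE_CNF"; then
  echo "PASS: only TLSv1.2/TLSv1.3 accepted"
else
  echo "FAIL: tls_version missing or permits a version below TLSv1.2"
fi
```

Point the functions at the real option file (for example /etc/my.cnf or a file under /etc/my.cnf.d/) to audit a host. The option file only shows what will apply at the next restart; to confirm the running server's value, run `SHOW GLOBAL VARIABLES LIKE 'tls_version';` from a MariaDB client and compare it with the same rule.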

Default Value:

TLSv1.1,TLSv1.2,TLSv1.3

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SA-15, 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4, CSCv7|18.5

Plugin: Unix

Control ID: 712296d1ada111342c821683fa2ec67409bc563c8ca1466da856e4fbb6dfe7ba