2.12 Limit Accepted Transport Layer Security (TLS) Versions

Information

MySQL supports multiple protocols of TLS. The higher the version the stronger the security and/or better the performance.

Rationale:

Requiring clients attempting to connect to MySQL to use higher versions of TLS to better protect data in transit.

Impact:

Connections attempting to use an unsupported version of TLS or Cipher will fail.

Solution

Set the version(s) of TLS you wish to accept in mysql.conf specify TLS and Ciphers.

For example to only accept TLS 1.3 set tls_version in my.conf:

tls_version=TLSv1.3

If TLS 1.3 is not supported on the Operating System then set to TLS 1.2:

tls_version=TLSv1.2

Note: with this setting, only clients that support the specified TLS version(s) are able to establish an encrypted connection to the server.

Default Value:

All TLS and cipher versions are enabled by default.

See Also

https://workbench.cisecurity.org/files/3844

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SA-15, 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4, CSCv7|18.5

Plugin: MySQLDB

Control ID: ae69dd02004feea97cc75120ffc96215ac02612e737feb710b52f8d32105938d