8.2 Ensure 'ssl_type' is Set to 'ANY', 'X509', or 'SPECIFIED' for All Remote Users

Information

All network traffic must use SSL/TLS when traveling over untrusted networks.

SSL/TLS should be enforced on a per-user basis for accounts that enter the system over the network. Accounts restricted to local hosts ('localhost', '127.0.0.1', '::1') never traverse the network and are out of scope for this control.

Rationale:

The SSL/TLS-protected MySQL protocol helps to prevent eavesdropping and man-in-the-middle attacks. Note that a REQUIRE clause on the account only governs what the server accepts; it does not stop a client from being lured to an impersonating server. To defeat that, the client must also verify the server certificate (for example with --ssl-mode=VERIFY_CA or VERIFY_IDENTITY).

Impact:

When SSL/TLS is enforced, clients that do not use SSL/TLS will no longer be able to connect. If the server itself is not configured for SSL/TLS, accounts for which SSL/TLS is mandatory will not be able to connect at all, so confirm the server has working TLS before altering accounts.

Solution

Use the ALTER USER statement to require the use of SSL:

ALTER USER 'my_user'@'app1.example.com' REQUIRE X509;

Note: REQUIRE SSL only requires an encrypted connection and sets ssl_type to 'ANY'. REQUIRE X509 additionally requires a valid client certificate and sets ssl_type to 'X509'. The more restrictive options REQUIRE ISSUER, REQUIRE SUBJECT and REQUIRE CIPHER set ssl_type to 'SPECIFIED' and can be used to further restrict the connection to a particular client certificate or cipher.
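The following is an added example, not part of the benchmark text, showing how to audit the mysql.user table for this control, how each REQUIRE form maps onto the ssl_type values named in the title, and how to verify the result. Account names, hosts and certificate DNs are hypothetical.

```sql
-- Added example (not from the benchmark): audit, remediate and verify ssl_type
-- for remote accounts. Account names and certificate DNs below are hypothetical.

-- 0. Confirm the server actually offers TLS before forcing it on accounts,
--    otherwise remediated accounts will be locked out (see Impact).
SHOW SESSION STATUS LIKE 'Ssl_cipher';      -- non-empty value means this session is on TLS
SHOW VARIABLES LIKE 'require_secure_transport';

-- 1. Audit: list remote accounts whose ssl_type is not ANY, X509 or SPECIFIED.
--    Local-only hosts are excluded because they never traverse the network.
SELECT user, host, ssl_type
FROM mysql.user
WHERE host NOT IN ('localhost', '127.0.0.1', '::1')
  AND ssl_type NOT IN ('ANY', 'X509', 'SPECIFIED');

-- 2. Remediate. Each REQUIRE clause sets a specific ssl_type value:

--    REQUIRE SSL  -> ssl_type = 'ANY'  (any TLS connection is accepted)
ALTER USER 'app_user'@'app1.example.com' REQUIRE SSL;

--    REQUIRE X509 -> ssl_type = 'X509' (TLS plus a client certificate signed by a CA
--    the server trusts; the certificate contents are not otherwise checked)
ALTER USER 'report_user'@'%.example.com' REQUIRE X509;

--    REQUIRE SUBJECT / ISSUER / CIPHER -> ssl_type = 'SPECIFIED' (TLS plus a client
--    certificate whose subject and issuer DN match exactly as written here)
ALTER USER 'batch_user'@'10.0.0.%'
  REQUIRE SUBJECT '/CN=batch.example.com/O=Example Corp'
      AND ISSUER  '/CN=Example Internal CA/O=Example Corp';

-- 3. Verify: the audit query from step 1 should now return no rows, and the
--    account definition should carry the REQUIRE clause.
SHOW CREATE USER 'batch_user'@'10.0.0.%';

-- 4. Server-wide alternative (MySQL 8.0+): reject every non-TLS network
--    connection regardless of per-account settings. Local socket/shared-memory
--    connections are still permitted.
SET PERSIST require_secure_transport = ON;
```

The audit query is what a scanner will effectively run; keep the local-host exclusion list in sync with any additional loopback aliases your hosts use, otherwise local maintenance accounts show up as findings. The REQUIRE SUBJECT and ISSUER strings must match the certificate DN byte for byte, so copy them from `openssl x509 -subject -issuer -noout` output rather than typing them by hand.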

Default Value:

On the server side SSL/TLS is ON by default (--ssl permits but does not require secure connections), and require_secure_transport is OFF (turning it ON allows only secure connections). Newly created accounts have an empty ssl_type, meaning no TLS requirement, unless a REQUIRE clause is given.

See Also

https://workbench.cisecurity.org/files/3855

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: MySQLDB

Control ID: ae4bc72180887dde5b1aed16993f6d8211621c7fa5d7ab3cf4fbb8562bb887d6