2.17 Ensure Only Approved Ciphers are Used - ssl_cipher

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

MySQL supports multiple encryption ciphers. Ciphers can vary in strength, speed and overhead.

Rationale:

Requiring clients attempting to connect to MySQL to use strong ciphers protects data in transit.

Impact:

Connections attempting to use an unsupported cipher will fail.

Solution

Set ssl_cipher and tls_ciphersuites in mysql.conf to an approved cipher suite:

tls_ciphersuites='TLS_AES_256_GCM_SHA384'
ssl_cipher='ECDHE-ECDSA-AES128-GCM-SHA256'

OR
Execute the following commands:

set persist ssl_cipher='ECDHE-ECDSA-AES128-GCM-SHA256';
set persist tls_ciphersuites='TLS_AES_256_GCM_SHA384';
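
One way to check an option file against this control, as an added example that is not part of the benchmark or its audit code. The approved sets contain only the two values shown above and stand in for your organisation's approved list; the function names and the sample option files are constructed for illustration.

```python
# Assumption: only the two values shown in the Solution are approved; use your own list.
APPROVED = {
    "ssl_cipher": {"ECDHE-ECDSA-AES128-GCM-SHA256"},
    "tls_ciphersuites": {"TLS_AES_256_GCM_SHA384"},
}

def server_options(text):
    """Return {option: value} from the [mysqld] section of an option file."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # MySQL treats '-' and '_' in option names as equivalent.
        key = key.strip().lower().replace("-", "_")
        opts[key] = value.split("#", 1)[0].strip().strip("'\"")
    return opts

def audit(text):
    """Return a list of findings; an empty list means the file passes."""
    opts, findings = server_options(text), []
    for name, allowed in APPROVED.items():
        value = opts.get(name)
        if value is None:
            findings.append(f"{name}: not set, server default cipher list applies")
            continue
        # Both variables take a colon-separated list; every entry must be approved.
        bad = [c for c in value.split(":") if c.strip() not in allowed]
        if bad:
            findings.append(f"{name}: unapproved entries {bad}")
    return findings

# Constructed sample option files (not from the benchmark).
GOOD = """[client]
ssl-cipher=AES128-SHA
[mysqld]
tls_ciphersuites='TLS_AES_256_GCM_SHA384'
ssl-cipher = 'ECDHE-ECDSA-AES128-GCM-SHA256'
"""
WEAK = """[mysqld]
ssl_cipher=ECDHE-ECDSA-AES128-GCM-SHA256:AES128-SHA
"""
if __name__ == "__main__":
    print(audit(GOOD) or "PASS", audit(WEAK), sep="\n")
```

The check reads only the file, so values applied with set persist still need to be confirmed on the running server.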

See Also

https://workbench.cisecurity.org/benchmarks/12903