8.2 Ensure 'ssl_type' is Set to 'ANY', 'X509', or 'SPECIFIED' for All Remote Users

Information

All network traffic must use SSL/TLS when traveling over untrusted networks.

SSL/TLS should be enforced on a per-user basis for users which enter the system through the network.

Rationale:

The SSL/TLS-protected MySQL protocol helps to prevent eavesdropping and man-in-the-middle attacks.

Impact:

When SSL/TLS is enforced then clients which do not use SSL will not be able to connect. If the server is not configured for SSL/TLS then accounts for which SSL/TLS is mandatory will not be able to connect.

Solution

Use the ALTER USER statement to require the use of SSL:

ALTER USER 'my_user'@'app1.example.com' REQUIRE X509;

Note: REQUIRE SSL only enforces SSL. There are additional options REQUIRE ISSUER, REQUIRE SUBJECT which can be used to further restrict the connection.

Default Value:

On the server-side SSL is ON by default --ssl (permits but does not require secure connections) and require_secure_transport is OFF (turning ON allows only secure connections)

See Also

https://workbench.cisecurity.org/benchmarks/10139

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: MySQLDB

Control ID: 8fc285fc4ca042609dc490e55383748886a31119e9a748fbfb87551682d92f14