Restricting MySQL Connections to Secure Transport


MySQL has made secure connections easier to set up: key and certificate generation is streamlined for both MySQL Community and MySQL Enterprise, support has been expanded to TLSv1.1 and TLSv1.2, and administrators get better visibility into the transport each client connection uses, so they can tell which clients are connecting securely and which are not.

Building on this emphasis on secure connections, the MySQL server gained a server-side configuration option that lets administrators restrict connections to clients that use a secure transport. Before such a restriction can be enforced, the first question to settle is which transports count as secure.

Secure Transports

The following transports are considered secure −

  • SSL/TLS (a TCP/IP connection with TLS encryption negotiated)

  • Socket (a Unix domain socket file, which never leaves the local host)

  • Shared Memory (Windows, local host only)

In particular, connections on Windows machines that use the named pipe transport are not considered secure. Named pipe connections are usually made locally, but they can in principle be reached remotely, and in either case they carry no encryption that would protect the payload in transit. Plain TCP/IP connections without TLS are, of course, not secure either.

The --require_secure_transport configuration option was newly added for this purpose. It is a boolean option whose default is OFF, meaning that connections over any supported protocol, secure or not, are accepted, consistent with legacy behaviour. Setting --require_secure_transport=ON makes the server reject new connections that do not use one of the secure transports listed above. Only new connection attempts are checked; sessions that were already established are not dropped.
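The following SQL, an added example and not part of the original page, shows how to switch the option on at runtime and how to audit which transport each current session is using. It assumes a MySQL 5.7 or later server with performance_schema enabled; the server must have TLS enabled (see the have_ssl check) before the option is turned on, otherwise every remote TCP client is locked out.

```sql
-- Added example (not from the original page). Assumes MySQL 5.7+ with
-- performance_schema enabled and a user with SUPER/SYSTEM_VARIABLES_ADMIN.

-- Default is OFF: plaintext TCP/IP and named pipe clients are accepted.
SHOW GLOBAL VARIABLES LIKE 'require_secure_transport';

-- Sanity check before enforcing: if have_ssl is DISABLED the server cannot
-- negotiate TLS, and require_secure_transport=ON would reject every remote
-- client. (have_ssl is the 5.7-era variable; it is deprecated in 8.0.)
SHOW GLOBAL VARIABLES LIKE 'have_ssl';

-- Audit what is connected right now. CONNECTION_TYPE is one of
-- TCP/IP, SSL/TLS, Socket, Named Pipe, Shared Memory (NULL for background threads).
SELECT t.PROCESSLIST_ID, t.PROCESSLIST_USER, t.PROCESSLIST_HOST, t.CONNECTION_TYPE
FROM performance_schema.threads AS t
WHERE t.PROCESSLIST_ID IS NOT NULL
ORDER BY t.CONNECTION_TYPE, t.PROCESSLIST_ID;

-- These are the sessions that would fail on reconnect once the option is ON:
SELECT t.PROCESSLIST_USER, t.PROCESSLIST_HOST, t.CONNECTION_TYPE
FROM performance_schema.threads AS t
WHERE t.CONNECTION_TYPE IN ('TCP/IP', 'Named Pipe');

-- Enforce at runtime; the variable is dynamic, so no restart is needed.
-- Existing sessions keep running; only new connection attempts are rejected.
SET GLOBAL require_secure_transport = ON;

-- Make it survive a restart by adding this under [mysqld] in my.cnf/my.ini:
--   require_secure_transport = ON

-- From any client session, confirm the transport it got. An empty Ssl_cipher
-- means this session is not TLS-encrypted (e.g. a local socket connection).
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

Run the two audit queries before flipping the switch: the rejected clients will not be visible in the server log as anything more than failed connection attempts, so it is far cheaper to find the plaintext TCP/IP clients while they are still connected than after they start failing.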

Insecure Connection

Clients that are rejected because they use an insecure transport receive the error shown below. In this example the client connects over TCP/IP (-P3310) and explicitly refuses TLS with --skip-ssl, so the transport is plaintext TCP −

Example

D:\mysql-advanced-5.7.10-winx64>bin\mysql -uroot -P3310 --skip-ssl

Output

ERROR 3159 (HY000): Connections using insecure transport are prohibited while
--require_secure_transport=ON.


Interaction with account-level requirements

MySQL also supports requiring TLS for specific accounts, via the REQUIRE SSL clause (and the stricter REQUIRE X509, ISSUER, SUBJECT and CIPHER forms) of CREATE USER and ALTER USER. The --require_secure_transport option complements these account-level requirements by enforcing secure transport at the global level: the account-level clauses stay in effect whatever the global setting, and the global option catches accounts that were never given one.
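The following SQL, an added example and not part of the original page, shows the account-level requirements side by side with the global option, and how to list which accounts already carry one. The account name 'app'@'10.0.0.%', the password and the certificate names are placeholders.

```sql
-- Added example (not from the original page). Account names, password and
-- certificate DNs are placeholders; adjust to your environment.

-- An ordinary account: allowed over any transport the server accepts.
CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY 'ChangeMeBeforeUse';

-- Require an encrypted (TLS) session for this account only. This is checked
-- at login even while the global require_secure_transport is OFF.
ALTER USER 'app'@'10.0.0.%' REQUIRE SSL;

-- Stricter: the client must also present a valid X.509 certificate ...
ALTER USER 'app'@'10.0.0.%' REQUIRE X509;

-- ... or a certificate from a specific CA with a specific subject, which
-- turns the TLS handshake into client authentication, not just encryption.
ALTER USER 'app'@'10.0.0.%'
  REQUIRE ISSUER '/CN=Internal MySQL Client CA'
      AND SUBJECT '/CN=app-service';

-- Remove the per-account requirement again (e.g. when the global option
-- is considered sufficient for this account):
ALTER USER 'app'@'10.0.0.%' REQUIRE NONE;

-- Which accounts carry a TLS requirement? ssl_type is '' (none), ANY (REQUIRE
-- SSL), X509, or SPECIFIED (ISSUER/SUBJECT/CIPHER).
SELECT User, Host, ssl_type, ssl_cipher, x509_issuer, x509_subject
FROM mysql.user
WHERE ssl_type <> ''
ORDER BY User, Host;

-- Accounts with no requirement of their own are exactly the ones that rely
-- on the global option to keep them off plaintext transports.
SELECT User, Host
FROM mysql.user
WHERE ssl_type = ''
ORDER BY User, Host;

-- The global option, for comparison: it applies to every account.
SET GLOBAL require_secure_transport = ON;
```

The two mechanisms answer different questions. REQUIRE SSL asks "is this session TLS-encrypted?", so a local Unix socket connection that never negotiated TLS satisfies require_secure_transport but still fails the account's REQUIRE SSL check unless the client negotiates TLS over the socket. The global option is the safety net for accounts nobody remembered to harden; the account clauses are where certificate-based client authentication lives.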

raja
Published on 09-Mar-2021 13:54:59