MariaDB Server: MDEV-13362

implement --require_secure_transport option like in MySQL 5.7


Description

Some users would like us to port the require_secure_transport system variable from MySQL 5.7:

Whether client connections to the server are required to use some form of secure transport. When this variable is enabled, the server permits only TCP/IP connections that use SSL, or connections that use a socket file (on Unix) or shared memory (on Windows). The server rejects nonsecure connection attempts, which fail with an ER_SECURE_TRANSPORT_REQUIRED error.

This capability supplements per-account SSL requirements, which take precedence. For example, if an account is defined with REQUIRE SSL, enabling require_secure_transport does not make it possible to use the account to connect using a Unix socket file.

It is possible for a server to have no secure transports available. For example, a server on Windows supports no secure transports if started without specifying any SSL certificate or key files and with the shared_memory system variable disabled. Under these conditions, attempts to enable require_secure_transport at startup cause the server to write a message to the error log and exit. Attempts to enable the variable at runtime fail with an ER_NO_SECURE_TRANSPORTS_CONFIGURED error.

https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_require_secure_transport

Currently, if a user wants to require TLS for every connection made over the network, then every user account on the system needs to be created with "REQUIRE SSL" or one of the other TLS options. Porting this system variable would make it a lot easier to require TLS system-wide.

https://mariadb.com/kb/en/library/securing-connections-for-client-and-server/#requiring-tls

https://mariadb.com/kb/en/library/create-user/#tls-options
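The admission rule quoted above, and the per-account audit that is needed today in its absence, as an added example in Python. This is not MariaDB server code and not part of the ticket: it models the decision the description gives (per-account REQUIRE clauses win, then the server-wide variable rejects plaintext TCP while Unix sockets and shared memory stay allowed, and enabling the variable with no secure transport configured fails) and runs it over a constructed set of accounts shaped like the user, host and ssl_type columns of mysql.user. The ssl_type encoding assumed here is the one that table uses: an empty string for no requirement, ANY for REQUIRE SSL, X509 and SPECIFIED for the stronger options; the outcome label REFUSED_BY_ACCOUNT is this example's own, since the ticket names no error code for that case.

```python
"""Model of the require_secure_transport admission rule quoted in MDEV-13362.

Added example, not MariaDB server code. Account rows mirror the (user, host,
ssl_type) columns of mysql.user; the rows themselves are constructed.
"""
from dataclasses import dataclass

TCP = "tcp"
# Transports the description counts as secure even without TLS.
SECURE_LOCAL = {"unix_socket", "shared_memory"}

OK = "OK"
REFUSED_BY_ACCOUNT = "REFUSED_BY_ACCOUNT"  # label of this example, not a server error code
ER_SECURE_TRANSPORT_REQUIRED = "ER_SECURE_TRANSPORT_REQUIRED"
ER_NO_SECURE_TRANSPORTS_CONFIGURED = "ER_NO_SECURE_TRANSPORTS_CONFIGURED"


@dataclass(frozen=True)
class Account:
    user: str
    host: str
    # mysql.user.ssl_type: '' (no requirement), 'ANY' (REQUIRE SSL), 'X509', 'SPECIFIED'
    ssl_type: str

    @property
    def requires_tls(self) -> bool:
        return self.ssl_type != ""

    @property
    def name(self) -> str:
        return f"{self.user}@{self.host}"


def admit(transport: str, tls: bool, account: Account,
          require_secure_transport: bool) -> str:
    """Decide whether one connection attempt is accepted.

    Host matching and authentication are out of scope: the attempt is assumed
    to have already matched `account`.
    """
    if transport != TCP and transport not in SECURE_LOCAL:
        raise ValueError(f"unknown transport {transport!r}")
    # Per-account TLS requirements take precedence: an account created with
    # REQUIRE SSL needs TLS even over a Unix socket, whatever the server-wide
    # setting says.
    if account.requires_tls and not tls:
        return REFUSED_BY_ACCOUNT
    # Server-wide rule: plaintext TCP is rejected; TLS over TCP, Unix sockets
    # and shared memory pass.
    if require_secure_transport and transport == TCP and not tls:
        return ER_SECURE_TRANSPORT_REQUIRED
    return OK


def enable_at_runtime(tls_configured: bool, unix_socket: bool,
                      shared_memory: bool) -> str:
    """Turning the variable on fails when the server has no secure transport at all."""
    if not (tls_configured or unix_socket or shared_memory):
        return ER_NO_SECURE_TRANSPORTS_CONFIGURED
    return OK


def plaintext_tcp_exposure(accounts, require_secure_transport: bool) -> list:
    """Accounts that would accept a plaintext TCP login under the given setting.

    With the variable off this is the audit a DBA has to do by hand today:
    every account listed here still needs an explicit REQUIRE clause.
    """
    return [a.name for a in accounts
            if admit(TCP, False, a, require_secure_transport) == OK]


# Constructed sample of mysql.user rows (not taken from any real server).
SAMPLE_ACCOUNTS = [
    Account("app", "%", ""),
    Account("report", "10.0.0.%", "ANY"),
    Account("etl", "%", ""),
    Account("backup", "10.0.0.5", "X509"),
]

if __name__ == "__main__":
    print("plaintext TCP accepted today:       ", plaintext_tcp_exposure(SAMPLE_ACCOUNTS, False))
    print("plaintext TCP accepted with var ON: ", plaintext_tcp_exposure(SAMPLE_ACCOUNTS, True))
    for acct in SAMPLE_ACCOUNTS:
        print(acct.name, "over unix_socket, var ON ->", admit("unix_socket", False, acct, True))
```

Running the script shows the two gaps the ticket is about: with the variable off, app@% and etl@% accept plaintext TCP until someone adds REQUIRE SSL to each of them, and with it on they do not, while report@10.0.0.% is still refused over a Unix socket because its own REQUIRE SSL clause takes precedence.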

People

Assignee: Julius Goryavsky (sysprg)
Reporter: Robert Dyas (rdyas)
Votes: 3
Watchers: 11