MySQL server is not using the latest version of TLS encryption
ID | mysql_server_minimum_tls_version
Severity | high
Vendor | Azure
Resource | MySQL Server
Tags | reachable
Description
MySQL server should use at least TLS 1.2.
Transport Layer Security is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.
TLS 1.0 is a security protocol first defined in 1999 for establishing encryption channels over computer networks. Evolving regulatory requirements as well as new security vulnerabilities in TLS 1.0 provide corporations with the incentive to disable TLS 1.0 entirely.
Microsoft recommends that customers disable TLS 1.0 and use TLS 1.2 instead.
See Deprecating weak cryptographic standards (TLS 1.0 and 1.1) in Azure DevOps Services and more specifically TLS enforcement in Azure Database for MySQL to learn more about this flaw.
Examples
ARM

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.DBforMySQL/servers",
            "name": "bad", (1)
            "apiVersion": "2017-12-01",
            "location": "[parameters('location')]",
            "properties": {
                "minimalTlsVersion": "TLS1_0"
            }
        }
    ]
}

(1) The MySQL server does not use TLS 1.2 as its minimal version.
Mitigation / Fix
Buildtime
ARM

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.DBforMySQL/servers",
            "name": "good", (1)
            "apiVersion": "2017-12-01",
            "location": "[parameters('location')]",
            "properties": {
                "minimalTlsVersion": "TLS1_2"
            }
        }
    ]
}

(1) The MySQL server uses TLS 1.2 as its minimal version.
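The following is an added example, not part of the original rule page or of any vendor tool: a small buildtime check that walks an ARM template and reports every Microsoft.DBforMySQL/servers resource whose minimalTlsVersion is below TLS1_2, covering both the "bad" and "good" templates above. It assumes the 2017-12-01 API's value set (TLS1_0, TLS1_1, TLS1_2, TLSEnforcementDisabled) and, as a deliberate choice of this example, treats a missing property as a finding so that servers with no TLS floor at all are not silently passed; the sample template is constructed.

```python
import json

# Allowed values of properties.minimalTlsVersion on Microsoft.DBforMySQL/servers
# (apiVersion 2017-12-01), ranked from weakest to strongest. TLS1_2 is the floor
# the rule requires.
TLS_RANK = {"TLSEnforcementDisabled": 0, "TLS1_0": 1, "TLS1_1": 2, "TLS1_2": 3}
REQUIRED = "TLS1_2"


def check_mysql_tls(template):
    """Return (resource name, reason) for every MySQL server resource in an
    ARM template whose minimalTlsVersion is below TLS1_2. A missing property
    is reported as well (assumption of this check: no enforced TLS floor), and
    an unrecognised value is reported so the template gets reviewed by hand."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.dbformysql/servers":
            continue
        name = res.get("name", "<unnamed>")
        version = res.get("properties", {}).get("minimalTlsVersion")
        if version is None:
            findings.append((name, "minimalTlsVersion is not set"))
        elif TLS_RANK.get(version, -1) < TLS_RANK[REQUIRED]:
            findings.append((name, f"minimalTlsVersion is {version}"))
    return findings


def check_template_text(text):
    """Parse a template file's JSON text and run the check."""
    return check_mysql_tls(json.loads(text))


# Constructed sample template (not from the page): one server pinned to TLS 1.0,
# one with no minimalTlsVersion at all, and one correctly pinned to TLS 1.2.
SAMPLE_TEMPLATE = """{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.DBforMySQL/servers", "name": "bad", "apiVersion": "2017-12-01",
     "location": "[parameters('location')]", "properties": {"minimalTlsVersion": "TLS1_0"}},
    {"type": "Microsoft.DBforMySQL/servers", "name": "legacy", "apiVersion": "2017-12-01",
     "location": "[parameters('location')]", "properties": {}},
    {"type": "Microsoft.DBforMySQL/servers", "name": "good", "apiVersion": "2017-12-01",
     "location": "[parameters('location')]", "properties": {"minimalTlsVersion": "TLS1_2"}}
  ]
}"""

if __name__ == "__main__":
    for name, reason in check_template_text(SAMPLE_TEMPLATE):
        print(f"{name}: {reason}")
```

Run against the constructed template it reports "bad" and "legacy" and stays silent on "good"; point it at a real template file with `check_template_text(open(path).read())`.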