MySQL DB server minimum TLS version

Security · Azure Database for MySQL · Rule · 2020_09 · Critical

MySQL DB servers should reject TLS versions older than 1.2.

Description

The minimum version of TLS that MySQL DB servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

Recommendation

Consider configuring the minimum supported TLS version to be 1.2.

Examples

Configure with Azure template

To deploy servers that pass this rule:

• Set the properties.minimalTlsVersion property to TLS1_2.

For example:

Azure Template snippet

{
  "type": "Microsoft.DBforMySQL/servers",
  "apiVersion": "2017-12-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "GP_Gen5_2",
    "tier": "GeneralPurpose",
    "capacity": 2,
    "size": "5120",
    "family": "Gen5"
  },
  "properties": {
    "createMode": "Default",
    "version": "8.0",
    "administratorLogin": "[parameters('administratorLogin')]",
    "administratorLoginPassword": "[parameters('administratorLoginPassword')]",
    "minimalTlsVersion": "TLS1_2",
    "sslEnforcement": "Enabled",
    "publicNetworkAccess": "Disabled",
    "storageProfile": {
      "storageMB": 5120,
      "backupRetentionDays": 7,
      "geoRedundantBackup": "Enabled"
    }
  }
}

Configure with Bicep

To deploy servers that pass this rule:

• Set the properties.minimalTlsVersion property to TLS1_2.

For example:

Azure Bicep snippet

resource singleServer 'Microsoft.DBforMySQL/servers@2017-12-01' = {
  name: name
  location: location
  sku: {
    name: 'GP_Gen5_2'
    tier: 'GeneralPurpose'
    capacity: 2
    size: '5120'
    family: 'Gen5'
  }
  properties: {
    createMode: 'Default'
    version: '8.0'
    administratorLogin: administratorLogin
    administratorLoginPassword: administratorLoginPassword
    minimalTlsVersion: 'TLS1_2'
    sslEnforcement: 'Enabled'
    publicNetworkAccess: 'Disabled'
    storageProfile: {
      storageMB: 5120
      backupRetentionDays: 7
      geoRedundantBackup: 'Enabled'
    }
  }
}

Notes

This rule is only applicable for the Azure Database for MySQL Single Server deployment model.

Links

• SE:07 Encryption
• TLS enforcement in Azure Database for MySQL
• Set TLS configurations for Azure Database for MySQL
• TLS encryption in Azure
• Preparing for TLS 1.2 in Microsoft Azure
• Azure deployment reference

Comments