Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Configure TLS Version for MySQL Flexible Database Servers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: MySQL-002

Ensure that your Azure MySQL flexible database servers are using the latest version of TLS encryption protocol (i.e. TLS version 1.2 or TLS version 1.3) in order to secure the connection between your MySQL database servers and their clients/applications.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

When working with production data, it is strongly recommended to enable in-transit encryption by enforcing Transport Layer Security (TLS) connections between MySQL database servers and database applications. However, using an outdated version of the TLS protocol such as TLS version 1.0, known to be susceptible to certain Common Vulnerabilities and Exposures (CVE) weaknesses, can expose your database to different types of attacks. To protect your data against cyber attacks such as Man-In-the-Middle (MITM) attacks and fulfill compliance requirements for in-transit encryption within your organization, ensure that the 'tls_version' parameter is set to 'TLSV1.2' or 'TLSV1.3' for all your MySQL flexible database servers.

Audit

To determine the TLS version configured for your Azure MySQL flexible database servers, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 From the Type filter box, select Equals, choose Azure Database for MySQL flexible server, and select Apply to list the MySQL flexible servers available within your Azure account.

04 Click on the name (link) of the MySQL flexible database server that you want to examine.

05 In the navigation panel, under Settings, select Server parameters to access the configuration parameters available for the selected MySQL server.

06 On Server parameters page, find the tls_version parameter entry using the Search to filter items… search box. Once the tls_version parameter is found, check its configuration value available within the Value column. If the server parameter value is different than TLSV1.2 or TLSV1.3, the selected Azure MySQL flexible database server does not use the latest available version of the TLS protocol (i.e. TLS version 1.2 or TLS version 1.3).

07 Repeat steps no. 4 – 6 for each MySQL flexible database server provisioned in the current Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure PowerShell

01 Run mysql flexible-server list command (Windows/macOS/Linux) using custom query filters to list the name of each MySQL flexible database server (and the name of the associated resource group) available within the current Azure subscription: 

az mysql flexible-server list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'
  —-subscription <subscription-id>

02 The command output should return a table with requested MySQL server information: 

Name                      ResourceGroup
------------------------  ------------------------------
cc-mysql-flexible-server  cloud-shell-storage-westeurope

03 Run mysql flexible-server parameter show command (Windows/macOS/Linux) using the name of the MySQL flexible database server that you want to examine and its associated resource group as the identifier parameters, to describe the "tls_version" parameter value configured for the selected database server: 

az mysql flexible-server parameter show
  --server-name cc-mysql-flexible-server
  --resource-group cloud-shell-storage-westeurope
  --name tls_version
  --query 'value'

04 The command output should return the requested server parameter value: 

"TLSV1.1"

If the value returned by the mysql flexible-server parameter show command output is different than "TLSV1.2" or "TLSV1.3", as shown in the output example above, the selected Azure MySQL flexible database server does not use the latest available version of the TLS protocol (i.e. TLS version 1.2 or TLS version 1.3).

05 Repeat steps no. 3 and 4 for each MySQL flexible database server available in the selected Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To update the "tls_version" parameter value for your MySQL flexible database servers in order to enable the latest version of the TLS protocol (i.e. TLS 1.2 or TLS 1.3), perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 From the Type filter box, select Equals, choose Azure Database for MySQL flexible server, and select Apply to list the MySQL flexible servers available within your Azure account.

04 Click on the name (link) of the MySQL flexible database server that you want to reconfigure.

05 In the navigation panel, under Settings, select Server parameters to access the configuration parameters available for the selected MySQL server.

06 On Server parameters page, find the tls_version parameter entry using the Search to filter items… search box.

07 Once the tls_version server parameter is found, set the parameter value to TLS version 1.2 (or 1.3) by selecting TLSV1.2 from the VALUE column dropdown list.

08 Choose Save to apply the changes.

09 Repeat steps no. 4 – 8 for each MySQL flexible database server provisioned in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run mysql flexible-server parameter set command (Windows/macOS/Linux) using the name of the MySQL flexible database server that you want to reconfigure as the identifier parameter, to update the "tls_version" configuration parameter in order to enforce the latest version of the TLS protocol (i.e. TLS 1.2 or TLS 1.3) on the selected database server: 

az mysql flexible-server parameter set
  --server-name cc-mysql-flexible-server
  --resource-group cloud-shell-storage-westeurope
  --name tls_version
  --value TLSV1.2

02 The command output should return the information available for the reconfigured server parameter: 

{
  "allowedValues": "TLSv1,TLSv1.1,TLSv1.2",
  "dataType": "Set",
  "defaultValue": "TLSv1.2",
  "description": "Which protocols the server permits for encrypted connections. By default, TLS 1.2 is enforced",
  "id": "/subscriptions/abcdabcd-abcd-1234-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DBforMySQL/flexibleServers/cc-mysql-flexible-server/configurations/tls_version",
  "isConfigPendingRestart": "True",
  "isDynamicConfig": "False",
  "isReadOnly": "False",
  "name": "tls_version",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "source": "user-override",
  "systemData": null,
  "type": "Microsoft.DBforMySQL/flexibleServers/configurations",
  "value": "TLSV1.2"
}

03 Repeat steps no. 1 and 2 for each MySQL flexible database server available in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Aug 4, 2022

Related MySQL rules