- A.9.1. Where can I find documentation that addresses security issues for MySQL?
- A.9.2. What is the default authentication plugin in MySQL 5.7?
- A.9.3. Does MySQL 5.7 have native support for SSL?
- A.9.4. Is SSL support built into MySQL binaries, or must I recompile the binary myself to enable it?
- A.9.5. Does MySQL 5.7 have built-in authentication against LDAP directories?
- A.9.6. Does MySQL 5.7 include support for Roles Based Access Control (RBAC)?
- A.9.7. Does MySQL 5.7 support TLS 1.0 and 1.1?
Where can I find documentation that addresses security issues for MySQL?
The best place to start is Chapter 6, Security.
Other portions of the MySQL Documentation which you may find useful with regard to specific security concerns include the following:
There is also the Secure Deployment Guide, which provides procedures for deploying a generic binary distribution of MySQL Enterprise Edition Server with features for managing the security of your MySQL installation.
What is the default authentication plugin in MySQL 5.7?
The default authentication plugin in MySQL 5.7 is
Does MySQL 5.7 have native support for SSL?
Most 5.7 binaries have support for SSL connections between the client and server. See Section 6.3, “Using Encrypted Connections”.
You can also tunnel a connection using SSH, if (for example) the client application does not support SSL connections. For an example, see Section 6.3.5, “Connecting to MySQL Remotely from Windows with SSH”.
Is SSL support built into MySQL binaries, or must I recompile the binary myself to enable it?
Most 5.7 binaries have SSL enabled for client/server connections that are secured, authenticated, or both. See Section 6.3, “Using Encrypted Connections”.
Does MySQL 5.7 have built-in authentication against LDAP directories?
The Enterprise edition includes a PAM Authentication Plugin that supports authentication against an LDAP directory.
Does MySQL 5.7 include support for Roles Based Access Control (RBAC)?
Not at this time.
Does MySQL 5.7 support TLS 1.0 and 1.1?
Support for the TLSv1 and TLSv1.1 connection protocols is removed as of MySQL 8.0.28. The protocols were deprecated from MySQL 8.0.26. For the consequences of that removal, see Deprecated TLS Protocols.
Support for TLS versions 1.0 and 1.1 is removed because those protocol versions are old, released in 1996 and 2006, respectively. The algorithms used are weak and outdated.
Unless you are using very old versions of MySQL Server or connectors, you are unlikely to have connections using TLS 1.0 or 1.1. MySQL connectors and clients select the highest TLS version available by default.
When was support for TLS 1.2 added to MySQL Server? MySQL Community Server added TLS 1.2 support when the community server switched to OpenSSL for MySQL 5.6, 5.7, and 8.0 in 2019. For MySQL Enterprise Edition, OpenSSL added TLS 1.2 support in 2015, in MySQL Server 5.7.10.
How can one view which TLS versions are in active use? For MySQL 5.7 or 8.0, review whether TLS 1.0 or 1.1 is in use by running this query:
If a thread using TLSv1.0 or TLSv1.1 is listed, you can determine where this connection is coming from by running this query:
Alternatively, you can run this query:
These queries provide details needed to determine which application is not supporting TLS 1.2 or 1.3, and target upgrades for those.
Are there other options for testing for TLS 1.0 or
1.1? Yes, you can disable those versions prior to
upgrading your server to a newer version. Explicitly specify
which version to use, either in
Do all MySQL Connectors (5.7 and 8.0) support TLS 1.2
and higher? What about C and C++ applications using
On MacOS, use this command:
What about Connector/J? Java 8 moved to TLS 1.2 as the default in January 2014; TLS 1.2 was supported prior to that, so unless you are running a very old version of Connector/J, you have TLS 1.2 support.
What about Connector/NET? For .NET applications, Microsoft stopped support of TLS 1.0 and 1.1 at the end of 2020. Support for TLS 1.2 was added in 2012. You would need to have a very old version of Connector/NET not to have support for TLS 1.2.
What about Connector/Python? It depends on what version of Python you are running. The SSL module in Python 2.6 supports TLS up to version 1.0 only. In that case, you will need to upgrade to Python 2.7.9 or higher, or Python 3.x, both of which support newer versions of TLS. For details, see Connector/Python Versions and https://www.calazan.com/how-to-check-if-your-python-app-supports-tls-12/.
What about Connector/Node.js or Node
MySQL2? TLS comes with
What about PHP? These versions of PHP support TLS 1.2 and higher.