WL#7709: Add server-side option to require secure transport
Affects: Server-5.7 — Status: Complete — Priority: Medium
MySQL Server currently provides a mechanism to require SSL for individual user accounts (CREATE USER ... REQUIRE SSL), but no mechanism for a DBA to require secure connections globally. A server option (e.g., --require_secure_transport) should be added which refuses TCP/IP connections without SSL globally, regardless of per-account settings. Because the client may send credentials in the handshake response packet, it is impractical for the server to prevent clients from sending data - including authentication credentials - without SSL. However, the server can and should prohibit further operations when SSL is not enabled, protecting against application data from being exposed on the network. Because SSL checks are done post-authentication and there is no "retry with SSL" mechanism, it is expected that non-SSL connection attempts will be terminated by the server when this option is enabled, rather than attempting to negotiate SSL. User Documentation ================== http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-8.html http://dev.mysql.com/doc/refman/5.7/en/server-system- variables.html#sysvar_require_secure_transport
FR1 - Implement new server global variable, "require_secure_transport". FR1.1 - Valid values will be standard boolean. FR1.2 - Values may be changed dynamically by users with SUPER privilege. FR1.3 - Explicit values must be provided when specifying the "require_secure_transport" option as a command-line or configuration file option. FR1.4 - Default value will be "OFF" FR1.5 - All per-account configurations requiring SSL or x509 will apply regardless of global variable configuration. FR2 - A value of "OFF" will perform no global checks for secure transport (legacy behavior). FR3 - A value of "ON" will prohibit all connections which are not secure. FR3.1 - A new error code and message will be introduced to indicate rejected connections. FR4 - Only connections of the following types will be considered "secure": * VIO_TYPE_SOCKET * VIO_TYPE_SSL * VIO_TYPE_SHARED_MEMORY FR5 - When no secured transports are available, dynamically setting require_secure_transport=ON will fail with an appropriate error. FR6 - While starting the server, if supplied value for require_secure_transport is ON and no secure transports are available, an error will be printed on log and server startup will be aborted.
MySQL Server provides per-account configuration to require SSL, but has no real concept of "secure" transports or the ability for DBAs to globally configure an instance to only accept secure connections, or to restrict certain (infrequent) administrative operations involving plain-text passwords to secure connections. This WL should allow DBAs to require secure transport for all connections.
Changes will be made as follows: * sql/sys_vars.cc - Add require_secure_transport configuration variable. * sql/sql_authentication.cc - Check require_secure_transport state and throw error if set to ON if not using secure transport. Check to be implemented in a new method for reuse in other situations. * include/mysqld_error.h and sql/share/errmsg-utf8.txt - Add new error codes/messages. New MTR test cases covering the variable basics and functionality will be added.
Copyright (c) 2000, 2019, Oracle Corporation and/or its affiliates. All rights reserved.