Profile Applicability:

  • Level 1

Description:
TLS version 1.2 or higher should be enforced for Azure Database for MySQL flexible servers so that data in transit is encrypted. Enforcing TLS 1.2 or higher protects connections from the known weaknesses of older protocol versions and from man-in-the-middle attacks.

Rationale:
Transport Layer Security (TLS) provides a secure channel over which data can be transmitted. Enforcing a current version of TLS prevents clients from negotiating the older versions (TLS 1.0 and TLS 1.1), which have known vulnerabilities.

Impact:

  • Pros:

    • Enhances data security by enforcing encryption during data transmission.

    • Helps mitigate man-in-the-middle attacks.

    • Complies with modern security standards.

  • Cons:

    • Older clients or systems that do not support TLS 1.2 might face compatibility issues.

Default Value:

By default, TLS 1.2 is enforced for MySQL flexible servers.

Pre-requisites:
Ensure that all clients interacting with the database server support TLS 1.2 or higher.

Remediation:

Test Plan:

Using Azure Portal:

  1. Log in to the Azure Portal: https://portal.azure.com.

  2. Navigate to Azure Database for MySQL flexible servers.

  3. For each database, click on Server parameters under Settings.

  4. In the search box, type tls_version.

  5. Ensure tls_version is set to TLSv1.2 (or higher).

Using Azure CLI:

  1. Run the following command to verify the TLS version:

     az mysql flexible-server parameter show --name tls_version --resource-group <resourceGroupName> --server-name <serverName>

  • The value field of the output should be TLSv1.2 or higher.

Implementation Plan:

Using Azure Portal:

  1. Log in to Azure Portal.

  2. Navigate to Azure Database for MySQL flexible servers.

  3. Click on the server and go to Server parameters.

  4. Search for tls_version and set the value to TLSv1.2 or higher.

Using Azure CLI:

  1. To configure the TLS version to TLS 1.2, run:

     az mysql flexible-server parameter set --name tls_version --resource-group <resourceGroupName> --server-name <serverName> --value TLSv1.2
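The following script is an added example and is not part of the benchmark text or of Azure's own tooling. It wraps the Test Plan and Implementation Plan commands above in a small audit routine: it reads the tls_version parameter, decides whether the value satisfies "TLSv1.2 or higher", and optionally applies the Implementation Plan command. The resource group and server names are placeholders supplied by the caller, and the `--query value -o tsv` filter is a JMESPath query that narrows the CLI output to the parameter's value field. The check treats the value as a comma-separated list because the underlying MySQL tls_version variable is one; whether a given Azure server exposes more than one entry is an assumption, and the check is correct either way.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: audit the tls_version server
# parameter of an Azure Database for MySQL flexible server against the
# "TLSv1.2 or higher" requirement and, optionally, remediate it with the same
# az commands the Test Plan and Implementation Plan use.
# Resource group and server names are placeholders supplied by the caller.

# Returns 0 when the given tls_version value satisfies the control.
# The MySQL tls_version variable is a comma-separated list of permitted
# protocol versions, so every entry must be TLSv1.2 or TLSv1.3; an empty
# value or any entry such as TLSv1 or TLSv1.1 fails. Matching ignores case,
# since the portal shows the value as TLSV1.2 while the CLI shows TLSv1.2.
tls_version_compliant() {
  value="$1"
  [ -n "$value" ] || return 1
  result=0
  saved_ifs="$IFS"
  IFS=','
  for entry in $value; do
    entry=$(printf '%s' "$entry" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    case "$entry" in
      TLSV1.2|TLSV1.3) ;;   # acceptable versions
      *) result=1 ;;        # anything else (TLSV1, TLSV1.1, garbage) fails
    esac
  done
  IFS="$saved_ifs"
  return "$result"
}

# Prints the current tls_version value (the Test Plan command, narrowed to
# the "value" field of its JSON output).
fetch_tls_version() {
  az mysql flexible-server parameter show --name tls_version \
    --resource-group "$1" --server-name "$2" --query value -o tsv
}

# Sets tls_version to TLSv1.2 (the Implementation Plan command).
enforce_tls_1_2() {
  az mysql flexible-server parameter set --name tls_version \
    --resource-group "$1" --server-name "$2" --value TLSv1.2
}

# Audits one server; with a third argument of "fix" it also remediates.
# Exit status: 0 compliant, 1 non-compliant (or remediation did not take).
audit_server() {
  rg="$1"; server="$2"; mode="${3:-report}"
  current=$(fetch_tls_version "$rg" "$server") || return 1
  if tls_version_compliant "$current"; then
    echo "$server: tls_version=$current (compliant)"
    return 0
  fi
  echo "$server: tls_version=$current (NOT compliant)"
  [ "$mode" = "fix" ] || return 1
  enforce_tls_1_2 "$rg" "$server" >/dev/null || return 1
  current=$(fetch_tls_version "$rg" "$server") || return 1
  tls_version_compliant "$current" && echo "$server: remediated to $current"
}

# Usage: MYSQL_RG=<resourceGroupName> MYSQL_SERVER=<serverName> sh audit_tls.sh [fix]
# Nothing contacts Azure unless both variables are set, so the functions can be
# sourced or tested on their own.
if [ -n "${MYSQL_RG:-}" ] && [ -n "${MYSQL_SERVER:-}" ]; then
  audit_server "$MYSQL_RG" "$MYSQL_SERVER" "${1:-report}"
fi
```

Run it in report mode first across each server in scope; only pass `fix` once the Pre-requisites check (every client supports TLS 1.2 or higher) has been completed, because the parameter change takes effect for new connections from clients that may not be able to negotiate the newer version.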
Backout Plan:

Using Azure Portal:

  1. Log in to Azure Portal.

  2. Navigate to Azure Database for MySQL flexible servers.

  3. Change the tls_version parameter to a lower version, such as TLSv1.1 or TLSv1.0, if necessary.

Using Azure CLI:

  1. To revert the TLS version, run:

     az mysql flexible-server parameter set --name tls_version --resource-group <resourceGroupName> --server-name <serverName> --value TLSv1.1

References: