Description
Ensure tls_version on MySQL flexible servers is set to TLS version 1.2 or higher.
Rationale
TLS connectivity provides an additional layer of security by connecting the database server to client applications using Transport Layer Security (TLS). Enforcing TLS connections between the database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application.
Audit
From Azure Portal
- Log in to Azure Portal using https://portal.azure.com.
- Go to Azure Database for MySQL flexible servers.
- For each database, under Settings, click Server parameters.
- In the filter bar, type tls_version.
- Ensure tls_version is set to TLSv1.2 (or higher).
From Azure CLI
Ensure the value of the following command contains TLSv1.2 or higher, and does not contain anything lower than TLSv1.2:
az mysql flexible-server parameter show \
--resource-group {{resource-group-name}} \
--server-name {{server-name}} \
--name tls_version
Example output:
{
  "allowedValues": "TLSv1,TLSv1.1,TLSv1.2",
  "dataType": "Set",
  "defaultValue": "TLSv1.2",
  "description": "Which protocols the server permits for encrypted connections. By default, TLS 1.2 is enforced",
  "id": "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.DBforMySQL/flexibleServers/<serverName>/configurations/tls_version",
  "isConfigPendingRestart": "False",
  "isDynamicConfig": "False",
  "isReadOnly": "False",
  "name": "tls_version",
  "resourceGroup": "<resourceGroupName>",
  "source": "system-default",
  "systemData": null,
  "type": "Microsoft.DBforMySQL/flexibleServers/configurations",
  "value": "TLSv1.2"
}
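The audit rule above can be scripted. The following is an added example, not part of the original page: because tls_version is a Set, a value such as TLSv1,TLSv1.2 contains TLSv1.2 yet still permits a lower protocol, so every listed entry has to be checked. The audit_server helper and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original page.

# tls_value_compliant VALUE
# VALUE is the comma-separated Set from the parameter's "value" field.
# Returns 0 only when every listed protocol is TLSv1.2 or higher.
# The parenthesised body runs in a subshell, so IFS and globbing changes stay local.
tls_value_compliant() (
    value=$(printf '%s' "$1" | tr -d '[:space:]')
    IFS=,
    set -f
    seen=0
    for proto in $value; do
        case "$proto" in
            TLSv[0-9]*) ver=${proto#TLSv} ;;
            *) return 1 ;;                      # unknown token: fail closed
        esac
        major=${ver%%.*}
        case "$ver" in
            *.*) minor=${ver#*.} ;;
            *)   minor=0 ;;                     # "TLSv1" means TLS 1.0
        esac
        case "$major" in ''|*[!0-9]*) return 1 ;; esac
        case "$minor" in ''|*[!0-9]*) return 1 ;; esac
        if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 2 ]; }; then
            return 1                            # a protocol below TLS 1.2 is enabled
        fi
        seen=1
    done
    [ "$seen" -eq 1 ]                           # an empty value is not compliant
)

# audit_server RESOURCE_GROUP SERVER_NAME
# Hypothetical helper: needs a logged-in az CLI, returns 2 if the query fails.
audit_server() {
    v=$(az mysql flexible-server parameter show \
            --resource-group "$1" --server-name "$2" \
            --name tls_version --query value --output tsv) || return 2
    tls_value_compliant "$v"
}

# Constructed sample values, not real server output.
for sample in "TLSv1.2" "TLSv1.2,TLSv1.3" "TLSv1,TLSv1.1,TLSv1.2" "TLSv1.1"; do
    if tls_value_compliant "$sample"; then result=PASS; else result=FAIL; fi
    printf '%-24s %s\n' "$sample" "$result"
done
```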
From PowerShell
Ensure the Value of the following command contains TLSv1.2 or higher, and does not contain anything lower than TLSv1.2:
Get-AzMySqlFlexibleServerConfiguration `
-ResourceGroupName {{resource-group-name}} `
-ServerName {{server-name}} `
-Name tls_version
Default Value
By default, TLS is set to v1.2 for MySQL flexible servers.