Mysql – Is it impossible to force MariaDB users to SSL

etlmariadbMySQLssl

First of all, my english is really bad, so sorry for my english mistakes.
I have a MariaDB 10.2.15. I installed SSL, and its working fine, but I cant force use SSL to users.

my.cnf:

[mysqld]
ssl
ssl-ca=/etc/mariadb/ssl/ca.pem
ssl-cert=/etc/mariadb/ssl/server-cert.pem
ssl-key=/etc/mariadb/ssl/server-key.pem
ssl-cipher = AES128+EECDH:AES128+EDH

ssl variables:

+---------------------+----------------------------------+
| Variable_name       | Value                            |
+---------------------+----------------------------------+
| have_openssl        | YES                              |
| have_ssl            | YES                              |
| ssl_ca              | /etc/mariadb/ssl/ca.pem          |
| ssl_capath          |                                  |
| ssl_cert            | /etc/mariadb/ssl/server-cert.pem |
| ssl_cipher          | AES128+EECDH:AES128+EDH          |
| ssl_crl             |                                  |
| ssl_crlpath         |                                  |
| ssl_key             | /etc/mariadb/ssl/server-key.pem  |
| version_ssl_library | OpenSSL 1.0.1e-fips 11 Feb 2013  |
+---------------------+----------------------------------+

I found this variable:

require_secure_transport

and I also found this:

MySQL-only variable determining whether client to server connections
need to be secure.

So, can I do anything else? Cause now, the users can connect without SSL. I feel its really unnecessary without forcing.

UPDATE for clear:
SHOW GRANTS:

GRANT ALL PRIVILEGES ON *.* TO 'denes'@'%' IDENTIFIED BY PASSWORD '*SOMETHINGPASSWORD' REQUIRE SSL WITH GRANT OPTION

Login Panel - HeidiSQL

SSL Turned off as u can see

And I still can login to MariaDB over TCP without SSL

Best Answer

REQUIRE SSL grant option on users is what you need. It works for me as intended:

MariaDB [(none)]> CREATE USER testssl@localhost;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> GRANT USAGE ON *.* TO testssl@localhost REQUIRE SSL;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> Bye

$ sudo mysql -u testssl --ssl
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 11
Server version: 10.3.7-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show grants;
+---------------------------------------------------------+
| Grants for testssl@localhost                            |
+---------------------------------------------------------+
| GRANT USAGE ON *.* TO 'testssl'@'localhost' REQUIRE SSL |
+---------------------------------------------------------+
1 row in set (0.000 sec)

MariaDB [(none)]> Bye

$ sudo mysql -u testssl --skip-ssl
ERROR 1045 (28000): Access denied for user 'testssl'@'localhost' (using password: NO)

$ grep ssl /etc/my.cnf
ssl-ca = /etc/mysql/ca.pem # [client]
ssl-cert = /etc/mysql/client-cert.pem
ssl-key = /etc/mysql/client-key.pem
ssl-ca = /etc/mysql/ca.pem # [server]
ssl-cert = /etc/mysql/server-cert.pem
ssl-key = /etc/mysql/server-key.pem

You can see how workbench works with SSL, but fails to connect if I force it to not use SSL:

Works Doesn't work

require_secure_transport is MySQL 5.7+ only, and while it has something to do with forcing TLS, it also considers secure local unencrypted connections.

Related Question