When setting up new MySQL or MariaDB servers, I am much more concerned about security than performance. The MySQL and MariaDB documentation use the words "allow" and "permit" around all the SSL options, where I would much rather see "require".
I am looking for something like, "mysqld --ssl-mode=REQUIRE" but that apparently doesn't work [anymore?] because the logs say that's a bad option. I am not looking to do this per-user, I'm looking to do it for the whole system, no matter what.
I should point out that all of my certificates are working fine, and I've verified that all of that works. It's just that now, I would like to REQUIRE it be used, always, by everyone, period, strictly, no exceptions, no, not even that one, yes really. Remote? Encrypt. Localhost? Encrypt. Root? Encrypt. Somebody else? Encrypt. In short: connected to anything at all for any reason? Encrypt.
Does anybody know of a master switch to require this all the time, period?
Again, I am not looking for per-user options; that's exactly what I'm hoping to avoid. This is for an embedded device that may be in service for an extended period of time, and the less branching logic, the better. "Always" tends to have fewer edge cases.
Thanks!
Best Answer
As of MySQL 5.7, it does not seem to be possible to force SSL from the server side, without specifying it for each user.
https://dev.mysql.com/doc/refman/5.7/en/encrypted-connection-options.html#option_general_ssl-mode
BOO. You can only force SSL from the client side. Opposite of what you want to do. This is likely why you're getting "bad option" trying to use it as a server setting.
Also:
Enforcing users to require SSL by routinely checking the users table for REQUIRE SSL seems hacky, but it might be your best option.
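The routine check of the users table that the answer describes, as an added example that is not part of the original post: it reads the `ssl_type` column of `mysql.user`, lists the accounts that have no REQUIRE clause, and prints the `ALTER USER ... REQUIRE SSL` statement for each. The function names and the sample rows are constructed for illustration.

```python
# Added example: audit MySQL/MariaDB accounts for a missing TLS requirement.
# Input is the tab-separated output of this command, run on the server:
#   mysql -N -B -e "SELECT user, host, ssl_type FROM mysql.user"
# ssl_type is '' when the account has no REQUIRE clause, otherwise
# ANY (REQUIRE SSL), X509 or SPECIFIED.

# Constructed sample output, not taken from a real server.
SAMPLE = (
    "root\tlocalhost\t\n"
    "app\t%\tANY\n"
    "backup\t10.0.0.%\tX509\n"
    "o'brien\t%\t\n"
    "\tlocalhost\t\n"  # anonymous account (empty user name)
)


def parse_rows(text):
    """Yield (user, host, ssl_type) tuples from mysql --batch output."""
    for line in text.split("\n"):
        if not line:
            continue
        # --batch escapes tab, newline and backslash inside values; such
        # names are rejected here instead of being guessed at.
        if "\\" in line:
            raise ValueError(f"escaped value, check by hand: {line!r}")
        fields = line.split("\t")
        if len(fields) != 3:
            raise ValueError(f"unexpected row: {line!r}")
        yield tuple(fields)


def quote(value):
    """Quote a string as a SQL literal by doubling single quotes."""
    return "'" + value.replace("'", "''") + "'"


def unprotected(text):
    """Return (user, host) for every account that may connect without TLS."""
    return [(u, h) for u, h, ssl in parse_rows(text) if ssl == ""]


def remediation_sql(text):
    """Return one ALTER USER statement per unprotected account."""
    return [f"ALTER USER {quote(u)}@{quote(h)} REQUIRE SSL;"
            for u, h in unprotected(text)]


if __name__ == "__main__":
    for statement in remediation_sql(SAMPLE):
        print(statement)
```

Run from cron or a systemd timer, a non-empty result is the signal that an account was created or altered without the requirement.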