How to Configure MySQL to Use TLS 1.3

Securing database communication is critical for protecting sensitive data from interception and tampering. This article provides a direct guide on how to configure a MySQL instance to exclusively use TLS 1.3 for all incoming client connections. You will learn the required prerequisites, the specific configuration file changes needed to enforce TLS 1.3, and how to verify that your database is successfully restricting older, less secure protocols.

Prerequisites

To enforce TLS 1.3, your environment must meet the following requirements: * MySQL Server version: 8.0.16 or higher (TLS 1.3 support is not available in older versions). * OpenSSL version: MySQL must be compiled with OpenSSL 1.1.1 or higher. * SSL Certificates: You must have valid CA, server certificate, and server private key files.


Step 1: Locate and Edit the MySQL Configuration File

Open your MySQL configuration file (typically my.cnf on Linux/macOS or my.ini on Windows) using an administrative text editor. Common paths include /etc/mysql/my.cnf, /etc/my.cnf, or /etc/mysql/mysql.conf.d/mysqld.cnf.

Under the [mysqld] section, specify the paths to your SSL certificates and set the tls_version system variable to strictly allow TLSv1.3:

[mysqld]
# Specify the paths to your SSL certificates
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/server-cert.pem
ssl-key=/var/lib/mysql/server-key.pem

# Restrict incoming connections to TLS 1.3 only
tls_version=TLSv1.3

(Note: If you want to allow TLS 1.2 alongside TLS 1.3 as a transition phase, you can write tls_version=TLSv1.2,TLSv1.3 instead.)


Step 2: Restart the MySQL Service

To apply the changes, restart the MySQL database service. Run the appropriate command for your operating system:

For systemd-based Linux systems (Ubuntu, Debian, CentOS, RHEL):

sudo systemctl restart mysql

(On some systems, the service may be named mysqld)

For Windows systems:

net stop MySQL80 && net start MySQL80

Step 3: Verify TLS 1.3 Enforcement

Log into your MySQL instance using the MySQL command-line client to confirm that the server is successfully running TLS 1.3.

mysql -u root -p

Once logged in, execute the following SQL query to check the active TLS versions supported by the server:

SHOW VARIABLES LIKE 'tls_version';

The output should display:

+---------------+---------+
| Variable_name | Value   |
+---------------+---------+
| tls_version   | TLSv1.3 |
+---------------+---------+

Next, verify the encryption status of your current active connection by running:

\s

Look for the SSL line in the output. It should specify that the connection is active and utilizes a TLS 1.3 cipher suite, for example:

SSL: Cipher in use is TLS_AES_256_GCM_SHA384

Step 4: Enforce TLS 1.3 for Specific Users (Optional)

To ensure that specific database users are strictly required to use secure connections, you can alter their user profiles to require encrypted connections:

ALTER USER 'username'@'host' REQUIRE SSL;