skip to Main Content

I’ve recently upgraded my local machine OS from Ubuntu 18.04 to 20.04, I’m running my MySQL-server on CentOS (AWS). Post upgrade whenever I’m trying to connect to MySQL server it is throwing SSL connection error.

$ mysql -u yamcha -h database.yourproject.com -p --port 3309

ERROR 2026 (HY000): SSL connection error: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

But if I pass --ssl-mode=disabled option along with it, I’m able to connect remotely.

$ mysql -u yamcha -h database.yourproject.com -p --port 3309 --ssl-mode=disabled

Welcome to the MySQL monitor.  Commands end with ; or g.
Your MySQL connection id is 22158946
Server version: 5.7.26 MySQL Community Server (GPL)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.

mysql> 

Queries:

  1. How to connect without passing --ssl-mode=disabled
  2. How to pass this --ssl-mode=disabled option in my Django application, currently I’ve defined it as shown below, but I’m still getting the same error.
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'yamcha',
        'USER': 'yamcha',
        'PASSWORD': 'xxxxxxxxxxxxxxx',
        'HOST': 'database.yourproject.com',
        'PORT': '3309',
        'OPTIONS': {'ssl': False},
    }

7

Answers


  1. Ubuntu 20 has improved the security level.
    The only way i could connect was allowing the tls 1 .

    Edit this file:

    /usr/lib/ssl/openssl.cnf
    

    And put at the beginning of file:

    openssl_conf = default_conf
    

    And in the end of that file too:

    [ default_conf ]
    
    ssl_conf = ssl_sect
    
    [ssl_sect]
    
    system_default = ssl_default_sect
    
    [ssl_default_sect]
    MinProtocol = TLSv1
    CipherString = DEFAULT:@SECLEVEL=1
    

    It help me a lot: https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level

    Login or Signup to reply.
  2. Add this to your mysql 5.7 server config file and then restart your mysql service

    [mysqld]
    tls_version=TLSv1.2
    

    Now you should be able to connect to it using tls 1.2, which is the default in Ubuntu 20.04


    For the sake of completeness, in Ubuntu 20.04 actually my.cnf and mysql.cnf are actually the same file. So editing either one will work.

    $ readlink -f /etc/mysql/my.cnf
    /etc/mysql/mysql.cnf
    
    Login or Signup to reply.
  3. Bump mysqlclient to v2.X, which added ssl_mode option, https://github.com/PyMySQL/mysqlclient-python/blob/main/HISTORY.rst

    DATABASES = {
        'default': {
            'ENGINE': 'django.db.backends.mysql',
            'NAME': 'yamcha',
            'USER': 'yamcha',
            'PASSWORD': 'xxxxxxxxxxxxxxx',
            'HOST': 'database.yourproject.com',
            'PORT': '3309',
            'OPTIONS': {'ssl_mode': 'DISABLED'},
        }
    }
    
    Login or Signup to reply.
  4. For anyone googling, you can use this flag in mysql cmd: --ssl-mode=DISABLED. I.E:

    mysql -uuser -p'myPassw0rd!' -hmysql.company.com --ssl-mode=DISABLED
    
    Login or Signup to reply.
  5. If You are using MYSQL Workbench :

    Just Disable the SSL by editing the connection.

    1. Go to edit Connection in connection panel

    2. Select SSL in options after parameter as given in screenshot
      On connection

    enter image description here

    1. Select Use SSL : NO

    enter image description here

    1. Finally it would look like this.

    enter image description here

    On clients other than Mysql workbench also you can try disabling SSL

    Login or Signup to reply.
  6. If you still want the upgraded security features then you can consider upgrading your mysql server to 5.7.

    Login or Signup to reply.
  7. I encoutered same question as well. Combine the idea from above and documents.
    https://dev.mysql.com/doc/refman/5.7/en/encrypted-connection-protocols-ciphers.html#encrypted-connection-supported-protocols

    Here is my thought

    1. Check os system openssl version and its support ssl/tls version by $ openssl version. Check the system settings /etc/ssl/openssl.cnf as well.
    2. Check MySQL support TLS version by SHOW GLOBAL VARIABLES LIKE 'tls_version';
    3. Check your python mysql client TLS version. For my experience I am using mysql-connector-python. Document said since 8.0.28 would not support TLS 1.1 and below. That’s why I cannot connect to MySQL. https://dev.mysql.com/doc/connector-python/en/connector-python-connectargs.html

    In MySQL document, it mentioned TLS version which client could use should be the union set of host os TLS version and MySQL TLS version.
    For example, your host only support TLS 1.1 / 1.2 and MySQL setting si TLS 1.0. There is no compatible TLS version for client.

    Hope these tips could help.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search