57

I've recently upgraded my local machine's OS from Ubuntu 18.04 to 20.04. I'm running my MySQL server on CentOS (AWS). After the upgrade, whenever I try to connect to the MySQL server, it throws an SSL connection error.

$ mysql -u yamcha -h database.yourproject.com -p --port 3309

ERROR 2026 (HY000): SSL connection error: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

But if I pass --ssl-mode=disabled option along with it, I'm able to connect remotely.

$ mysql -u yamcha -h database.yourproject.com -p --port 3309 --ssl-mode=disabled

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 22158946
Server version: 5.7.26 MySQL Community Server (GPL)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

Queries:

  1. How to connect without passing --ssl-mode=disabled
  2. How to pass this --ssl-mode=disabled option in my Django application, currently I've defined it as shown below, but I'm still getting the same error.
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'yamcha',
        'USER': 'yamcha',
        'PASSWORD': 'xxxxxxxxxxxxxxx',
        'HOST': 'database.yourproject.com',
        'PORT': '3309',
        'OPTIONS': {'ssl': False},
    }
}
2
  • 2
    The best solution would be to upgrade the version of MySQL being used in RDS. I have this issue with engine version 5.6.44 but not with 8.0.17. TLS 1.0 is no longer considered secure so enforcing it to be used seems like a hacky solution to me. Commented Jul 24, 2020 at 8:34
  • 1
    @mRyan's comment is the best answer and it worked for me. Commented Oct 30, 2021 at 21:19

9 Answers

71

For anyone googling, you can use this flag in mysql cmd: --ssl-mode=DISABLED, i.e.:

mysql -uuser -p'myPassw0rd!' -hmysql.company.com --ssl-mode=DISABLED

Or in mariadb client use --skip-ssl flag.

For example:

$ mariadb --defaults-extra-file=secret.cnf --skip-ssl

3 Comments

I think this is the best answer for me because I would not like to edit global settings to connect to a single SQL instance. This gives the perfect temp solution without affecting anything else.
I'm sure this isn't the ideal solution but is a quick way to get working as opposed to editing ssl confs
this advice completely disables ssl and conveniently puts the users password on the wire in plain text with no encryption. anyone who follows this advice should not be surprised when their mysql server is compromised. putting advice like this on stack overflow, without explaining the caveat of being completely insecure, is irresponsible at best.
65

Ubuntu 20 has improved the security level. The only way I could connect was by allowing TLS 1.

Edit this file:

/usr/lib/ssl/openssl.cnf

And put at the beginning of file:

openssl_conf = default_conf

And in the end of that file too:

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = ssl_default_sect

[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1

It helped me a lot: https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level

3 Comments

I followed the steps and still have the same issue; I'm only able to connect when I pass --ssl-mode=disabled
Instead of downgrading your ssl and potentially security level, you may also simply upgrade mysqld to ssl 1.2. See this answer below.
this is a dangerous solution, TLS 1.0 has been deprecated due to significant security flaws. blog.cdnsun.com/… much better to upgrade your cryptography library to keep your database secure.
14

Add this to your mysql 5.7 server config file and then restart your mysql service

[mysqld]
tls_version=TLSv1.2

Now you should be able to connect to it using tls 1.2, which is the default in Ubuntu 20.04


For the sake of completeness, in Ubuntu 20.04 my.cnf and mysql.cnf are actually the same file. So editing either one will work.

$ readlink -f /etc/mysql/my.cnf
/etc/mysql/mysql.cnf

Comments

10

Bump mysqlclient to v2.X, which added ssl_mode option, https://github.com/PyMySQL/mysqlclient-python/blob/main/HISTORY.rst

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'yamcha',
        'USER': 'yamcha',
        'PASSWORD': 'xxxxxxxxxxxxxxx',
        'HOST': 'database.yourproject.com',
        'PORT': '3309',
        'OPTIONS': {'ssl_mode': 'DISABLED'},
    }
}

2 Comments

For me, just updating my version of mysqlclient did the trick. I did not change the DATABASES dict.
Thank you. This finally did it for me. It was impossible to find the documentation in the Django docs for what the option was actually called.
8

If you are using MySQL Workbench:

Just disable SSL by editing the connection.

  1. Go to Edit Connection in the connection panel.

  2. Select SSL in the options after Parameters, as given in the screenshot.

  3. Select Use SSL: NO.

  4. Finally it would look like this.

On clients other than MySQL Workbench you can also try disabling SSL.

1 Comment

Setting this option in workbench doesn't affect data exporting. It still fails with the same error.
1

If you still want the upgraded security features then you can consider upgrading your mysql server to 5.7.

Comments

0

I encountered the same question as well. Combine the ideas from above and the documentation. https://dev.mysql.com/doc/refman/5.7/en/encrypted-connection-protocols-ciphers.html#encrypted-connection-supported-protocols

Here are my thoughts:

  1. Check the OS OpenSSL version and the SSL/TLS versions it supports with $ openssl version. Check the system settings in /etc/ssl/openssl.cnf as well.
  2. Check the TLS versions MySQL supports with SHOW GLOBAL VARIABLES LIKE 'tls_version';
  3. Check your Python MySQL client's TLS version. In my experience, I am using mysql-connector-python. The documentation says that since 8.0.28 it does not support TLS 1.1 and below. That's why I could not connect to MySQL. https://dev.mysql.com/doc/connector-python/en/connector-python-connectargs.html

The MySQL documentation mentions that the TLS versions a client can use should be the union set of the host OS TLS versions and the MySQL TLS versions.
For example, if your host only supports TLS 1.1 / 1.2 and the MySQL setting is TLS 1.0, there is no compatible TLS version for the client.

Hope these tips could help.

Comments
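
The checks listed in the answer above can be combined into one offline comparison. This is an added example, not code from any of the posts: it reads a client openssl.cnf, follows the openssl_conf -> ssl_conf -> system_default chain to MinProtocol, and lists the TLS versions that both the client policy and the server's tls_version value allow. The sample config texts, the sample tls_version string "TLSv1,TLSv1.1", the function names and the TLSv1.2 fallback for a config without MinProtocol are assumptions.

```python
import re

TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed samples: a config with no MinProtocol override, and the
# override block quoted in an earlier answer on this page.
STOCK_CNF = "HOME = .\n[ req ]\ndefault_bits = 2048\n"
WEAKENED_CNF = """openssl_conf = default_conf
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = ssl_default_sect
[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
"""

def parse_openssl_cnf(text):
    """Return {section: {key: value}}; keys before any header go under ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def client_min_protocol(cnf_text, fallback="TLSv1.2"):
    """Follow openssl_conf -> ssl_conf -> system_default to MinProtocol.
    fallback is an assumption: the Ubuntu 20.04 default named on this page."""
    s = parse_openssl_cnf(cnf_text)
    name = s[""].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        name = s.get(name, {}).get(key)
    return s.get(name, {}).get("MinProtocol", fallback)

def negotiable(cnf_text, server_tls_version, client_max="TLSv1.3"):
    """TLS versions allowed by both the client policy and the server."""
    lo = TLS_ORDER.index(client_min_protocol(cnf_text))
    hi = TLS_ORDER.index(client_max)
    server = {v.strip() for v in server_tls_version.split(",")}
    return [v for v in TLS_ORDER[lo:hi + 1] if v in server]

if __name__ == "__main__":
    for label, cnf in (("stock", STOCK_CNF), ("weakened", WEAKENED_CNF)):
        print(label, negotiable(cnf, "TLSv1,TLSv1.1") or "no common version")
```

To use it on a real setup, pass the text of /etc/ssl/openssl.cnf and the value returned by SHOW GLOBAL VARIABLES LIKE 'tls_version'; an empty list means the two sides share no protocol version.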

0

Using mariadb from 11.4.2-MariaDB, client 15.2 for Linux, it looks like the argument --ssl-mode=disabled is not supported.

You can currently use --skip-ssl-verify-server-cert instead.

Comments

-2

If you are using a terminal on Ubuntu using MariaDB; just use --skip-ssl at the end, and you will login

mysql -u root -p database_name --skip-ssl

Or use as explained in change the config to login without giving --skip-ssl every time.

If you don't want to type --skip-ssl on the command line every time, you can instead add this to /etc/mysql/mariadb.conf.d/50-client.cnf or ${HOME}/.my.cnf:

[client]
skip-ssl = true

1 Comment

"If you are using a terminal on Ubuntu" - that's not what the OP is trying to use, and using --skip-ssl has already been part of another answer. Is there any need to duplicate existing answers?
