themrinalsinha
themrinalsinha

Reputation: 651

MySQL ERROR 2026 - SSL connection error - Ubuntu 20.04

I've recently upgraded my local machine OS from Ubuntu 18.04 to 20.04, I'm running my MySQL-server on CentOS (AWS). Post upgrade whenever I'm trying to connect to MySQL server it is throwing SSL connection error.

$ mysql -u yamcha -h database.yourproject.com -p --port 3309

ERROR 2026 (HY000): SSL connection error: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

But if I pass --ssl-mode=disabled option along with it, I'm able to connect remotely.

$ mysql -u yamcha -h database.yourproject.com -p --port 3309 --ssl-mode=disabled

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 22158946
Server version: 5.7.26 MySQL Community Server (GPL)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

Queries:

  1. How to connect without passing --ssl-mode=disabled
  2. How to pass this --ssl-mode=disabled option in my Django application, currently I've defined it as shown below, but I'm still getting the same error.
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'yamcha',
        'USER': 'yamcha',
        'PASSWORD': 'xxxxxxxxxxxxxxx',
        'HOST': 'database.yourproject.com',
        'PORT': '3309',
        'OPTIONS': {'ssl': False},
    }

Upvotes: 55

Views: 112134

Answers (8)

Moshe
Moshe

Reputation: 5139

For anyone googling, you can use this flag in mysql cmd: --ssl-mode=DISABLED. I.E:

mysql -uuser -p'myPassw0rd!' -hmysql.company.com --ssl-mode=DISABLED

Or in mariadb client use --skip-ssl flag.

For example:

$ mariadb --defaults-extra-file=secret.cnf --skip-ssl

Upvotes: 67

Antonio Romero Oca
Antonio Romero Oca

Reputation: 1245

Using mariadb from 11.4.2-MariaDB, client 15.2 for Linux, it looks like the argument --ssl-mode=disabled is not supported.

You can currently use --skip-ssl-verify-server-cert instead.

Upvotes: 0

鄭元傑
鄭元傑

Reputation: 1647

I encoutered same question as well. Combine the idea from above and documents. https://dev.mysql.com/doc/refman/5.7/en/encrypted-connection-protocols-ciphers.html#encrypted-connection-supported-protocols

Here is my thought

  1. Check os system openssl version and its support ssl/tls version by $ openssl version. Check the system settings /etc/ssl/openssl.cnf as well.
  2. Check MySQL support TLS version by SHOW GLOBAL VARIABLES LIKE 'tls_version';
  3. Check your python mysql client TLS version. For my experience I am using mysql-connector-python. Document said since 8.0.28 would not support TLS 1.1 and below. That's why I cannot connect to MySQL. https://dev.mysql.com/doc/connector-python/en/connector-python-connectargs.html

In MySQL document, it mentioned TLS version which client could use should be the union set of host os TLS version and MySQL TLS version.
For example, your host only support TLS 1.1 / 1.2 and MySQL setting si TLS 1.0. There is no compatible TLS version for client.

Hope these tips could help.

Upvotes: 0

ClaudioC
ClaudioC

Reputation: 1545

Ubuntu 20 has improved the security level. The only way i could connect was allowing the tls 1 .

Edit this file:

/usr/lib/ssl/openssl.cnf

And put at the beginning of file:

openssl_conf = default_conf

And in the end of that file too:

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = ssl_default_sect

[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1

It help me a lot: https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level

Upvotes: 65

ImPerat0R_
ImPerat0R_

Reputation: 663

Bump mysqlclient to v2.X, which added ssl_mode option, https://github.com/PyMySQL/mysqlclient-python/blob/main/HISTORY.rst

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'yamcha',
        'USER': 'yamcha',
        'PASSWORD': 'xxxxxxxxxxxxxxx',
        'HOST': 'database.yourproject.com',
        'PORT': '3309',
        'OPTIONS': {'ssl_mode': 'DISABLED'},
    }
}

Upvotes: 10

EAsh Khatri
EAsh Khatri

Reputation: 11

If you still want the upgraded security features then you can consider upgrading your mysql server to 5.7.

Upvotes: 1

Anmol K.
Anmol K.

Reputation: 129

If You are using MYSQL Workbench :

Just Disable the SSL by editing the connection.

  1. Go to edit Connection in connection panel

  2. Select SSL in options after parameter as given in screenshot On connection

enter image description here

  1. Select Use SSL : NO

enter image description here

  1. Finally it would look like this.

enter image description here

On clients other than Mysql workbench also you can try disabling SSL

Upvotes: 8

wlnirvana
wlnirvana

Reputation: 2047

Add this to your mysql 5.7 server config file and then restart your mysql service

[mysqld]
tls_version=TLSv1.2

Now you should be able to connect to it using tls 1.2, which is the default in Ubuntu 20.04


For the sake of completeness, in Ubuntu 20.04 actually my.cnf and mysql.cnf are actually the same file. So editing either one will work.

$ readlink -f /etc/mysql/my.cnf
/etc/mysql/mysql.cnf

Upvotes: 14

Related Questions