Reputation: 651
I've recently upgraded my local machine OS from Ubuntu 18.04 to 20.04. I'm running my MySQL server on CentOS (AWS). After the upgrade, whenever I try to connect to the MySQL server, it throws an SSL connection error.
$ mysql -u yamcha -h database.yourproject.com -p --port 3309
ERROR 2026 (HY000): SSL connection error: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
But if I pass the --ssl-mode=disabled option along with it, I'm able to connect remotely.
$ mysql -u yamcha -h database.yourproject.com -p --port 3309 --ssl-mode=disabled
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 22158946
Server version: 5.7.26 MySQL Community Server (GPL)
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
Queries:
- How to connect without passing --ssl-mode=disabled?
- How to pass this --ssl-mode=disabled option in my Django application? Currently I've defined it as shown below, but I'm still getting the same error.
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'yamcha',
        'USER': 'yamcha',
        'PASSWORD': 'xxxxxxxxxxxxxxx',
        'HOST': 'database.yourproject.com',
        'PORT': '3309',
        'OPTIONS': {'ssl': False},
    }
}
Upvotes: 55
Views: 112134
Reputation: 5139
For anyone googling, you can use this flag in the mysql cmd: --ssl-mode=DISABLED. I.e.:
mysql -uuser -p'myPassw0rd!' -hmysql.company.com --ssl-mode=DISABLED
Or in the mariadb client use the --skip-ssl flag.
For example:
$ mariadb --defaults-extra-file=secret.cnf --skip-ssl
Upvotes: 67
Reputation: 1245
Using mariadb from 11.4.2-MariaDB, client 15.2 for Linux, it looks like the argument --ssl-mode=disabled is not supported.
You can currently use --skip-ssl-verify-server-cert instead.
Upvotes: 0
Reputation: 1647
I encountered the same question as well. Combining the ideas from above and the documentation: https://dev.mysql.com/doc/refman/5.7/en/encrypted-connection-protocols-ciphers.html#encrypted-connection-supported-protocols
Here are my thoughts:
- $ openssl version. Check the system settings in /etc/ssl/openssl.cnf as well.
- SHOW GLOBAL VARIABLES LIKE 'tls_version';
- mysql-connector-python. The documentation says that since 8.0.28 it does not support TLS 1.1 and below. That's why I cannot connect to MySQL. https://dev.mysql.com/doc/connector-python/en/connector-python-connectargs.html
In the MySQL documentation, it is mentioned that the TLS version which the client can use should be the union set of the host OS TLS version and the MySQL TLS version.
For example, your host only supports TLS 1.1 / 1.2 and the MySQL setting is TLS 1.0. There is no compatible TLS version for the client.
Hope these tips could help.
Upvotes: 0
Reputation: 1545
Ubuntu 20 has improved the security level. The only way I could connect was allowing TLS 1.
Edit this file:
/usr/lib/ssl/openssl.cnf
And put at the beginning of file:
openssl_conf = default_conf
And in the end of that file too:
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = ssl_default_sect
[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
It helped me a lot: https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
Upvotes: 65
Reputation: 663
Bump mysqlclient to v2.X, which added the ssl_mode option: https://github.com/PyMySQL/mysqlclient-python/blob/main/HISTORY.rst
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'yamcha',
        'USER': 'yamcha',
        'PASSWORD': 'xxxxxxxxxxxxxxx',
        'HOST': 'database.yourproject.com',
        'PORT': '3309',
        'OPTIONS': {'ssl_mode': 'DISABLED'},
    }
}
Upvotes: 10
Reputation: 11
If you still want the upgraded security features then you can consider upgrading your mysql server to 5.7.
Upvotes: 1
Reputation: 129
If you are using MySQL Workbench:
Just disable SSL by editing the connection.
Go to Edit Connection in the connection panel.
Select SSL in the options after parameter, as given in the screenshot on connection.
On clients other than MySQL Workbench you can also try disabling SSL.
Upvotes: 8
Reputation: 2047
Add this to your mysql 5.7 server config file and then restart your mysql service
[mysqld]
tls_version=TLSv1.2
Now you should be able to connect to it using TLS 1.2, which is the default in Ubuntu 20.04.
For the sake of completeness, in Ubuntu 20.04 my.cnf and mysql.cnf are actually the same file. So editing either one will work.
$ readlink -f /etc/mysql/my.cnf
/etc/mysql/mysql.cnf
Upvotes: 14
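Added example (not part of any answer above, and not code from MySQL or OpenSSL): a Python check of the TLS version overlap the answers discuss, reading MinProtocol from an openssl.cnf and comparing it with the server's tls_version value. The function names are hypothetical, the sample configs and server values are constructed, the TLSv1.2 fallback is the Ubuntu 20.04 default stated in the answer above, and CipherString/@SECLEVEL is not modelled.

```python
import re

ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # oldest to newest

def parse_openssl_cnf(text):
    """Parse openssl.cnf text into {section: {key: value}}; '' is the top level."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def client_min_protocol(text, default="TLSv1.2"):
    """Follow openssl_conf -> ssl_conf -> system_default and return MinProtocol.
    `default` is the assumed distro minimum when the file has no override."""
    cfg = parse_openssl_cnf(text)
    name = cfg[""].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        name = cfg.get(name, {}).get(key)
    return cfg.get(name, {}).get("MinProtocol", default)

def common_versions(client_min, server_tls_version):
    """TLS versions the server offers that the client's minimum still allows."""
    offered = {v.strip() for v in server_tls_version.split(",")}
    return [v for v in ORDER[ORDER.index(client_min):] if v in offered]

# Constructed sample inputs (not taken from a real host).
STOCK_CNF = "HOME = .\n[ req ]\ndefault_bits = 2048\n"
LOWERED_CNF = """openssl_conf = default_conf
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = ssl_default_sect
[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
"""
OLD_SERVER = "TLSv1,TLSv1.1"  # constructed tls_version value
NEW_SERVER = "TLSv1.2"        # value after setting tls_version=TLSv1.2

if __name__ == "__main__":
    for cnf in (STOCK_CNF, LOWERED_CNF):
        floor = client_min_protocol(cnf)
        for server in (OLD_SERVER, NEW_SERVER):
            print(floor, "vs", server, "->", common_versions(floor, server) or "no overlap")
```

With the stock client config an overlap appears only once the server offers TLSv1.2, which keeps encryption on without lowering the client's minimum; the lowered config gets an overlap by accepting TLSv1 and TLSv1.1 again.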