janarthanan

Reputation: 51

SSL Authentication Error after upgrading to .NET 6 when connecting to MySQL database with TLS 1.1

I have a MySQL database with version 5.7.19 and TLS version 1.1. I'm using the following code snippet to establish a connection in my .NET Core 3.1 application:

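using System;
using MySqlConnector;

// Require TLS and present a client certificate; the server is verified against the given CA file.
string connStr = "server=Myserver;user id=myuser;password=my password;database=db;SslMode=Required;SslCa=D:\\server-ca.pem;SslCert=D:\\client-cert.pem;SslKey=D:\\client-key.pem;";

try
{
    // Opening the connection performs the TLS handshake; this is the call that fails on .NET 6.
    using (MySqlConnection connection = new MySqlConnection(connStr))
    {
        connection.Open();
        connection.Close();
    }
}
catch (Exception ex)
{
    // handle the exception
}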


This code works fine with .NET Core 3.1, but after upgrading to .NET 6, it throws the following exceptions:

MySqlConnector.MySqlException (0x80004005): SSL Authentication Error
 ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> System.ComponentModel.Win32Exception (0x8009030E): No credentials are available in the security package
   at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCH_CREDENTIALS* scc)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCH_CREDENTIALS* secureCredential)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchCredentials(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
   at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
   at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
   at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
   at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
   at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions)
   at MySqlConnector.Core.ServerSession.InitSslAsync(ProtocolCapabilities serverCapabilities, ConnectionSettings cs, MySqlConnection connection, SslProtocols sslProtocols, IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ServerSession.cs:line 1539
   at MySqlConnector.Core.ServerSession.InitSslAsync(ProtocolCapabilities serverCapabilities, ConnectionSettings cs, MySqlConnection connection, SslProtocols sslProtocols, IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ServerSession.cs:line 1569
   at MySqlConnector.Core.ServerSession.ConnectAsync(ConnectionSettings cs, MySqlConnection connection, Int32 startTickCount, ILoadBalancer loadBalancer, Activity activity, IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ServerSession.cs:line 539
   at MySqlConnector.Core.ConnectionPool.ConnectSessionAsync(MySqlConnection connection, String logMessage, Int32 startTickCount, Activity activity, IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ConnectionPool.cs:line 403
   at MySqlConnector.Core.ConnectionPool.ConnectSessionAsync(MySqlConnection connection, String logMessage, Int32 startTickCount, Activity activity, IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ConnectionPool.cs:line 408
   at MySqlConnector.Core.ConnectionPool.GetSessionAsync(MySqlConnection connection, Int32 startTickCount, Activity activity, IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ConnectionPool.cs:line 98
   at MySqlConnector.Core.ConnectionPool.GetSessionAsync(MySqlConnection connection, Int32 startTickCount, Activity activity, IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ConnectionPool.cs:line 128
   at MySqlConnector.MySqlConnection.CreateSessionAsync(ConnectionPool pool, Int32 startTickCount, Activity activity, Nullable`1 ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/MySqlConnection.cs:line 929
   at MySqlConnector.MySqlConnection.OpenAsync(Nullable`1 ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/MySqlConnection.cs:line 423
   at MySqlConnector.MySqlConnection.Open() in /_/src/MySqlConnector/MySqlConnection.cs:line 382
   at WebApplication1.Program.Main(String[] args) in D:\WebApplication1\WebApplication1\Program.cs:line 24

Does anyone know if there are any breaking changes in .NET 6 that could be causing this issue? If not, any suggestions on how to handle this error would be greatly appreciated.

Edit: The database version mentioned here is being used by one of the end users, and they are not willing to upgrade. Therefore, I am searching for concrete documentation to confirm that this version is not officially supported for my user.

Thank you in advance!

Upvotes: 5

Views: 2033

Answers (1)

Charlieface

Reputation: 71475

TLS v1.1 is now basically deprecated and insecure. And the version of MySQL that you have (5.7) only supports TLS v1.2 in certain cases. Please see the documentation, but basically you would need to either build MySQL yourself, or use MySQL Commercial. There are also some other config options you may need.

There are some other options:

  • Upgrade to MySQL v8+. I strongly recommend you do this, as you are on the edge of deprecation for 5.7.
  • Allow TLS 1.1 in your client machine. I strongly recommend you don't do this, but if you want, you can use the free IIS Crypto app, which works for any version of Windows, including client versions. For Linux, you would need to change the openssl.conf file.
  • Disable encryption for this MySQL connection by using Encrypt=False. I strongly recommend you do not do this over the public internet.

Upvotes: 3
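
A diagnostic for the situation discussed in this thread, as an added example that is not part of the question or the answer: it pins MySqlConnector's TlsVersion connection option to one protocol version at a time and prints the Ssl_version and Ssl_cipher session status values the server reports, or the innermost exception when the handshake fails. The server name, user and certificate paths are copied from the question's connection string; reading the password from a MYSQL_PWD environment variable is an assumption.

```csharp
using System;
using MySqlConnector;

static class TlsProbe
{
    // Protocol names accepted by MySqlConnector's TlsVersion connection option.
    static readonly string[] Versions = { "TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3" };

    static void Main()
    {
        foreach (var version in Versions)
        {
            try
            {
                var settings = new MySqlConnectionStringBuilder
                {
                    Server = "Myserver",               // placeholder from the question
                    UserID = "myuser",
                    Password = Environment.GetEnvironmentVariable("MYSQL_PWD"), // assumed variable name
                    Database = "db",
                    SslMode = MySqlSslMode.Required,
                    SslCa = @"D:\server-ca.pem",
                    SslCert = @"D:\client-cert.pem",
                    SslKey = @"D:\client-key.pem",
                    TlsVersion = version,              // offer only this protocol version
                    Pooling = false,                   // force a fresh handshake per attempt
                };

                using var connection = new MySqlConnection(settings.ConnectionString);
                connection.Open();

                // Ask the server what was actually negotiated for this session.
                using var command = new MySqlCommand(
                    "SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_version', 'Ssl_cipher')",
                    connection);
                using var reader = command.ExecuteReader();
                while (reader.Read())
                    Console.WriteLine($"{version}: {reader.GetString(0)} = {reader.GetString(1)}");
            }
            catch (Exception ex)
            {
                // The innermost exception carries the TLS stack's own reason for the failure.
                var inner = ex;
                while (inner.InnerException != null) inner = inner.InnerException;
                Console.WriteLine($"{version}: failed ({inner.GetType().Name}: {inner.Message})");
            }
        }
    }
}
```

Running it once under each runtime, on the same machine, shows which protocol versions complete a handshake with the server and which fail, without changing any OS-wide TLS settings.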
