19

I get a connection failure when I try to connect to my MySQL server in Azure from my app/client, which does not have SSL enabled. The error message is as follows:

SSL connection is required. Please specify SSL options and retry.

Is SSL mandatory when connecting to a MySQL server in Azure? Is there a way I can circumvent this requirement?

Shantanu
  • To add to Joice Joseph's answer, option 2 is probably the best approach in terms of security. Here is an article which should help: https://medium.com/@jkudo/how-to-connection-from-wordpress-installed-on-azure-app-service-to-azure-database-for-mysql-via-2b2c37c4a7de – David Sakaria May 27 '19 at 21:56

5 Answers

18

By default, Azure Database for MySQL enforces SSL connections between your server and your client applications to protect against MITM (man in the middle) attacks. This is done to make the connection to your server as secure as possible.

Although not recommended, you have the option to disable requiring SSL for connecting to your server if your client application does not support SSL connectivity. Please check How to Configure SSL Connectivity for your MySQL server in Azure for more details. You can disable requiring SSL connections from either the portal or using CLI. Note that Azure does not recommend disabling requiring SSL connections when connecting to your server.

Shantanu
  • 3
    As of right now, disable SSL does not seem to work. It may change, but the CLI and Portal don't seem to have any effect on it. See screenshot: http://imagizer.imageshack.com/img923/9818/dAKYHX.png – CarComp Dec 15 '17 at 16:20
  • @CarComp this still seems to be the case, I just disabled it and when trying to connect I still get told I am required to use SSL – Tom Doodler Jul 26 '19 at 09:24
  • 1
    FYI: In the Flexible Server pricing model, SSL is forced (can't be disabled) – Simeon Nov 12 '20 at 13:05
14

Option 1: In Azure portal under "Azure Database for MySQL servers"

  1. Choose the MySql server
  2. Go to Server parameters -> Select require_secure_transport parameter and update value to OFF -> save

Option 2

  1. Download the certificate from https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem

  2. Connect to the MySQL server with this certificate

    mysql -h mydemoserver.mysql.database.azure.com -u Username@mydemoserver -p --ssl-ca=/opt/ssl/BaltimoreCyberTrustRoot.crt.pem

Philippe
Joice Joseph
  • 8
    seems a bit suspect to download a certificate from someone off the internet, but this is actually described in documentation here: https://learn.microsoft.com/en-us/azure/mysql/howto-configure-ssl :-D – James Burke Aug 05 '19 at 12:15
  • 2
    "Enforce SSL connection and select DISABLED" is in "Connection Settings", not "Pricing Tier". – Sophie Coyne Mar 26 '21 at 00:42
  • 1
    @JamesBurke because it's a public certificate. – Jignesh Rawal Sep 20 '21 at 20:32
  • 2
    For me, just adding `--ssl` works. I assume the command then takes the cert from the default location. – sschoof Mar 18 '22 at 11:08
0

From Docker Container to Azure MYSQL connection over SSL:

My case was slightly different but I am writing it here because the azure document https://learn.microsoft.com/en-us/azure/mysql/howto-configure-ssl doesn't tell in detail actually how the application talks to MYSQL from a docker container.

In my case I was connecting to Azure MYSQL with a docker container. I enabled the SSL setting on my MYSQL server and verified the connection using sql workbench and I was able to connect it from my local using BaltimoreCyberTrustRoot.crt.pem over SSL. But my application was throwing error message -

SSL connection is required. Please specify SSL options and retry.

I was passing the DATABASE_SSL_CERT: /etc/ssl/certs/BaltimoreCyberTrustRoot.crt.pem in my docker compose yml file.

I got to know that there are \n in the pem file that sometimes are interpreted as something else in the docker environment var. \n can be seen in each line if you open in notepad++


What I did to fix that is I converted the pem file to base64 and updated the same in yml file. Something like -

DATABASE_SSL_CA: LS0tLS1CRUdJTiBDRVJUSUZ...=

In some cases it also needs `DATABASE_SSL_ENABLE: "true"` to force SSL connection to MYSQL.

My new yml looks like-

    version: "2.2"
    services:
      redis:
        image: redis:3.2.6

      ckeditor-cs:
        image: docker.cke-cs.com/cs:3.9.1
        depends_on:
          - redis
        ports:
          - "8000:8000"
        restart: always
        init: true
        environment:
          DATABASE_DRIVER: mysql
          DATABASE_HOST: efg.mysql.database.azure.com
          DATABASE_USER: user@db
          DATABASE_PASSWORD: PASS
          DATABASE_PORT: 3306
          DATABASE_SSL_CA: LS0tLS1CRUdJTiB............S0=
          DATABASE_SSL_ENABLE: "true"
          REDIS_HOST: redis
          ENVIRONMENTS_MANAGEMENT_SECRET_KEY: ABC
          LICENSE_KEY: XYZ
        volumes:
          - ~/ckeditor-cloudservice/easyimage_files:/var/cs/easyimage

Now everything is working as expected.

Aatif Akhter
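
Added example (not part of the answer above, and not the application's own code): a sketch of how a client could decode a CA passed through an environment variable such as `DATABASE_SSL_CA`, accepting raw PEM, PEM whose newlines were flattened to a literal `\n`, or base64 of the whole file, and failing closed otherwise. The function names and the sample bytes are assumptions made for illustration; the sample is constructed placeholder data, not a real certificate.

```python
import base64
import binascii
import os
import ssl

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def load_ca_pem(value: str) -> str:
    """Normalize a CA passed as PEM, PEM with literal '\\n', or base64 of the PEM file."""
    text = value.strip()
    if BEGIN not in text:
        # No PEM header: treat it as base64 of the whole file (the compose-file form).
        try:
            raw = base64.b64decode("".join(text.split()), validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("CA is neither PEM nor base64-encoded PEM") from exc
    # Undo newline escaping introduced by env files or YAML quoting.
    text = text.replace("\\n", "\n").strip()
    if not (text.startswith(BEGIN) and text.endswith(END)):
        raise ValueError("CA does not hold one complete PEM certificate")
    body = "".join(text[len(BEGIN):-len(END)].split())
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("PEM body is not valid base64") from exc
    if not der or der[0] != 0x30:  # every certificate is a DER SEQUENCE
        raise ValueError("decoded PEM body is not DER")
    return ssl.DER_cert_to_PEM_cert(der)

def tls_context_from_env(name: str = "DATABASE_SSL_CA") -> ssl.SSLContext:
    """Fail closed: a missing or malformed CA raises instead of connecting unverified."""
    pem = load_ca_pem(os.environ[name])
    # Passing cadata trusts only this CA; verification and hostname checks stay on.
    return ssl.create_default_context(cadata=pem)

# Constructed placeholder bytes, NOT a real certificate: enough to exercise the decoding.
SAMPLE_DER = b"\x30\x03\x02\x01\x01" * 30
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
ESCAPED = SAMPLE_PEM.replace("\n", "\\n")                   # newlines flattened to "\n"
WRAPPED = base64.b64encode(SAMPLE_PEM.encode()).decode()   # base64 of the whole file

if __name__ == "__main__":
    for label, value in (("raw", SAMPLE_PEM), ("escaped", ESCAPED), ("base64", WRAPPED)):
        print(label, load_ca_pem(value) == SAMPLE_PEM)
```

A file path placed in the variable by mistake is rejected by `load_ca_pem` rather than being treated as certificate data, which makes a misconfigured variable visible at startup.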
0

The reason is that the SSL setting is ENABLED in the settings of Azure Database for MySQL servers.

You can choose to disable it as below:

  1. Go to Azure portal under "Azure Database for MySQL servers"
  2. Choose the MySql server
  3. Go to the Connection security menu
  4. Go to the SSL Settings section
  5. Enforce SSL connection and select DISABLED option
  6. Click the Save button at the top of the page
bluetata
0

Though it is not recommended, here is the complete detail: How to disable SSL.

But in short: choose "server parameters", search for require_secure_transport, and set the value to off.

You can also configure SSL in simple steps as mentioned here.

ajay_full_stack