MySQL ERROR 2026 - SSL connection error - Ubuntu 20.04

Question

I've recently upgraded my local machine OS from Ubuntu 18.04 to 20.04, I'm running my MySQL-server on CentOS (AWS). Post upgrade whenever I'm trying to connect to MySQL server it is throwing SSL connection error.

$ mysql -u yamcha -h database.yourproject.com -p --port 3309

ERROR 2026 (HY000): SSL connection error: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

But if I pass --ssl-mode=disabled option along with it, I'm able to connect remotely.

$ mysql -u yamcha -h database.yourproject.com -p --port 3309 --ssl-mode=disabled

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 22158946
Server version: 5.7.26 MySQL Community Server (GPL)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Queries:

How to connect without passing --ssl-mode=disabled

How to pass this --ssl-mode=disabled option in my Django application, currently I've defined it as shown below, but I'm still getting the same error.

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'yamcha',
        'USER': 'yamcha',
        'PASSWORD': 'xxxxxxxxxxxxxxx',
        'HOST': 'database.yourproject.com',
        'PORT': '3309',
        'OPTIONS': {'ssl': False},
    }

The best solution would be to upgrade the version of mySQL being used in RDS. I have this issue with engine version `5.6.44` but not with `8.0.17` . TLS 1.0 is no longer considered secure so enforcing it to be used seems like a hacky solution to me. — mRyan, Jul 24 '20 at 08:34

score 64 · Answer 1 · edited Apr 03 '22 at 14:46

64

Ubuntu 20 has improved the security level. The only way i could connect was allowing the tls 1 .

Edit this file:

/usr/lib/ssl/openssl.cnf

And put at the beginning of file:

openssl_conf = default_conf

And in the end of that file too:

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = ssl_default_sect

[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1

It help me a lot: https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level

edited Apr 03 '22 at 14:46

danronmoon

3,814
5
34
56

answered May 21 '20 at 12:07

ClaudioC

1,505
13
10

2

I did followed the steps and still the same issue, I'm only able to connect when I pass --ssl-mode=disabled – johnny Jun 27 '20 at 17:42
Where you 2 days ago ;-) Thx! – Hal Burgiss Mar 09 '21 at 15:30
Thanks a lot, that helped me a lot – licer93 Mar 10 '21 at 16:56
Instead of downgrading your ssl and potentially security level, you may also simply upgrade mysqld to ssl 1.2. See [this answer](https://stackoverflow.com/a/64971233) below. – wlnirvana Apr 18 '21 at 01:42
this is a dangerous solution, TLS 1.0 has been deprecated due to significant security flaws. https://blog.cdnsun.com/tls-1-0-what-is-it-and-why-are-we-deprecating-it/ much better to upgrade your cryptography library to keep your database secure. – northben Feb 15 '23 at 17:43

score 57 · Answer 2 · answered Jan 27 '21 at 09:37

57

For anyone googling, you can use this flag in mysql cmd: --ssl-mode=DISABLED. I.E:

mysql -uuser -p'myPassw0rd!' -hmysql.company.com --ssl-mode=DISABLED

answered Jan 27 '21 at 09:37

Moshe

4,635
6
32
57

7

I think this is the best answer for me because I would not like to edit global settings to connect to a single SQL instance. This gives the perfect temp solution without affecting anything else. – JohnathanKong Apr 12 '21 at 14:53
3

I'm sure this isn't the ideal solution but is a quick way to get working as opposed to editing ssl confs – shrimpwagon May 12 '21 at 13:30
this advice completely disables ssl and conveniently puts the users password on the wire in plain text with no encryption. anyone who follows this advice should not be surprised when their mysql server is compromised. putting advice like this on stack overflow, without explaining the caveat of being completely insecure, is irresponsible at best. – grenade Aug 15 '23 at 07:00

wlnirvana · Answer 3 · 2021-04-14T09:27:47.690

12

Add this to your mysql 5.7 server config file and then restart your mysql service

[mysqld]
tls_version=TLSv1.2

Now you should be able to connect to it using tls 1.2, which is the default in Ubuntu 20.04

For the sake of completeness, in Ubuntu 20.04 actually my.cnf and mysql.cnf are actually the same file. So editing either one will work.

$ readlink -f /etc/mysql/my.cnf
/etc/mysql/mysql.cnf

edited Apr 14 '21 at 09:27

answered Nov 23 '20 at 15:22

wlnirvana

1,811
20
36

ImPerat0R_ · Answer 4 · 2022-02-18T06:01:55.577

9

Bump mysqlclient to v2.X, which added ssl_mode option, https://github.com/PyMySQL/mysqlclient-python/blob/main/HISTORY.rst

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'yamcha',
        'USER': 'yamcha',
        'PASSWORD': 'xxxxxxxxxxxxxxx',
        'HOST': 'database.yourproject.com',
        'PORT': '3309',
        'OPTIONS': {'ssl_mode': 'DISABLED'},
    }
}

edited Feb 18 '22 at 06:01

answered Nov 27 '20 at 03:25

ImPerat0R_

603
9
8

For me, just updating my version of `mysqlclient` did the trick. I did not change the DATABASES dict. – davjfish Feb 04 '22 at 17:45
Thank you. This finally did it for me. It was impossible to find the documentation in the Django docs for what the option was actually called. – Brodan Jul 12 '22 at 16:02

Anmol K. · Answer 5 · 2021-06-29T18:50:56.570

7

If You are using MYSQL Workbench :

Just Disable the SSL by editing the connection.

Go to edit Connection in connection panel
Select SSL in options after parameter as given in screenshot On connection

Select Use SSL : NO

Finally it would look like this.

On clients other than Mysql workbench also you can try disabling SSL

edited Jun 29 '21 at 18:50

answered Jun 29 '21 at 18:41

Anmol K.

89
1
5

3

Setting this option in workbench doesn't affect data exporting. It still fails with the same error. – quant2016 Aug 24 '21 at 10:18

score 1 · Answer 6 · edited Jan 21 '22 at 10:26

1

If you still want the upgraded security features then you can consider upgrading your mysql server to 5.7.

edited Jan 21 '22 at 10:26

ouflak

2,458
10
44
49

answered Jan 21 '22 at 07:51

EAsh Khatri

11
1

鄭元傑 · Answer 7 · 2022-06-23T09:24:20.483

I encoutered same question as well. Combine the idea from above and documents. https://dev.mysql.com/doc/refman/5.7/en/encrypted-connection-protocols-ciphers.html#encrypted-connection-supported-protocols

Here is my thought

Check os system openssl version and its support ssl/tls version by $ openssl version. Check the system settings /etc/ssl/openssl.cnf as well.
Check MySQL support TLS version by SHOW GLOBAL VARIABLES LIKE 'tls_version';
Check your python mysql client TLS version. For my experience I am using mysql-connector-python. Document said since 8.0.28 would not support TLS 1.1 and below. That's why I cannot connect to MySQL. https://dev.mysql.com/doc/connector-python/en/connector-python-connectargs.html

In MySQL document, it mentioned TLS version which client could use should be the union set of host os TLS version and MySQL TLS version.
For example, your host only support TLS 1.1 / 1.2 and MySQL setting si TLS 1.0. There is no compatible TLS version for client.

Hope these tips could help.

MySQL ERROR 2026 - SSL connection error - Ubuntu 20.04

7 Answers7

Linked