I cannot connect to MySQL 5.7.27 running on CentOS 7 server after upgrade of my workstation to Ubuntu 20.04 LTS. I am connecting using command mysql -h <server_ip> -u <user_name> -p
and after entering the password I get error 2026:
ERROR 2026 (HY000): SSL connection error: error:1425F102:SSL
routines:ssl_choose_client_version:unsupported protocol
I have also tried to get database data using mysqldump and it ends up with similar error. I thought that maybe after workstation upgrade mysql client doesn't support older protocols so, I have logged into server using ssh, accessed mysql from server's shell and looked to which protocols are supported
mysql> SHOW GLOBAL VARIABLES LIKE 'tls_version';
+---------------+---------------+
| Variable_name | Value |
+---------------+---------------+
| tls_version | TLSv1,TLSv1.1 |
+---------------+---------------+
1 row in set (0,00 sec)
With this information I have tried to connect from workstation again, this time with TLS version specified
mysql -h <server_ip> --tls-version=TLSv1.1 -u <user_name> -p
mysql -h <server_ip> --tls-version=TLSv1 -u <user_name> -p
And both commands ended up with
ERROR 2026 (HY000): SSL connection error: error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available
Only workaround I have found so for is to disable SSL using mysql -h <server_ip> --ssl-mode=DISABLED -u <user_name> -p
Am I missing something or is it some bug ? Thank you for your answers.
As a temporary solution you could disable ssl from the command line
or by creating a my.cnf file
Apologies for leaving what should be a comment as an answer (not enough rep), but:
I have no evidence of this other than
openssl s_client -tls1 -connect <some TLSv1-enabled host>:443
doesn't work, and neither cannginx
support TLS 1.0 and 1.1 as a server (even being configured correctly) :/.TLS versions before 1.2 are generally considered unsafe enough to be avoided, which is probably why this has been done.
I'm afraid this only provides half the answer; I hope someone will chime in with a solution to re-enable TLS 1.0 and/or 1.1.
I have found a solution assuming your MySQL is using OpenSSL and not yaSSL.
Refer to the ssl_cipher configuration variable of MySQL.
Configure a list of ciphers that includes the pseudocipher
@SECLEVEL=1
.For example,
If you need a more permissive but still secure cipherlist,
taken from cipherlist.eu might do the job.
What worked for me was as described here mysql 5.7 ciphers to enable TLS 1.2:
After restarting I was able to import again.
Open
/usr/lib/ssl/openssl.cnf
using your favourite editor:At the top of the file, add the following line:
At the bottom of the file, add the following lines:
If TLSv1.1 does not work for you, you might want to change it to TLSv1 and try.