17

I cannot connect to MySQL 5.7.27 running on a CentOS 7 server after upgrading my workstation to Ubuntu 20.04 LTS. I am connecting using the command mysql -h <server_ip> -u <user_name> -p and after entering the password I get error 2026:

ERROR 2026 (HY000): SSL connection error: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

I have also tried to get database data using mysqldump and it ends up with a similar error. I thought that maybe after the workstation upgrade the mysql client doesn't support older protocols, so I logged into the server using ssh, accessed mysql from the server's shell and looked at which protocols are supported:

mysql> SHOW GLOBAL VARIABLES LIKE 'tls_version';
+---------------+---------------+
| Variable_name | Value         |
+---------------+---------------+
| tls_version   | TLSv1,TLSv1.1 |
+---------------+---------------+
1 row in set (0,00 sec)

With this information I tried to connect from the workstation again, this time with the TLS version specified:

mysql -h <server_ip> --tls-version=TLSv1.1 -u <user_name> -p
mysql -h <server_ip> --tls-version=TLSv1 -u <user_name> -p

Both commands ended up with:

ERROR 2026 (HY000): SSL connection error: error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available

The only workaround I have found so far is to disable SSL using mysql -h <server_ip> --ssl-mode=DISABLED -u <user_name> -p

Am I missing something, or is this a bug? Thank you for your answers.

yavor

5 Answers

18

As a temporary solution you could disable SSL from the command line:

$ mysql -h <myserver> -u <myuser> -p --ssl-mode=DISABLED
password:

or by creating a my.cnf file:

$ cat /etc/my.cnf
[client]
ssl-mode=DISABLED

3

Apologies for leaving what should be a comment as an answer (not enough rep), but:

  • since Ubuntu 20.04, it seems like TLS 1.0 and 1.1 have been disabled system-wide.
  • I don't know how to re-enable it (that's how I stumbled across this question)

I have no evidence of this other than that openssl s_client -tls1 -connect <some TLSv1-enabled host>:443 doesn't work, and neither can nginx support TLS 1.0 and 1.1 as a server (even when configured correctly) :/.

TLS versions before 1.2 are generally considered unsafe enough to be avoided, which is probably why this has been done.

I'm afraid this only provides half the answer; I hope someone will chime in with a solution to re-enable TLS 1.0 and/or 1.1.

reivilibre

3

I have found a solution, assuming your MySQL is using OpenSSL and not yaSSL.

Refer to the ssl_cipher configuration variable of MySQL.

Configure a list of ciphers that includes the pseudocipher @SECLEVEL=1.

For example,

ssl_cipher = "DHE-RSA-AES128-GCM-SHA256:AES128-SHA:@SECLEVEL=1"

If you need a more permissive but still secure cipher list,

"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@SECLEVEL=1"

taken from cipherlist.eu might do the job.

reivilibre

2

What worked for me was what is described here (mysql 5.7 ciphers to enable TLS 1.2):

[mysqld]
tls_version=TLSv1.2

After restarting I was able to import again.
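To confirm what the server actually negotiates before and after a change like this (TLS 1.2 accepted, TLS 1.0/1.1 refused), here is an added Python probe that is not part of the original question or answers: it reads the MySQL greeting, checks that the server offers TLS, sends an SSLRequest and then attempts a handshake pinned to one TLS version. The host and port are assumptions, as is the use of SECLEVEL=1 on the probing side so that the probe itself can still offer TLS 1.0/1.1 from an Ubuntu 20.04 client.

```python
"""Added example: probe which TLS versions a MySQL server will negotiate."""
import socket
import ssl
import struct
import sys

CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SSL = 0x0800                   # capability flag: server offers TLS

def parse_greeting(payload: bytes) -> dict:
    """Parse a protocol-version-10 greeting (4-byte packet header already stripped)."""
    if payload[0] != 10:
        raise ValueError("unsupported handshake protocol version %d" % payload[0])
    end = payload.index(b"\x00", 1)             # NUL-terminated server version string
    pos = end + 1 + 4 + 8 + 1                   # skip connection id, auth-data-1, filler
    cap_low = struct.unpack_from("<H", payload, pos)[0]
    cap_high = struct.unpack_from("<H", payload, pos + 5)[0]   # after charset + status
    caps = cap_low | (cap_high << 16)
    return {"version": payload[1:end].decode(), "ssl": bool(caps & CLIENT_SSL)}

def probe(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> str:
    """Return the negotiated protocol name, or a short reason why the handshake failed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        header = sock.recv(4)
        length = int.from_bytes(header[:3], "little")
        payload = b""
        while len(payload) < length:
            payload += sock.recv(length - len(payload))
        info = parse_greeting(payload)
        if not info["ssl"]:
            return "server %s does not offer TLS" % info["version"]
        # SSLRequest: capabilities(4) max packet size(4) charset(1) reserved(23), seq id 1
        body = struct.pack("<IIB23x", CLIENT_PROTOCOL_41 | CLIENT_SSL, 1 << 24, 33)
        sock.sendall(len(body).to_bytes(3, "little") + b"\x01" + body)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # version probe only
        ctx.set_ciphers("DEFAULT:@SECLEVEL=1")  # assumption: lets the probe offer TLS 1.0/1.1
        ctx.minimum_version = ctx.maximum_version = version
        try:
            with ctx.wrap_socket(sock) as tls:
                return tls.version()
        except (ssl.SSLError, OSError) as exc:
            return "rejected (%s)" % getattr(exc, "reason", exc)

if __name__ == "__main__":                      # usage: probe.py <host> [port]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 3306
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        print(v.name, "->", probe(host, port, v))
```

Against a server configured with tls_version=TLSv1.2 you should see TLSv1 and TLSv1_1 reported as rejected and TLSv1_2 negotiated; a server still on the page's original TLSv1,TLSv1.1 setting shows the reverse.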

1

Open /usr/lib/ssl/openssl.cnf using your favourite editor:

vi /usr/lib/ssl/openssl.cnf

At the top of the file, add the following line:

openssl_conf = old_support_conf

At the bottom of the file, add the following lines:

[old_support_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.1
CipherString = DEFAULT@SECLEVEL=1

If TLSv1.1 does not work for you, you might want to change it to TLSv1 and try.