2

I'm seeing an odd error in the mysqld.service status notes...

The syntax '--ssl=off' is deprecated and will be removed in a future release. Please use --tls-version=invalid instead.

The thing is I've disabled SSL using skip_ssl in the /etc/my.cnf and I don't see any vars relating to SSL defined in /etc/my.cnf.d/*. I've also checked in /etc/systemd/system/mysqld.service.d/override.conf and the only thing I've set is LimitNOFILE.

The --ssl=off setting is a command line start up variable, so where could this error be coming from? Is there a new way to disable SSL other than skip_ssl?

I'm on Rocky Linux 8, and MySQL 8.0.26.


The pertaining documentation, including the deprecation note, can be found here: https://dev.mysql.com/doc/refman/8.0/en/server-options.html

oucil

1 Answer

2

I found in the docs finally that the skip_ssl is actually the same variable in cnf format that --ssl is in command line, so it was the error message ambiguity that led to my confusion.

The fix for this is to replace skip_ssl with tls_version='' as the former is now deprecated as of MySQL 8.0.26.

This has led to a number of new SSL-related errors in the status, so I'll post any notes I can after I solve them. Hopefully this helps alleviate any confusion and saves you some time.


With regard to the new errors when using tls_version=''...

[Warning] ... [Server] Failed to initialize TLS for channel: mysql_main. See below for the description of exact issue.
[Warning] ... [Server] Failed to set up SSL because of the following SSL library error: TLS version is invalid
[Warning] ... [Server] Plugin mysqlx reported: 'Failed at SSL configuration: "SSL context is not usable without certificate and private key"'

There is an open bug report at Oracle outlining this behaviour, which I've added my voice to.

oucil
  • According to your original error message, your solution `--tls-version=''` should be replaced by `--tls-version=invalid`. Perhaps that will avoid running into another deprecated parameter message in the future. – Ned64 Jan 14 '22 at 16:15
  • @Ned64 thanks for the suggestion, but that's the command line option, the documentation indicates `tls_version=''` be used in the `my.cnf` format. https://dev.mysql.com/doc/refman/8.0/en/server-options.html – oucil Jan 14 '22 at 16:20
  • OK, thanks, I didn't know. Perhaps link the documentation in your Answer. – Ned64 Jan 14 '22 at 16:22
  • It doesn't matter if you're using underscores or dashes, and it also doesn't make a difference if the value is empty or "invalid". It always results in the server not starting with a log message of "Option --tls-version or --admin-tls-version is set to an invalid value", so I would stay with `skip-ssl` for the time being. I guess it's a bug or some MySQL developer is a real idiot. They also consider "default_authentication_plugin" deprecated, yet it's still the only way to set a default, if the first method in "authentication_policy" is "*" while deprecated things should in fact be dispensable. – Bachsau Jan 23 '22 at 01:35
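
An added example, not part of the original question, answer or comments: a Python check that locates option-file lines equivalent to `--ssl=off`, which is why `skip_ssl` in `my.cnf` is reported under the command-line spelling. It goes slightly beyond the case in the thread by also matching the `disable-ssl` and `ssl=0`/`ssl=OFF` forms; the function name `find_ssl_off` and the sample config are constructed for illustration.

```python
import re

FALSE_VALUES = {"0", "off", "false"}      # boolean "off" spellings
OFF_PREFIXES = ("skip-", "disable-")      # prefixes that negate a boolean option

def find_ssl_off(text):
    """Return [(line_no, group, line)] for options equivalent to --ssl=off."""
    hits, group = [], None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;!":
            continue                      # blank, comment, or !include directive
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            group = header.group(1).lower()
            continue
        name, sep, value = line.partition("=")
        # Option files accept '_' and '-' interchangeably in option names.
        name = name.strip().lower().replace("_", "-")
        value = value.strip().strip("'\"").lower()
        negated = name.startswith(OFF_PREFIXES)
        if negated:
            name = name.split("-", 1)[1]  # drop the skip-/disable- prefix
        if name != "ssl":
            continue                      # ssl-ca, tls-version etc. are not --ssl
        # skip-ssl / disable-ssl with no value, or ssl=<false value>
        if (negated and not sep) or (not negated and sep and value in FALSE_VALUES):
            hits.append((line_no, group, line))
    return hits

# Constructed sample option file (not taken from the thread).
SAMPLE = """\
[client]
ssl_ca = /path/to/ca.pem
[mysqld]
# skip_ssl
skip_ssl
skip-name-resolve
tls_version=''
ssl = OFF
"""

if __name__ == "__main__":
    for line_no, group, line in find_ssl_off(SAMPLE):
        print(f"line {line_no} [{group}]: {line!r} is read as --ssl=off")
```

To check a real host, pass the contents of `/etc/my.cnf` and each file under `/etc/my.cnf.d/` to `find_ssl_off` in turn.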