Once the server has been restricted so that it no longer accepts TLS 1.1 (or older versions), there is a quick way to verify that. The MySQL client has an option "--tls-version=" which allows us to specify the TLS version to use. The permitted values are TLSv1, TLSv1.1, and TLSv1.2.
Here is an example:
mysql -h mysql_host_name -u user_name --tls-version=TLSv1.1 -p
mysql -h mysql_host_name -u user_name --tls-version=TLSv1.2 -p
With the restriction in place, the SSL handshake is rejected when TLSv1.1 is used. If the error looks like the one below, then we know that the TLS 1.1 protocol (and older versions) is rejected by the MySQL server.
jump-user@linux-jump-box-1804:~# mysql -h xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.mysql.service.internal -u xxxxxxxx --tls-version=TLSv1.1 -p
Enter password:
ERROR 2026 (HY000): SSL connection error: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
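As an added example (not part of the original article), the shell functions below repeat the check above for every permitted --tls-version value and turn the client output into a pass/fail verdict. The function names, the script name and the sample ERROR 1045 line are constructed for illustration; treating an access-denied error as proof that the TLS version was accepted is an assumption that relies on the client having negotiated TLS before authenticating.

```shell
#!/usr/bin/env bash
# Constructed sample client output (the second line is not from the article).
SAMPLE_REJECTED='ERROR 2026 (HY000): SSL connection error: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol'
SAMPLE_AUTH_DENIED="ERROR 1045 (28000): Access denied for user 'audit'@'10.0.0.5' (using password: NO)"

# classify_tls_result <exit_code> <client_output>  ->  rejected | accepted | inconclusive
classify_tls_result() {
    local rc="$1" out="$2"
    case "$out" in
        *"ERROR 2026"*) echo rejected; return ;;  # SSL connection error: handshake failed
        *"ERROR 1045"*) echo accepted; return ;;  # assumption: reaching auth means TLS was negotiated
    esac
    # Any other failure (DNS, timeout, client-side refusal) proves nothing about the server.
    if [ "$rc" -eq 0 ]; then echo accepted; else echo inconclusive; fi
}

# probe_tls_versions <host> <user>: one attempt per permitted value, one "version verdict" line each.
# -p is omitted on purpose so nothing prompts; the handshake happens before authentication.
probe_tls_versions() {
    local host="$1" user="$2" v out rc
    for v in TLSv1 TLSv1.1 TLSv1.2; do
        rc=0
        out=$(mysql -h "$host" -u "$user" --tls-version="$v" -e 'SELECT 1' 2>&1 </dev/null) || rc=$?
        printf '%-8s %s\n' "$v" "$(classify_tls_result "$rc" "$out")"
    done
}

# audit_passed <report>: succeeds only if TLSv1 and TLSv1.1 are rejected and TLSv1.2 is accepted.
audit_passed() {
    local v verdict ok=0
    while read -r v verdict; do
        case "$v:$verdict" in
            TLSv1:rejected|TLSv1.1:rejected|TLSv1.2:accepted) ok=$((ok + 1)) ;;
            *) return 1 ;;
        esac
    done <<EOF
$1
EOF
    [ "$ok" -eq 3 ]
}

# Usage (hypothetical script name): ./check_tls.sh mysql_host_name user_name
if [ "$#" -eq 2 ]; then
    report=$(probe_tls_versions "$1" "$2")
    printf '%s\n' "$report"
    audit_passed "$report"
fi
```

An "inconclusive" verdict fails the audit on purpose: a timeout or a client that cannot speak the old protocol itself says nothing about what the server would accept.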