MySQL. Accepted a connection with deprecated protocol ‘TLSv1.1’

Posted byVyacheslav Leave a comment on MySQL. Accepted a connection with deprecated protocol ‘TLSv1.1’

One day I noticed warnings in the MySQL logs:

[Warning] Accepted a connection with deprecated protocol ‘TLSv1.1’ for account test@ixnfo.com from host ixnfo.com. Client supplied username test

I looked at the current connections and their protocol version:

SELECT variable_value AS tls_version,processlist_user AS user,processlist_host AS host
FROM performance_schema.status_by_thread sbt
JOIN performance_schema.threads t
ON (t.thread_id = sbt.thread_id)
WHERE variable_name = 'Ssl_version'
ORDER BY tls_version;

I looked at what versions are allowed:

SHOW GLOBAL VARIABLES LIKE 'tls_version';
SHOW VARIABLES LIKE "%version%";

+---------------+-----------------------+
| Variable_name | Value                 |
+---------------+-----------------------+
| tls_version   | TLSv1,TLSv1.1,TLSv1.2 |
+---------------+-----------------------+

If necessary, you can explicitly specify with which minimum version connections can be made, for example:

nano /etc/mysql/mysql.conf.d/mysqld.cnf

[mysqld]
tls_version=TLSv1.2

service mysql restart

SHOW GLOBAL VARIABLES LIKE 'tls_version';

+---------------+-----------------------+
| Variable_name | Value                 |
+---------------+-----------------------+
| tls_version   | TLSv1.2 |
+---------------+-----------------------+

In my case, the connection was made by the “Connector/ODBC” client (different versions) to the MySQL server version 5.7 and it did not want to connect with the new protocol even if I explicitly specified tls-versions=TLSv1.2. It tried to connect with TLSv1.1 and the MySQL logs showed a “Bad Handshake” connection error. Other applications have successfully connected with TLSv1.2.

To solve this problem, I simply upgraded MySQL server to version 8 and after that the “Connector/ODBC” client successfully connected with TLSv1.2.

Note that in MySQL 8 the default is tls_version=TLSv1.2,TLSv1.3.

If I leave the official links to the “Connector/ODBC” and MySQL parameters:
https://dev.mysql.com/doc/connector-odbc/en/connector-odbc-configuration-connection-parameters.html
https://dev.mysql.com/doc/refman/5.7/en/encrypted-connection-protocols-ciphers.html
https://dev.mysql.com/doc/refman/8.0/en/encrypted-connection-protocols-ciphers.html

See also my other articles about MySQL

Leave a comment

Leave a Reply