When connecting to MySQL 5.7.27 from Ubuntu 20.04, the error occurs during the TLS handshake phase. The modern OpenSSL version in Ubuntu 20.04 (1.1.1) has deprecated older protocols that your MySQL server still supports.
ERROR 2026 (HY000): SSL connection error: error:1425F102:SSL
routines:ssl_choose_client_version:unsupported protocol
The server's TLS configuration shows it only accepts outdated protocols:
mysql> SHOW GLOBAL VARIABLES LIKE 'tls_version';
+---------------+---------------+
| Variable_name | Value |
+---------------+---------------+
| tls_version | TLSv1,TLSv1.1 |
+---------------+---------------+
Several approaches exist to resolve this protocol mismatch:
Option 1: Force specific TLS version (may fail)
mysql -h server_ip --tls-version=TLSv1.1 -u username -pOption 2: Disable SSL (not recommended for production)
mysql -h server_ip --ssl-mode=DISABLED -u username -pServer-Side Upgrade (Recommended): Update MySQL to version 8.0+ which supports TLSv1.2/1.3:
# On CentOS/RHEL:
sudo yum install mysql-community-server
sudo systemctl restart mysqldAlternative: Reconfigure MySQL 5.7 to accept modern protocols
# Add to my.cnf under [mysqld]
tls_version = TLSv1.2,TLSv1.3
ssl-cipher = DHE-RSA-AES256-GCM-SHA384Check current SSL configuration with these SQL commands:
SHOW VARIABLES LIKE '%ssl%';
SHOW STATUS LIKE 'Ssl_cipher';
SHOW VARIABLES LIKE 'have_ssl';For applications, use these connection parameters:
// JDBC example
String url = "jdbc:mysql://host:3306/db?enabledTLSProtocols=TLSv1.2";
# Python MySQL connector
conn = mysql.connector.connect(
ssl_disabled=False,
ssl_ca='/path/to/ca.pem',
tls_versions=['TLSv1.2'])After upgrading to Ubuntu 20.04, many developers encounter MySQL connection failures with error 2026 when trying to connect to older MySQL servers (particularly those running TLSv1 or TLSv1.1). The error message clearly indicates a protocol negotiation failure:
ERROR 2026 (HY000): SSL connection error: error:1425F102:SSL
routines:ssl_choose_client_version:unsupported protocol
Ubuntu 20.04 ships with OpenSSL 1.1.1 which disables older TLS protocols by default for security reasons. Meanwhile, many MySQL 5.7 servers (especially on CentOS/RHEL 7) still use TLSv1 or TLSv1.1 as shown in their configuration:
mysql> SHOW GLOBAL VARIABLES LIKE 'tls_version';
+---------------+---------------+
| Variable_name | Value |
+---------------+---------------+
| tls_version | TLSv1,TLSv1.1 |
+---------------+---------------+
Attempting to force older protocols via --tls-version parameter fails because the client's OpenSSL simply doesn't support them:
mysql -h server_ip --tls-version=TLSv1.1 -u user_name -p
ERROR 2026 (HY000): SSL connection error: error:141E70BF:SSL
routines:tls_construct_client_hello:no protocols available
Option 1: Server-Side Upgrade (Recommended)
Update the MySQL server's TLS configuration in my.cnf:
[mysqld]
tls_version = TLSv1.2,TLSv1.3
Then restart MySQL and verify:
SHOW GLOBAL VARIABLES LIKE 'tls_version';Option 2: Client-Side Configuration
For temporary workarounds, you can modify OpenSSL configuration on Ubuntu 20.04:
sudo nano /etc/ssl/openssl.cnf
# Add or modify:
[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=1
Then reconnect using:
mysql -h server_ip --ssl-mode=REQUIRED -u user_name -pOption 3: Connection Parameters
For application connections, specify SSL parameters in connection strings:
// JDBC example
String url = "jdbc:mysql://server_ip/db?useSSL=true&enabledTLSProtocols=TLSv1.2";
While disabling SSL (--ssl-mode=DISABLED) works, it's not recommended for production. Better approaches include:
- Upgrading MySQL server to 8.0+
- Using SSH tunneling for secure connections
- Implementing VPN for database access
To diagnose SSL issues, use these commands:
openssl s_client -connect server_ip:3306 -starttls mysql
mysql --ssl-mode=VERIFY_IDENTITY --ssl-ca=ca.pem -u user -p