SSL Connection Failed Due to Inconsistent TLS Versions

Scenario

A client failed to connect to an RDS for MySQL instance using SSL, but could connect to a self-built MySQL database using SSL.

Possible Causes

Troubleshooting:

1. View error logs of the instance. The following error information was displayed:

   2021-07-09T10:30:58.476586+08:00 212539 [Warning] SSL errno: 337678594, SSL errmsg: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol2021-07-09T10:30:58.476647+08:00 212539 [Note] Bad handshake2021-07-09T10:32:43.535738+08:00 212631 [Warning] SSL errno: 337678594, SSL errmsg: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol2021-07-09T10:32:43.535787+08:00 212631 [Note] Bad handshake2021-07-09T10:50:03.401100+08:00 213499 [Warning] SSL errno: 337678594, SSL errmsg: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol2021-07-09T10:50:03.401161+08:00 213499 [Note] Bad handshake2021-07-09T10:53:44.458404+08:00 213688 [Warning] SSL errno: 337678594, SSL errmsg: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol2021-07-09T10:53:44.458475+08:00 213688 [Note] Bad handshake

2. According to unsupported protocol in the error information, the problem may be related to the TLS version. Run the following command to check the TLS versions of the RDS for MySQL instance and self-built MySQL database:

   show variables like '%tls_version%';

   It was found that the RDS for MySQL instance used TLS v1.2 and the self-built MySQL database used TLS v1.1. The TLS version of the client was the same as that of the self-built MySQL database. Therefore, the self-built MySQL database is successfully connected, but the RDS for MySQL instance failed to be connected.

Solution

Upgrade the TLS version of the client to TLS v1.2.

If the official JDBC driver mysql-connector/J is used, see Connecting Securely Using SSL for the configuration method.