Err ssl version or cipher mismatch unsupported protocol
Author: v | 2025-04-25
ERR_SSL_VERSION_OR_CIPHER_MISMATCH means that the client and server don't support a common SSL protocol version or cipher suite. It is also described as a cipher mismatch, no shared cipher, or a cipher suite mismatch, and Chrome reports it as, for example, "192.168.1.1 uses an unsupported protocol". Luckily, there are ways to fix this error, and today we'll show you how. This might be the reason why you get the Err SSL version or cipher mismatch alert. So, clear the SSL Certificate cache by
Fix ERR SSL VERSION OR CIPHER MISMATCH
Question

After I added a custom domain to my app, when I visit that domain it shows me an SSL version or cipher mismatch error.

This site can’t provide a secure my-website.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
www.bbc.co.uk uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.

Not sure if that additional information helps any.

Option 2 – Try enabling SSL 3 / TLS and disable QUIC Protocol.

If you were using Google Chrome when you got the ERR SSL VERSION OR CIPHER MISMATCH error, then you need to follow the protocol fixes for SSL3/TLS and QUIC, which are usually some of the reasons that cause the SSL version / cipher mismatch. The Err SSL version or cipher mismatch affects Chrome, Edge, and other browsers. Locate Experimental QUIC protocol and set it to Disabled. Save the changes and

fortigate.local uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.

It's saying mismatch between your client device and the FGT.
It's NOT saying the FGT doesn't support the

Are configured. For example, negotiation order is the same regardless of whether tls_version has a value of TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 or TLSv1.3,TLSv1.2,TLSv1.1,TLSv1.

TLSv1.2 does not work with all ciphers that have a key size of 512 bits or less. To use this protocol with such a key, set the ssl_cipher system variable on the server side or use the --ssl-cipher client option to specify the cipher name explicitly:

AES128-SHA
AES128-SHA256
AES256-SHA
AES256-SHA256
CAMELLIA128-SHA
CAMELLIA256-SHA
DES-CBC3-SHA
DHE-RSA-AES256-SHA
RC4-MD5
RC4-SHA
SEED-SHA

For better security, use a certificate with an RSA key size of at least 2048 bits.

If the server and client do not have a permitted protocol in common, and a protocol-compatible cipher in common, the server terminates the connection request. Examples:

If the server is configured with tls_version=TLSv1.1,TLSv1.2: Connection attempts fail for clients invoked with --tls-version=TLSv1, and for older clients that support only TLSv1. Similarly, connection attempts fail for replicas configured with MASTER_TLS_VERSION = 'TLSv1', and for older replicas that support only TLSv1.

If the server is configured with tls_version=TLSv1 or is an older server that supports only TLSv1: Connection attempts fail for clients invoked with --tls-version=TLSv1.1,TLSv1.2. Similarly, connection attempts fail for replicas configured with MASTER_TLS_VERSION = 'TLSv1.1,TLSv1.2'.

MySQL permits specifying a list of protocols to support. This list is passed directly down to the underlying SSL library, and it is ultimately up to that library which protocols it actually enables from the supplied list.
Please refer to the MySQL source code and the OpenSSL SSL_CTX_new() documentation for information about how the SSL library handles this.

Monitoring Current Client Session TLS Protocol and Cipher

To determine which encryption TLS protocol and cipher the current client session uses, check the session values of the Ssl_version and Ssl_cipher status variables:

mysql> SELECT * FROM performance_schema.session_status
       WHERE VARIABLE_NAME IN ('Ssl_version','Ssl_cipher');
+---------------+---------------------------+
| VARIABLE_NAME | VARIABLE_VALUE            |
+---------------+---------------------------+
| Ssl_cipher    | DHE-RSA-AES128-GCM-SHA256 |
| Ssl_version   | TLSv1.2                   |
+---------------+---------------------------+

If the connection is not
2025-03-29

For connections that use TLSv1.3, MySQL uses the SSL library default ciphersuite list. For encrypted connections that use TLS protocols up through TLSv1.2, MySQL passes the following default cipher list to the SSL library.

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES256-CCM
ECDHE-ECDSA-AES128-CCM
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-CCM
DHE-RSA-AES128-CCM
DHE-RSA-CHACHA20-POLY1305

These cipher restrictions are in place:

As of MySQL 8.0.35, the following ciphers are deprecated and produce a warning when used with the server system variables --ssl-cipher and --admin-ssl-cipher:

ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384 DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256 DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA DHE-DSS-AES128-SHA
DHE-RSA-AES128-SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA
AES128-GCM-SHA256 DH-DSS-AES128-GCM-SHA256 ECDH-ECDSA-AES128-GCM-SHA256
AES256-GCM-SHA384 DH-DSS-AES256-GCM-SHA384 ECDH-ECDSA-AES256-GCM-SHA384
AES128-SHA256 DH-DSS-AES128-SHA256 ECDH-ECDSA-AES128-SHA256
AES256-SHA256 DH-DSS-AES256-SHA256 ECDH-ECDSA-AES256-SHA384
AES128-SHA DH-DSS-AES128-SHA ECDH-ECDSA-AES128-SHA
AES256-SHA DH-DSS-AES256-SHA ECDH-ECDSA-AES256-SHA
DH-RSA-AES128-GCM-SHA256 ECDH-RSA-AES128-GCM-SHA256 DH-RSA-AES256-GCM-SHA384
ECDH-RSA-AES256-GCM-SHA384 DH-RSA-AES128-SHA256 ECDH-RSA-AES128-SHA256
DH-RSA-AES256-SHA256 ECDH-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA
DHE-DSS-AES128-SHA DHE-RSA-AES128-SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA
DHE-RSA-AES256-SHA AES128-SHA DH-DSS-AES128-SHA
ECDH-ECDSA-AES128-SHA AES256-SHA DH-DSS-AES256-SHA
ECDH-ECDSA-AES256-SHA DH-RSA-AES128-SHA ECDH-RSA-AES128-SHA
DH-RSA-AES256-SHA ECDH-RSA-AES256-SHA DES-CBC3-SHA

The following ciphers are permanently restricted:

!DHE-DSS-DES-CBC3-SHA
!DHE-RSA-DES-CBC3-SHA
!ECDH-RSA-DES-CBC3-SHA
!ECDH-ECDSA-DES-CBC3-SHA
!ECDHE-RSA-DES-CBC3-SHA
!ECDHE-ECDSA-DES-CBC3-SHA

The following categories of ciphers are permanently restricted:

!aNULL
!eNULL
!EXPORT
!LOW
!MD5
!DES
!RC2
!RC4
!PSK
!SSLv3

If the server is started with the ssl_cert system variable set to a certificate that uses any of the preceding restricted ciphers or cipher categories, the server starts with support for encrypted connections disabled.

Connection TLS Protocol Negotiation

Connection attempts in MySQL negotiate use of the highest TLS protocol version available on both sides for which a protocol-compatible encryption cipher is available on both sides. The negotiation process depends on factors such as the SSL library used to compile the server and client, the TLS protocol and encryption cipher configuration, and which key size is used:

For a connection attempt to succeed, the server and client TLS protocol configuration must permit some protocol in common. Similarly, the server and client encryption cipher configuration must permit some cipher in common. A given cipher may work only with particular TLS protocols, so a protocol available to the negotiation process is not chosen unless there is also a compatible cipher.

If TLSv1.3 is available, it is used if possible. (This means that server and client configuration both must permit TLSv1.3, and both must also permit some TLSv1.3-compatible encryption cipher.) Otherwise, MySQL continues through the list of available protocols, using TLSv1.2 if possible, and so forth. Negotiation proceeds from more secure protocols to less secure. Negotiation order is independent of the order in which protocols
2025-04-20

Value "*" (default) picks the default SSL provider defined in the system.

Note: On Windows systems, the default SSL Provider is "Microsoft Unified Security Protocol Provider" and cannot be changed.

SSLSecurityFlags: Flags that control certificate verification.

The following flags are defined (specified in hexadecimal notation). They can be or-ed together to exclude multiple conditions:

0x00000001  Ignore time validity status of certificate.
0x00000002  Ignore time validity status of CTL.
0x00000004  Ignore non-nested certificate times.
0x00000010  Allow unknown Certificate Authority.
0x00000020  Ignore wrong certificate usage.
0x00000100  Ignore unknown certificate revocation status.
0x00000200  Ignore unknown CTL signer revocation status.
0x00000400  Ignore unknown Certificate Authority revocation status.
0x00000800  Ignore unknown Root revocation status.
0x00008000  Allow test Root certificate.
0x00004000  Trust test Root certificate.
0x80000000  Ignore non-matching CN (certificate CN not-matching server name).

This functionality is currently not available when the provider is OpenSSL.

SSLCACerts: A newline separated list of CA certificates to use during SSL client authentication.

This setting specifies one or more CA certificates to be included in the request when performing SSL client authentication. Some servers require the entire chain, including CA certificates, to be presented when performing SSL client authentication. The value of this setting is a newline (CrLf) separated list of certificates.
For instance:

-----BEGIN CERTIFICATE-----
MIIEKzCCAxOgAwIBAgIRANTET4LIkxdH6P+CFIiHvTowDQYJKoZIhvcNAQELBQAw
...
eWHV5OW1K53o/atv59sOiW5K3crjFhsBOd5Q+cJJnU+SWinPKtANXMht+EDvYY2wF0I1XhM+pKj7FjDr+XNj
-----END CERTIFICATE-----
\r \n
-----BEGIN CERTIFICATE-----
MIIEFjCCAv6gAwIBAgIQetu1SMxpnENAnnOz1P+PtTANBgkqhkiG9w0BAQUFADBp
..
d8q23djXZbVYiIfE9ebr4g3152BlVCHZ2GyPdjhIuLeH21VbT/dyEHHA
-----END CERTIFICATE-----

SSLEnabledCipherSuites: The cipher suite to be used in an SSL negotiation.

The enabled cipher suites to be used in SSL negotiation. By default, the enabled cipher suites will include all available ciphers ("*"). The special value "*" means that the control will pick all of the supported cipher suites. If SSLEnabledCipherSuites is set to any other value, only the specified cipher suites will be considered. Multiple cipher suites are separated by semicolons.

Example values are:

obj.config("SSLEnabledCipherSuites=*");
obj.config("SSLEnabledCipherSuites=CALG_AES_256");
obj.config("SSLEnabledCipherSuites=CALG_AES_256;CALG_3DES");

Possible values include:

CALG_3DES
CALG_3DES_112
CALG_AES
CALG_AES_128
CALG_AES_192
CALG_AES_256
CALG_AGREEDKEY_ANY
CALG_CYLINK_MEK
CALG_DES
CALG_DESX
CALG_DH_EPHEM
CALG_DH_SF
CALG_DSS_SIGN
CALG_ECDH
CALG_ECDH_EPHEM
CALG_ECDSA
CALG_ECMQV
CALG_HASH_REPLACE_OWF
CALG_HUGHES_MD5
CALG_HMAC
CALG_KEA_KEYX
CALG_MAC
CALG_MD2
CALG_MD4
CALG_MD5
CALG_NO_SIGN
CALG_OID_INFO_CNG_ONLY
CALG_OID_INFO_PARAMETERS
CALG_PCT1_MASTER
CALG_RC2
CALG_RC4
CALG_RC5
CALG_RSA_KEYX
CALG_RSA_SIGN
CALG_SCHANNEL_ENC_KEY
CALG_SCHANNEL_MAC_KEY
CALG_SCHANNEL_MASTER_HASH
CALG_SEAL
CALG_SHA
CALG_SHA1
CALG_SHA_256
CALG_SHA_384
CALG_SHA_512
CALG_SKIPJACK
CALG_SSL2_MASTER
CALG_SSL3_MASTER
CALG_SSL3_SHAMD5
CALG_TEK
CALG_TLS1_MASTER
CALG_TLS1PRF

SSLEnabledCipherSuites is used together
2025-04-23