Azure MySQL SSL Connection is Required Please Specify SSL Options

You get a connection failure when you try to connect to your MySQL server in Azure from your app/client, which does not have SSL enabled. The error message is as follows: SSL connection is required. Please specify SSL options and retry.

mysql -h westus-mysql1.mysql.database.azure.com -u sqladmin@westus-mysql1 -p
Enter password: 
ERROR 9002 (28000): SSL connection is required. Please specify SSL options and retry.

Disable requiring SSL for connecting to Azure MySQL database

By default, Azure Database for MySQL enforces SSL connections between your server and your client applications to protect against MITM (man in the middle) attacks. This is done to make the connection to your server as secure as possible.

Although not recommended, you have the option to disable requiring SSL for connecting to your server if your client application does not support SSL connectivity. You can disable requiring SSL connections from either the portal or using CLI.

Note Note that Azure does not recommend disabling requiring SSL connections when connecting to your server.

You can enable or disable the ssl-enforcement parameter by using Enabled or Disabled values respectively in Azure CLI.

az mysql server update --resource-group myresource --name mydemoserver --ssl-enforcement Enabled

Disable requiring SSL for connecting to Azure MySQL database using Azure portal.

Now, connect to the MySQL server without SSL:

mysql -h westus-mysql1.mysql.database.azure.com -u sqladmin@westus-mysql1 -p

Once you’ve connected, you can run status command to check the SSL configuration of the MySQL server.

mysql -h westus-mysql1.mysql.database.azure.com -u sqladmin@westus-mysql1 -p                                         
Enter password: 

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 64355
Server version: 5.6.47.0 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> status
--------------
/usr/bin/mysql  Ver 15.1 Distrib 10.3.34-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

Connection id:          64355
Current database:
Current user:           [email protected]
SSL:                    Not in use
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MySQL
Server version:         5.6.47.0 MySQL Community Server (GPL)
Protocol version:       10
Connection:             westus-mysql1.mysql.database.azure.com via TCP/IP
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    utf8mb4
Conn.  characterset:    utf8mb4
TCP port:               3306
Uptime:                 31 min 8 sec

Threads: 11  Questions: 861  Slow queries: 0  Opens: 55  Flush tables: 2  Open tables: 25  Queries per second avg: 0.460
--------------

Configure SSL to connect to Azure Database for MySQL

1. Download the certificate needed to communicate over SSL with your Azure Database for MySQL server from https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem and save the certificate file to your local drive.

In this post, we’re using Azure Cloud Shell to connect to Microsoft Azure. So, we’ll upload the certificate to azure storage account.

2. Connect to the MySQL database on Azure with –ssl-ca parameter. If you using Azure PowerShell module to connect to Azure, let’s enter the local path of the downloaded certificate file.

Connect using Azure PowerShell:

mysql -h westus-mysql1.mysql.database.azure.com `
-u sqladmin@westus-mysql1 -p `
--ssl-ca=C:\Scripts\BaltimoreCyberTrustRoot.crt.pem

Connect using Azure Cloud Shell:

mysql -h westus-mysql1.mysql.database.azure.com `
-u sqladmin@westus-mysql1 -p `
--ssl-ca=BaltimoreCyberTrustRoot.crt.pem

Once done, you can see you’ve connected to the database. Let’s run status command to get the SSL configuration.

mysql -h westus-mysql1.mysql.database.azure.com -u sqladmin@westus-mysql1 -p --ssl-ca=BaltimoreCyberTrustRoot.crt.pem                    
Enter password:            
                
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 64428 
Server version: 5.6.47.0 MySQL Community Server (GPL)
                   
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> status
--------------
/usr/bin/mysql  Ver 15.1 Distrib 10.3.34-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

Connection id:          64428
Current database:
Current user:           [email protected]
SSL:                    Cipher in use is ECDHE-RSA-AES256-GCM-SHA384
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MySQL
Server version:         5.6.47.0 MySQL Community Server (GPL)
Protocol version:       10
Connection:             westus-mysql1.mysql.database.azure.com via TCP/IP
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    utf8mb4
Conn.  characterset:    utf8mb4
TCP port:               3306
Uptime:                 29 min 4 sec

Threads: 15  Questions: 816  Slow queries: 0  Opens: 55  Flush tables: 2  Open tables: 25  Queries per second avg: 0.467
--------------