Fixing "TLS/SSL error: SSL is required, but the server does not support it" in MariaDB/MySQL

Problem Statement

When using MariaDB Client versions 11.x (or newer MySQL equivalents), users connecting to older MariaDB 10.4 servers may encounter the following error:

ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it

This occurs because:

  1. New clients default to SSL: MariaDB 11+ clients automatically enable SSL/TLS encryption
  2. Old servers lack SSL support: MariaDB 10.4 servers don't have SSL enabled by default
  3. Version mismatch: The client demands encrypted connections the server cannot provide
  4. EOL status: MariaDB 10.4 has reached end-of-life (no longer supported as of June 2024)

Solution 1: Disable SSL in Client Connections (Immediate Fix)

Command Line Option

```bash
mariadb --host=server_ip --user=your_user --password --ssl=0
```

Or equivalently:

```bash
mariadb --host=server_ip --user=your_user --password --skip-ssl
```

Configuration File Option

Add to $HOME/.my.cnf:

```ini
[client]
skip-ssl = true
```

After adding this, all client connections will automatically skip SSL without extra flags.

Verification

Confirm that the connection works:

```bash
mariadb --host=server_ip --user=your_user --password
# then, at the client prompt:
# STATUS;
```

Check the output line: SSL: Not in use

Solution 2: Enable Server-Side TLS (Secure Fix)

While skipping SSL on the client works immediately, enabling encryption on the server is the more secure fix:

```ini
# /etc/mysql/mariadb.conf.d/50-server.cnf
[mysqld]
ssl_cert = /etc/mysql/ssl/server-cert.pem
ssl_key = /etc/mysql/ssl/server-key.pem
```

Steps to Generate Certificates

```bash
sudo mkdir -p /etc/mysql/ssl
# Write key and self-signed certificate to the paths named in the config above
sudo openssl req -newkey rsa:2048 -nodes -x509 -days 365 \
    -keyout /etc/mysql/ssl/server-key.pem -out /etc/mysql/ssl/server-cert.pem
sudo chown -R mysql:mysql /etc/mysql/ssl
sudo chmod 600 /etc/mysql/ssl/server-key.pem  # private key: owner-only
sudo systemctl restart mariadb
```

Solution 3: Upgrade Server Version (Long-Term Fix)

MariaDB 11.4+ servers auto-configure TLS, eliminating compatibility issues:

```bash
# Recommended upgrade path
sudo apt update
sudo apt install mariadb-server-11.4
```

End-of-Life Notice

MariaDB 10.4 reached EOL on June 24, 2024. Continued use poses security risks. Consult the migration documentation before upgrading.

Security Considerations

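| Approach       | Security       | Recommended For         |
|----------------|----------------|-------------------------|
| --ssl=0        | ❌ Unencrypted | Temporary/local testing |
| Server TLS     | ✅ Encrypted   | Production environments |
| Server Upgrade | ✅ Encrypted   | New deployments         |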

Connection Risks

Unencrypted connections transmit credentials and data in plain text. Avoid using --skip-ssl over untrusted networks. Performance impact of modern TLS is negligible (~3% overhead).

Technical Background

  • Client Change: MariaDB 11 clients enabled --ssl by default (MDEV-27105)
  • Protocol Detection: Clients use the CLIENT_SSL capability flag during the handshake
  • Server Capabilities: MariaDB 10.4 returns empty SSL_CIPHER unless configured
  • Encryption Fallback: Unencrypted connections use authentication packets without TLS wrapping
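
The capability check behind this error, as an added example (not code from the original page or from the MariaDB project): the server's first packet carries capability flags, and a client that requires TLS gives up when CLIENT_SSL (0x0800) is not among them. `build_greeting`, its version strings and flag values are constructed for the demo, and `fetch_greeting` is a hypothetical helper for reading the greeting from a server you administer.

```python
import struct
import socket

CLIENT_SSL = 0x0800  # capability bit the server sets when it can do TLS

def parse_greeting(packet: bytes) -> dict:
    """Parse a protocol-v10 initial handshake packet sent by the server."""
    length = int.from_bytes(packet[:3], "little")   # 3-byte length + 1-byte seq
    payload = packet[4:4 + length]
    if not payload or len(payload) != length:
        raise ValueError("truncated greeting")
    if payload[0] == 0xFF:
        raise ValueError("server sent an ERR packet instead of a greeting")
    if payload[0] != 10:
        raise ValueError(f"unexpected protocol version {payload[0]}")
    end = payload.index(b"\x00", 1)                 # version is NUL-terminated
    pos = end + 1 + 4 + 8 + 1                       # thread id, salt part 1, filler
    if len(payload) < pos + 2:
        raise ValueError("greeting ends before the capability flags")
    caps = struct.unpack_from("<H", payload, pos)[0]
    if len(payload) >= pos + 7:                     # charset(1), status(2), upper caps(2)
        caps |= struct.unpack_from("<H", payload, pos + 5)[0] << 16
    return {"version": payload[1:end].decode("ascii", "replace"),
            "capabilities": caps,
            "tls_offered": bool(caps & CLIENT_SSL)}

def fetch_greeting(host: str, port: int = 3306, timeout: float = 5.0) -> bytes:
    """Hypothetical helper: read the greeting from a live server (sends nothing)."""
    with socket.create_connection((host, port), timeout=timeout) as s, \
            s.makefile("rb") as f:
        header = f.read(4)
        return header + f.read(int.from_bytes(header[:3], "little"))

def build_greeting(version: str, caps: int) -> bytes:
    """Constructed sample greeting (not a capture) so the demo runs offline."""
    payload = (b"\x0a" + version.encode() + b"\x00" + struct.pack("<I", 1)
               + b"saltsalt" + b"\x00" + struct.pack("<H", caps & 0xFFFF)
               + b"\x2d" + struct.pack("<H", 2) + struct.pack("<H", caps >> 16))
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

if __name__ == "__main__":
    # Constructed inputs: one server without TLS configured, one with it.
    for version, caps in (("10.4.0-constructed", 0xF7FF),
                          ("11.4.0-constructed", 0x81FFFFFF)):
        info = parse_greeting(build_greeting(version, caps))
        verdict = "TLS offered" if info["tls_offered"] else "no TLS: ERROR 2026"
        print(f"{info['version']}: {verdict}")
```
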

Summary Recommendations

  1. Immediate fix: Use --ssl=0 or configure skip-ssl in client settings
  2. Production solution: Enable TLS on the server with certificates
  3. Permanent resolution: Upgrade the MariaDB server to version 11.4+
  4. Best practice: Replace EOL MariaDB 10.4 servers by August 2024

Verify Server TLS Status

```sql
SHOW VARIABLES LIKE '%ssl%';
SHOW VARIABLES LIKE 'have_ssl';
```

Expected output when configured:

| Variable_name | Value  |
|---------------|--------|
| have_ssl      | YES    |