On Wed, Jul 20, 2022 at 04:14:44PM -0400, Ben Johnson wrote:

> postfix/proxymap[3378003]: warning: connect to mysql server 127.0.0.1: SSL connection error: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

These error messages are from the MySQL library; Postfix is just the
messenger.

> Ultimately, I cannot seem to determine why Postfix is trying to use TLS 
> when connecting to a local MariaDB instance that resides on the same 
> server, particularly when I have not configured Postfix to do so (at 
> least not knowingly).

MySQL has a default ("my.cnf") client configuration file.  The TLS
settings are likely there.

> Postfix's MYSQL_TABLE(5) documentation doesn't seem to contain anything 
> relevant to this issue, and in fact, I'm struggling to find any 
> documentation that describes how Postfix implements TLS when connecting 
> to MySQL/MariaDB.

Postfix doesn't implement MySQL over TLS; that's the job of the MySQL
client library.

> I'm happy to provide my postfinger output if it seems relevant, but it's 
> voluminous, so I figured I'd refrain unless it's requested.

It is not relevant.

> # postconf -d | grep tls_high_cipherlist
> tls_high_cipherlist = aNULL:-aNULL:HIGH:@STRENGTH

Not relevant.

> 1.) Can Postfix be instructed explicitly to use (or not to use) TLS when 
> connecting to MySQL/MariaDB over TCP? If so, how?

The only relevant MySQL table definition setting is "tls_verify_cert",
along with "tls_CAfile" and "tls_CApath".  The default for the first
is "no".

> 2.) If not, how does Postfix decide whether or not to use TLS when 
> connecting to MySQL/MariaDB?

Postfix does not make this decision.

> 3.) If there is no way to prevent Postfix from trying to use TLS when 
> connecting to MySQL/MariaDB over a TCP connection (assume for the sake 
> of argument that a socket is not an option, or the database host is 
> remote), is there a mechanism by which to specify which 
> ciphers/cipher-suites to use?

Adjust "my.cnf" accordingly, or use "option_file" and/or "option_group"
to give the table a non-default set of parameters.

https://www.postfix.org/mysql_table.5.html

-- 
    Viktor.
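
An added example, not part of the reply above and not Postfix or MySQL code: a small Python audit that lists the TLS-related options an option group in a "my.cnf"-style file would hand to the client library, which is where the reply says the TLS settings live. The sample file content and the `[postfix]` group name are constructed for illustration; `!include` directives are skipped, so included files need to be audited separately.

```python
import re

# Constructed sample of a client option file; not taken from the thread.
SAMPLE_MY_CNF = """\
# /etc/mysql/my.cnf (constructed)
[client]
port = 3306
ssl-ca = /etc/ssl/certs/ca.pem
ssl_cipher = HIGH

[mysqld]
tls_version = TLSv1.2

[postfix]
ssl-verify-server-cert
!includedir /etc/mysql/conf.d/
"""

# Option names that start with ssl/tls, optionally negated with skip_.
TLS_KEY = re.compile(r"^(skip_)?(ssl|tls)(_|$)")


def tls_options(text, groups):
    """Return {group: {option: value}} for TLS-related options in `groups`."""
    found, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("!"):
            continue  # !include / !includedir: audit those files separately
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip()
            continue
        if current not in groups:
            continue
        key, _, value = line.partition("=")
        # Option files accept dashes and underscores interchangeably.
        key = key.strip().lower().replace("-", "_")
        if TLS_KEY.match(key):
            # Flag-style options without "=value" are recorded as None.
            found.setdefault(current, {})[key] = value.strip() or None
    return found


if __name__ == "__main__":
    for group, opts in tls_options(SAMPLE_MY_CNF, {"client", "postfix"}).items():
        for key, value in opts.items():
            print(f"[{group}] {key} = {value}")
```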
