Comment 25 for bug 1872541

Paride Legovini (paride) wrote :

Hi,

The default is --ssl-mode=PREFERRED, so the SSL connection is not forced, but if the server offers it then the client will use it [1]:

PREFERRED: Establish an encrypted connection if the server supports encrypted connections, falling back to an unencrypted connection if an encrypted connection cannot be established.

IIUC things do not work nicely as the client/server SSL versions are not compatible. In this case it is not possible to simply make the client fall back to a non-encrypted connection if SSL is available but the connection fails, as this mechanism would allow for an easy downgrade attack. There has to be some level of enforcement.

I understand the situation is not optimal, but having new security standards requires deprecating the old ones at some point, and when servers and clients are too much out of sync, problems arise. I don't see a way out here which does not compromise on security.

[1] https://dev.mysql.com/doc/refman/5.7/en/connection-options.html#option_general_ssl-mode
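
The reasoning in the comment above, modelled as an added example (not part of the original comment and not MySQL client code). `PREFERRED_WITH_FALLBACK` is a hypothetical policy that does not exist in MySQL, and the behaviour of `PREFERRED` on a failed handshake follows the comment's description; only the failed-handshake case is modelled.

```python
from enum import Enum


class Mode(Enum):
    DISABLED = "DISABLED"
    PREFERRED = "PREFERRED"
    REQUIRED = "REQUIRED"
    # Hypothetical, not a MySQL option: like PREFERRED, but retries in
    # plaintext when TLS was offered and the handshake failed.
    PREFERRED_WITH_FALLBACK = "PREFERRED_WITH_FALLBACK"


class Outcome(Enum):
    ENCRYPTED = "encrypted"
    PLAINTEXT = "plaintext"
    ERROR = "connection error"


def connect(mode, server_offers_tls, handshake_ok):
    """Outcome of one connection attempt under the given client policy."""
    if mode is Mode.DISABLED:
        return Outcome.PLAINTEXT
    if not server_offers_tls:
        # Nothing to negotiate: REQUIRED refuses, PREFERRED goes plaintext.
        return Outcome.ERROR if mode is Mode.REQUIRED else Outcome.PLAINTEXT
    if handshake_ok:
        return Outcome.ENCRYPTED
    # TLS was offered but the handshake failed. The client cannot tell a
    # protocol-version mismatch from someone on the path breaking it.
    if mode is Mode.PREFERRED_WITH_FALLBACK:
        return Outcome.PLAINTEXT
    return Outcome.ERROR


def downgradable_by_breaking_handshake(mode):
    """True if a pairing that would be encrypted ends up in plaintext
    once the handshake is made to fail."""
    normal = connect(mode, server_offers_tls=True, handshake_ok=True)
    broken = connect(mode, server_offers_tls=True, handshake_ok=False)
    return normal is Outcome.ENCRYPTED and broken is Outcome.PLAINTEXT


def report():
    return {m.value: downgradable_by_breaking_handshake(m) for m in Mode}


if __name__ == "__main__":
    for name, bad in report().items():
        print(f"{name:24} downgradable by handshake failure: {bad}")
```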