MySQL The client and server cannot communicate, because they do not possess a common algorithm

Question

I'm running the following code on a AWS server, trying to connect to a mysql service provided by AWS:

String conn = buildConnString(dc);
MySqlConnection connection = new MySqlConnection(conn);
connection.Open();

I'm getting the following exception message and stack trace:

Exception: The client and server cannot communicate, because they do not possess a common algorithm 
StackTrace: at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
   at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
   at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
   at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
   at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
   at MySql.Data.MySqlClient.NativeDriver.StartSSL()
   at MySql.Data.MySqlClient.NativeDriver.Open()
   at MySql.Data.MySqlClient.Driver.Open()
   at MySql.Data.MySqlClient.Driver.Create(MySqlConnectionStringBuilder settings)
   at MySql.Data.MySqlClient.MySqlPool..ctor(MySqlConnectionStringBuilder settings)
   at MySql.Data.MySqlClient.MySqlPoolManager.GetPool(MySqlConnectionStringBuilder settings)
   at MySql.Data.MySqlClient.MySqlConnection.Open()

I'm running .Net 4.6.2 and TLS 1.2 is enabled on the server: OS Windows Server 2008 R2 Datacenter, what can I try to overcome this issue?

EDIT:

I finally solved the issue by adding SslMode=None in the connection string

Answer 1

I think that the encryption used by the client and the server might be different. Check the encryption used by default by mysql on aws and try to use the same in your software. Then we will see if I'm right...

Answer 2

.NET 4.5.1 is no longer supported. End of support was January 12, 2016. This was announced two years ago. TLS 1.2 was added in .NET 4.5.2, which means you can't expect support to be added to unsupported versions.

In order to use TLS 1.2 you'll have to upgrade your projects to the minimum supported .NET version, although it would be better to target the latest one (4.6.2) to avoid running in other similar situations.

A lot of providers dropped support for anything less than TLS 1.2 last year, not just Amazon. There was quite a scramble this time last year as companies that delayed upgrades for fear of incompatibilities had to upgrade in panic mode.

Answer 3

From AWS documentation:

Two common causes of connection failures to a new DB instance are:

1. The DB instance was created using a security group that does not authorize connections from the device or Amazon EC2 instance where the MySQL application or utility is running. If the DB instance was created in a VPC, it must have a VPC security group that authorizes the connections. If the DB instance was created outside of a VPC, it must have a DB security group that authorizes the connections.

2. The DB instance was created using the default port of 3306, and your company has firewall rules blocking connections to that port from devices in your company network. To fix this failure, recreate the instance with a different port.

You can use SSL encryption on connections to an Amazon RDS MySQL DB instance. For information, see Using SSL with a MySQL DB Instance.

While I would confirm that option 1 and 2 are not the case before proceeding, once you've discounted the obvious, check you permissions by accessing the MySQL server directly, and typing:

SHOW GRANTS FOR 'myuser'@'localhost'

If something relating to SSL shows up, then one of two things are happening:

1. You are not properly including an SSL certificate in your code

2. You are not including the correct part of the SSL certificate in your code.

Follow this tutorial and ensure you are running the right SSL certificate. You should be able to rebuild your certificate and run successfully.

From the link above, if you have SSL encryption, your end code should look something like this:

using (MySqlConnection connection = new MySqlConnection(
  "database=test;user=sslclient;" +
  "CertificateFile=H:\\bzr\\mysql-trunk\\mysql-test\\std_data\\client.pfx" +
  "CertificatePassword=pass;" +
  "SSL Mode=Required "))
{
    connection.Open();
}

Where the \path\to\client.pfx is the path to your .pfx file.

If nothing shows up or you receive the error explained in the comments Error Code: 1141 There is no such grant defined for user '***' on host '***.***.***', you can check your user permissions another way.

On the MySQL shell:

select * from mysql.user where User='<myuser>';

If you see a wildcard in the host, it means that a user can log in from anywhere. While horribly insecure, this may be what you're looking for. You can then go back and use SHOW GRANTS mirroring the host name exactly as it shows up in your return query.

Please note that you may see something like this:

Host
-----
%.myhostname.tld

If your domain is subdomain.myhostname.tld then this wildcard matches, and you would use:

SHOW GRANTS FOR 'myuser'@'%.myhostname.tld';

If you don't have a user with any matching permissions

You will be unable to connect to your MySQL instance at all. You will need to create a user that matches your host.

CREATE USER 'myuser'@'myhost' IDENTIFIED BY '<password>';

GRANT ALL ON <database>.* TO 'myuser'@'myhost';

If you want SSL:

GRANT ALL ON <database>.* TO 'myuser'@'myhost' REQUIRE SSL;

Answer 4

I had this exact same issue. I fixed it by adding "SslMode = none" to the connection string. Most likely many things can cause this but this is what I did to resolve the issue.