Cant connect to MySQL after mysql8 upgrade, secure...

daniel286 · 02-04-2025 03:13 PM

After upgrading our instances to MySQL 8.4 from 5.7, we are no longer able to logon.

After creating a new user with native database authentication.

To work around this, i connect using the new "cloud sql studio" build into GCP console. From that point on I can connect fine. I cant see any changes to the account in `mysql.user` table.

cloud_sql_proxy -instances=xxxx:australia-southeast1:store-dev2-0-a18cc097=tcp:3307

$ mysql -h 127.0.0.1 --port 3307 -u dantest -p
Enter password: 
ERROR 2061 (HY000): Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection.

Then connect with Cloud SQL Studio and try again

$ mysql -h 127.0.0.1 --port 3307 -u dantest -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 43136
Server version: 8.4.3-google (Google)

Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> quit

ms4446

After upgrading from MySQL 5.7 to 8.4 in Google Cloud SQL, users may encounter authentication errors when connecting via the MySQL CLI through Cloud SQL Proxy. The error message:

ERROR 2061 (HY000): Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection.

indicates that MySQL’s default authentication plugin, caching_sha2_password, requires a secure (TLS/SSL) connection for authentication. While connections through Cloud SQL Studio work seamlessly, command-line connections fail due to the lack of an explicitly enabled secure connection.

There are two primary solutions to this issue. First, users can modify their MySQL client connection command to enforce TLS:

mysql --host=127.0.0.1 --port=3307 --user=dantest --ssl-mode=REQUIRED --password

By specifying --ssl-mode=REQUIRED, the client ensures a secure connection that satisfies the authentication plugin’s security requirements.

Alternatively, users can revert the authentication method for affected accounts to mysql_native_password, which does not require TLS:

ALTER USER 'dantest'@'%' IDENTIFIED WITH mysql_native_password BY 'yourpassword';
FLUSH PRIVILEGES;

This method, while effective, is less secure than the default plugin and should be used with caution.

The reason connections via Cloud SQL Studio work is that the tool enforces a secure connection by default, thereby meeting MySQL’s authentication requirements. This behavior may temporarily allow subsequent command-line connections due to caching mechanisms, but it does not resolve the underlying issue.

MySQL 8.4 introduces stricter authentication policies that require either TLS-secured connections or a compatible authentication plugin. Users must adapt their connection methods accordingly to ensure uninterrupted access to their databases.

daniel286

Thanks, do you know what the equivalent connection properties would be to set, to enable connection using Java JDBC client library in conjunction with googles socket factory driver?

ChieKo

Hi @daniel286,

In addition to @ms4446.

I suggest taking a look at the Google Cloud SQL JDBC documentation for the latest information on how to set up your Java JDBC client with Google's SocketFactory driver for secure connections. You can find the official guide to help you configure your JDBC connection using the Cloud SQL JDBC SocketFactory.

For guidance on how to build and use the JDBC drivers with the Cloud SQL Java Connector, check out the link here.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

Cant connect to MySQL after mysql8 upgrade, secure connected needed