TLSv1.2 enabled by default in 21.8

  • 2 June 2021
  • 3 replies
  • 258 views

Userlevel 2

Starting in Looker 21.8, we are now updating the default TLS option for connections using the MariaDB JDBC driver. The change will now enable the following three protocols: TLSv1, TLSv1.1, TLSv1.2. Previously, only TLSv1 and TLSv1.1 were enabled by default.

This affects the following dialects: 

  • MySQL

  • MariaDB

  • Google Cloud MySQL

  • Amazon Aurora MySQL

  • Clustrix

  • MemSQL

  • MongoDB Connector for BI.

 

Identifying if your database does not support TLSv1.2

 

To check if your database’s SSL library supports TLS 1.2, you can run the following against the database:SHOW GLOBAL VARIABLES LIKE 'tls_version';
 

Disabling TLSv1.2

 

In order to disable TLSv1.2 for database connections from Looker, a parameter must be added to the jdbc string.  This is done differently depending on whether the connection is an analytics database or Looker’s backend database.

 

Analytics database connection

 

In the “Additional Params” section of the connection’s edit page, you can add the following:

enabledSslProtocolSuites=TLSv1,TLSv1.1
 

Looker backend database connection

 

NOTE: This section only applies to Looker instances that are deployed on-prem, and use MySQL with SSL enabled for the backend database. 

 

In the credentials file for the connection to your backend database, you can add the following to disable TLSv1.2:

jdbc_additional_params: enabledSslProtocolSuites=TLSv1,TLSv1.1

 

Also check out the rest of the 21.8 release notes!


3 replies

We’ve had some questions from folks about whether or not they will be affected by this - To clarify, this will only affect your database connection if it utilizes SSL. Connections that do not utilize SSL will not need to make any changes.

Hi.  Looks like this impacts MS SQL Analytics connections as well.

 

I did attempt to add the “enabledSslProtocolSuites=TLSv1,TLSv1.1” to Additional Params with no effect.

 

Is there a solution for MS SQL JDBC?

Userlevel 3

hey @wweils, we don’t use the MariaDB driver for MSSQL, so this wouldn’t be the same issue. `Connection refused...` could be quite a few different things, but usually network layer issue. Would need more detail to be of more help.

Reply