TLSv1.2 enabled by default in 21.8

Starting in Looker 21.8, we are now updating the default TLS option for connections using the MariaDB JDBC driver. The change will now enable the following three protocols: TLSv1, TLSv1.1, TLSv1.2. Previously, only TLSv1 and TLSv1.1 were enabled by default.

This affects the following dialects: 

  • MySQL

  • MariaDB

  • Google Cloud MySQL

  • Amazon Aurora MySQL

  • Clustrix

  • MemSQL

  • MongoDB Connector for BI.

Identifying if your database does not support TLSv1.2

To check if your database’s SSL library supports TLS 1.2, you can run the following against the database:

SHOW GLOBAL VARIABLES LIKE 'tls_version';
 

Disabling TLSv1.2

In order to disable TLSv1.2 for database connections from Looker, a parameter must be added to the JDBC string. This is done differently depending on whether the connection is an analytics database or Looker’s backend database.

Analytics database connection

In the “Additional Params” section of the connection’s edit page, you can add the following:

enabledSslProtocolSuites=TLSv1,TLSv1.1
 

Looker backend database connection

NOTE: This section only applies to Looker instances that are deployed on-prem, and use MySQL with SSL enabled for the backend database. 

In the credentials file for the connection to your backend database, you can add the following to disable TLSv1.2:

jdbc_additional_params: enabledSslProtocolSuites=TLSv1,TLSv1.1

Also check out the rest of the 21.8 release notes!

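An added example (not Looker's code and not part of the original post) that interprets the value returned by the `tls_version` query above: it intersects the server's protocols with the driver defaults stated in the post and reports the highest version both sides share. The function names and the sample server values are assumptions constructed for illustration.

```python
# Interpret the Value column returned by:
#   SHOW GLOBAL VARIABLES LIKE 'tls_version';
# Protocol lists for the driver defaults are taken from the post above.

ORDER = ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")  # weakest to strongest
OLD_DEFAULT = ("TLSv1", "TLSv1.1")                  # driver default before 21.8
NEW_DEFAULT = ("TLSv1", "TLSv1.1", "TLSv1.2")       # driver default from 21.8
DEPRECATED = {"TLSv1", "TLSv1.1"}                   # deprecated by RFC 8996


def parse_tls_version(value):
    """Split the comma-separated tls_version value into known protocol names."""
    names = [p.strip() for p in (value or "").split(",")]
    return [p for p in ORDER if p in names]


def assess(server_value, client_protocols=NEW_DEFAULT):
    """Report what a client offering client_protocols can negotiate."""
    server = parse_tls_version(server_value)
    if not server:
        # Empty result set or unrecognised value: the query gives no answer.
        return {"status": "unknown", "negotiated": None, "jdbc_param": None}
    common = [p for p in ORDER if p in server and p in client_protocols]
    if not common:
        return {"status": "no-common-protocol", "negotiated": None,
                "jdbc_param": None}
    best = common[-1]  # TLS negotiates the highest version both sides support
    status = "deprecated-only" if best in DEPRECATED else "ok"
    return {"status": status, "negotiated": best,
            "jdbc_param": "enabledSslProtocolSuites=" + ",".join(common)}


if __name__ == "__main__":
    # Constructed sample values, not output from a real server.
    for value in ("TLSv1,TLSv1.1", "TLSv1,TLSv1.1,TLSv1.2", "TLSv1.2,TLSv1.3", ""):
        print(repr(value), "old default:", assess(value, OLD_DEFAULT)["status"],
              "| new default:", assess(value))
```

A `deprecated-only` result means the connection can still be made with the `enabledSslProtocolSuites` value shown, but only over TLS 1.0/1.1, so the database's SSL library is the thing to upgrade.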

We’ve had some questions from folks about whether or not they will be affected by this - To clarify, this will only affect your database connection if it utilizes SSL. Connections that do not utilize SSL will not need to make any changes.

Hi.  Looks like this impacts MS SQL Analytics connections as well.

I did attempt to add the “enabledSslProtocolSuites=TLSv1,TLSv1.1” to Additional Params with no effect.

Is there a solution for MS SQL JDBC?

Hey @wweils, we don’t use the MariaDB driver for MSSQL, so this wouldn’t be the same issue. `Connection refused...` could be quite a few different things, but usually a network layer issue. Would need more detail to be of more help.

I am trying to use Google’s Cloud SQL database (MySQL) as a Looker internal DB. SSL is enabled on the Cloud SQL DB. As per the Looker documentation, just adding ssl: true in the db.yml file is sufficient. But that’s not working. I am trying to find options to mention DB SSL certificate paths in the “jdbc_additional_params” string.

Looking for additional options on this parameter (jdbc_additional_params)?

Regards

Nag

Hey @vnag28-16269854 

Looker uses the MariaDB JDBC. The additional JDBC params can generally be any that the MariaDB JDBC supports. From their docs, the `trustStore` param sounds like it could work to specify the cert path.