TLSv1.2 enabled by default in 21.8

  • 2 June 2021
  • 5 replies

Userlevel 2

Starting in Looker 21.8, we are now updating the default TLS option for connections using the MariaDB JDBC driver. The change will now enable the following three protocols: TLSv1, TLSv1.1, TLSv1.2. Previously, only TLSv1 and TLSv1.1 were enabled by default.

This affects the following dialects: 

  • MySQL

  • MariaDB

  • Google Cloud MySQL

  • Amazon Aurora MySQL

  • Clustrix

  • MemSQL

  • MongoDB Connector for BI.


Identifying if your database does not support TLSv1.2


To check if your database’s SSL library supports TLS 1.2, you can run the following against the database:SHOW GLOBAL VARIABLES LIKE 'tls_version';

Disabling TLSv1.2


In order to disable TLSv1.2 for database connections from Looker, a parameter must be added to the jdbc string.  This is done differently depending on whether the connection is an analytics database or Looker’s backend database.


Analytics database connection


In the “Additional Params” section of the connection’s edit page, you can add the following:


Looker backend database connection


NOTE: This section only applies to Looker instances that are deployed on-prem, and use MySQL with SSL enabled for the backend database. 


In the credentials file for the connection to your backend database, you can add the following to disable TLSv1.2:

jdbc_additional_params: enabledSslProtocolSuites=TLSv1,TLSv1.1


Also check out the rest of the 21.8 release notes!

5 replies

Userlevel 1

We’ve had some questions from folks about whether or not they will be affected by this - To clarify, this will only affect your database connection if it utilizes SSL. Connections that do not utilize SSL will not need to make any changes.

Hi.  Looks like this impacts MS SQL Analytics connections as well.


I did attempt to add the “enabledSslProtocolSuites=TLSv1,TLSv1.1” to Additional Params with no effect.


Is there a solution for MS SQL JDBC?

Userlevel 3

hey @wweils, we don’t use the MariaDB driver for MSSQL, so this wouldn’t be the same issue. `Connection refused...` could be quite a few different things, but usually network layer issue. Would need more detail to be of more help.

I am trying to use google’s Cloud SQL database(MySQL) as a looker internal DB. SSL is enabled on Cloud SQL DB. As per looker documentation, just adding ssl: true on db.yml file is sufficient. But thats not working. I am trying to find options to mention DB SSL certificate paths on “jdbc_additional_params” string.


Looking for additional options on this parameter(jdbc_additional_params)?



Userlevel 2

Hey @vnag28-1626985459 

Looker uses the MariaDB JDBC. The additional JDBC params can generally be any that the MariaDB JDBC supports. From their docs, the `trustStore` param sounds like it could work to specify the cert path.