MySQL rejects the session because require_secure_transport=ON and the client is not using SSL, Unix socket, or shared memory.
ER_SECURE_TRANSPORT_REQUIRED appears when require_secure_transport=ON and a MySQL client connects over plain TCP. Solve it by enabling SSL parameters in the client, connecting via a Unix socket on the same host, or toggling the variable off for trusted networks.
ER_SECURE_TRANSPORT_REQUIRED
MySQL raises ER_SECURE_TRANSPORT_REQUIRED (error 3159, SQLSTATE HY000) when the require_secure_transport system variable is ON and the client attempts to connect over an insecure network transport. The server immediately terminates the handshake, returning this security error.
The check was introduced in MySQL 5.7.8. Only connections that use SSL/TLS, the local Unix socket, or Windows shared memory qualify as secure transports.
The require_secure_transport variable enforces encrypted or local connections. Any client session that lacks --ssl-mode options, or uses hostname- or IP-based TCP without SSL, triggers the error during authentication.
User accounts that explicitly REQUIRE SSL can also surface this error if the client ignores SSL parameters, even when the global variable is OFF.
Enable SSL on the client by adding --ssl-mode=REQUIRED or equivalent connector flags. Provide the correct CA, client certificate, and key files if the server uses a custom certificate authority.
For local automation, connect through the Unix socket (Unix) or shared memory (Windows) by omitting the host parameter or using localhost with --protocol=SOCKET.
In development environments where encryption is unnecessary, run SET GLOBAL require_secure_transport = OFF after authenticating as a privileged user. Persist the change in my.cnf only on secured networks.
Dockerised apps often hit the error when connecting to the host MySQL instance via 127.0.0.1. Mount the client certificates inside the container and pass --ssl-mode=REQUIRED to mysql or your ORM.
Older JDBC or Python connectors might default to DISABLED SSL. Upgrade the connector or override defaults with useSSL=true or ssl_mode=REQUIRED respectively.
Always generate and deploy valid server and client certificates during installation. Script your CI/CD pipeline to include the CA bundle path in application configuration files.
Use Galaxy’s modern SQL editor, which automatically negotiates SSL when available and surfaces connection warnings, reducing the risk of this error reaching production.
ER_OPTION_PREVENTS_STATEMENT (1290) appears when the server option log_bin_trust_function_creators blocks unsafe functions. It differs by focusing on binary logging, not connection transport.
ER_PLUGIN_IS_NOT_LOADED (1122) signals that an authentication plugin is missing. While both errors occur early in the connection flow, ER_SECURE_TRANSPORT_REQUIRED is strictly transport related.
The DBA set require_secure_transport=ON in my.cnf or via SET GLOBAL, forcing every session to use SSL or a local socket.
Applications omit --ssl-mode, useSSL, or ssl_mode flags, so MySQL defaults to an unencrypted TCP handshake that the server rejects.
The account was created with REQUIRE SSL or X509, and the connecting program does not supply matching certificates.
Old MySQL client libraries default to DISABLED SSL, silently attempting insecure transport unless explicitly configured.
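To find out which of these causes applies on a given server, the following audit queries are an added example, not taken from the original page. They assume MySQL 5.7.8 or later with performance_schema enabled and an account allowed to read performance_schema.threads and mysql.user.

```sql
-- Added example: audit transports before (or after) enforcing
-- require_secure_transport. Run as a privileged user.

-- 1. Current enforcement state. 1 (ON) means plain-TCP sessions
--    are refused with ER_SECURE_TRANSPORT_REQUIRED (3159).
SELECT @@GLOBAL.require_secure_transport AS require_secure_transport;

-- 2. Transport of the session running this audit.
--    An empty Ssl_cipher value means this session is not using TLS
--    (it may still be secure if it came in over the Unix socket).
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- 3. Live client sessions grouped by transport.
--    connection_type is one of: 'TCP/IP' (unencrypted), 'SSL/TLS',
--    'Socket', 'Named Pipe', 'Shared Memory'.
--    Every row reported as 'TCP/IP' is a client that will be rejected
--    once the variable is ON.
SELECT processlist_user AS user,
       processlist_host AS host,
       connection_type,
       COUNT(*)         AS sessions
FROM performance_schema.threads
WHERE type = 'FOREGROUND'
  AND connection_type IS NOT NULL
GROUP BY processlist_user, processlist_host, connection_type
ORDER BY connection_type, sessions DESC;

-- 4. Accounts that carry their own TLS requirement
--    (REQUIRE SSL -> 'ANY', REQUIRE X509 -> 'X509',
--     REQUIRE ISSUER/SUBJECT/CIPHER -> 'SPECIFIED').
--    These fail without client TLS even when the global variable is OFF.
SELECT user, host, ssl_type
FROM mysql.user
WHERE ssl_type <> ''
ORDER BY user, host;

-- 5. Once step 3 shows no 'TCP/IP' rows for application accounts,
--    enforce the setting at runtime (uncomment to apply):
-- SET GLOBAL require_secure_transport = ON;
```

Step 3 only sees sessions that are connected at the moment it runs, so repeat it across a normal workload cycle to catch batch jobs and infrequent clients.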
Raised when the server cannot load the authentication plugin requested by the client.
Occurs when the connection handshake fails for reasons like bad TLS versions or mismatched credentials.
Client-side error indicating the SSL handshake itself failed, as opposed to being outright disallowed.
Yes. Turning the variable off allows plaintext credentials on the network. Only do this on isolated, trusted networks such as local development machines.
No. The server treats any TCP connection, even on localhost, as insecure transport. Use the Unix socket or enable SSL.
The client must trust the server certificate. Provide the correct CA file or set --ssl-mode=VERIFY_CA/VERIFY_IDENTITY to prevent hostname mismatch.
Galaxy detects server SSL capabilities during connection setup and automatically negotiates encrypted sessions, warning users if SSL cannot be established.