EE_SSL_ERROR (error 60) signals a MySQL SSL/TLS handshake failure between client and server.
MySQL Error 60: EE_SSL_ERROR occurs when the SSL or TLS handshake between client and server fails. Verify certificates, enable TLS variables, and reload or restart MySQL with valid keys to resolve the issue.
SSL error: %s. EE_SSL_ERROR was added in 8.0.13.
MySQL throws EE_SSL_ERROR when the server or client cannot complete an SSL or TLS handshake. The error message is "SSL error: %s. EE_SSL_ERROR was added in 8.0.13." It appears in logs or client output during connection setup.
The issue indicates that MySQL’s underlying OpenSSL or yaSSL layer detected a certificate, key, or protocol problem serious enough to abort the secure channel.
Connections fall back to plaintext only if configured, otherwise they fail.
Handshake failures originate from mismatched TLS versions, expired or self-signed certificates, missing CA files, unsupported ciphers, or wrong private-key permissions. Network appliances that intercept TLS can also corrupt the handshake.
In MySQL 8.0.13 and later, the error is global and may surface even before authentication.
Client-side parameters such as --ssl-mode=REQUIRED or VERIFY_IDENTITY intensify checks and often surface this error when validation fails.
First confirm that SSL is enabled: SHOW VARIABLES LIKE 'have_ssl'; should return YES. Next ensure the server has valid ssl_ca, ssl_cert, and ssl_key files with correct permissions. Reload certificates with ALTER INSTANCE RELOAD TLS or restart mysqld.
On the client, point to the same CA file and match protocol versions with --tls-version.
If you use VERIFY_IDENTITY, be sure the certificate Common Name matches the host you connect to. After synchronizing certificates, reconnect to verify the error disappears.
Upgrading MySQL without updating outdated certificates triggers EE_SSL_ERROR. Replace certs and reload TLS. Using a load balancer that downgrades TLS also causes failures. Enable pass-through TLS or install matching certificates on the proxy.
Docker or Kubernetes deployments often mount secrets with root-only permissions.
Give mysqld read access to /etc/ssl or secret volumes to resolve the error quickly.
Automate certificate rotation and monitor expiry dates. Enforce consistent TLS versions across clients. Store keys with 600 permissions and certificates with 644 permissions.
Use ALTER INSTANCE RELOAD TLS for zero-downtime updates.
Galaxy’s SQL editor flags connection errors in-line and lets teams share fixed connection strings, reducing the chance of EE_SSL_ERROR resurfaces in production.
Error 2026 "SSL connection error" appears on the client when EE_SSL_ERROR is raised on the server side. Fixing certificates resolves both.
Error 1045 (access denied) can follow if the handshake completes but authentication fails.
Error 2055 "Lost connection to MySQL server at handshake" sometimes masks EE_SSL_ERROR when verbose logging is off. Enable --log-error-verbosity=3 to reveal the underlying problem.
.
When the server certificate is invalid or outdated, TLS validation fails and triggers EE_SSL_ERROR.
Client forcing TLS 1.3 against a server compiled without it will break the handshake.
mysqld needs read access to ssl_ca, ssl_cert, and ssl_key. Wrong Unix permissions cause silent handshake failures.
Middleboxes that terminate or tamper with TLS packets corrupt the handshake and raise error 60.
VERIFY_IDENTITY mode checks the certificate CN against the host.
A mismatch produces immediate failure.
.
No. The error indicates the secure channel was not established, so MySQL aborts the connection to protect data.
Yes, setting --ssl-mode=DISABLED allows plaintext connections, but this exposes credentials in transit and is discouraged.
Use ALTER INSTANCE RELOAD TLS in MySQL 8.0.16 or later. It refreshes keys without restarting the server.
Galaxy validates connection parameters, surfaces SSL errors instantly, and lets teams share corrected connection profiles to prevent future failures.
.avif)
.avif){kind=logo}
