Cannot to connect to MariaDB using TLS

[lapo-luchini]

I have a mariadb server configured to accept TLS connections, but they are only mandatory for some specific users.

[mariadb]
ssl_cert = <file>.cer
ssl_key = <file>.key
ssl_ca = <ca>.cer
tls_version = TLSv1.2,TLSv1.3
require_secure_transport = yes

The protocol use is thus starttls, to connect in cleartext and upgrade later.
It can be succesfully tested using:
openssl s_client -starttls mysql -connect <host>:3306 -showcerts
Using this exporter, I can either connect in cleartext (mysql_global_status_ssl_verify_depth 0) but if I enable ssl-ca in .my.cnf or use --tls.insecure-skip-verify I get a Error opening connection to database" err="remote error: tls: handshake failure and on the server side I see a Oct 13 21:41:49 VT0CLDWTSDB01C mariadbd[1566]: 2025-10-13 21:41:49 2036401 [Warning] Aborted connection 2036401 to db: 'unconnected' user: 'unauthenticated' host: '<host>' (This connection closed normally without authentication).

How can I debug the connection furhter?

[lapo-luchini]

Connecting to MariaDB 10.5.6, using Wireshark I see that "Client Hello" is quite different:

	exporter	mariadb
SNI	yes	no
Cipher Suites	13	26
Supported versions	TLS 1.3, TLS 1.2	TLS 1.3, TLS 1.2
Server response	Alert "Handshake Failure"	Server Hello with TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)

[lapo-luchini]

I guess the problem is that the server is an old RedHat 7 with openssl 1.0.2k and it doesn't support any protocol in common with the go tls implementation. 🤔
(even tough I see that the client hello also asks for TLS_AES_128_GCM_SHA256 and that should be pretty old)

Edit: I stand corrected, openssl 1.0.2k does support the requested ECDHE ciphers:

# openssl ciphers -V ECDHE | fgrep 2F
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD