3201
MariaDB | ERROR | Common | Replication | HIGH confidence

Replica does not support caching_sha2_password authentication

Production Risk

Critical — replication cannot establish connection.

Why it happens
  1. Replica is connecting to a primary that requires caching_sha2_password but the replica client library does not support it.
  2. SSL/TLS not configured when caching_sha2_password requires a secure channel for the first authentication.
How to reproduce
trigger — this will error
CHANGE MASTER TO MASTER_USER='repl', MASTER_PASSWORD='secret';

expected output

ERROR 3201 (HY000): The replication channel is using caching_sha2_password which is not supported.

Fix 1

Enable SSL for replication

CHANGE MASTER TO MASTER_SSL=1;

Why this works

caching_sha2_password requires a secure channel for full authentication.
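
A fuller version of Fix 1, as an added example that is not part of the original page: it checks the account's plugin, makes the primary refuse non-TLS logins for that account, and adds certificate verification on the replica. The account 'repl'@'%' is the one used on this page; the CA file path is a placeholder you must replace.

```sql
-- Added example. 'repl'@'%' comes from the page; the CA path is a placeholder.

-- On the primary: confirm which authentication plugin the replication account uses.
SELECT user, host, plugin
FROM mysql.user
WHERE user = 'repl';

-- On the primary: reject any login for this account that is not over TLS,
-- so a misconfigured replica fails closed instead of falling back to plaintext.
ALTER USER 'repl'@'%' REQUIRE SSL;

-- On the replica: stop replication, enable TLS with server certificate
-- verification, then restart.
STOP SLAVE;
CHANGE MASTER TO
  MASTER_SSL = 1,
  MASTER_SSL_CA = '/path/to/ca.pem',   -- placeholder: CA that signed the primary's certificate
  MASTER_SSL_VERIFY_SERVER_CERT = 1;   -- check the primary's certificate against that CA
START SLAVE;

-- On the replica: verify the result. In the output, check
--   Master_SSL_Allowed            (Yes when TLS is in use)
--   Master_SSL_Verify_Server_Cert (Yes when verification is enabled)
--   Slave_IO_Running              (Yes once the connection succeeds)
--   Last_IO_Error                 (empty when authentication succeeded)
SHOW SLAVE STATUS;
```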

Fix 2

Change replication user to mysql_native_password

ALTER USER 'repl'@'%' IDENTIFIED WITH mysql_native_password BY 'secret';

Why this works

mysql_native_password does not require TLS for replication auth.

Fix 3

Upgrade replica MySQL version

-- Upgrade replica to MySQL 8.0.4+ which supports caching_sha2_password natively.

Why this works

Newer versions support the default auth plugin.

What not to do

Sources
Official documentation ↗

MySQL 8.0 — 3201 ER_SLAVE_CACHING_SHA2_PASSWORD_IS_NOT_SUPPORTED
