Leaderboard

Popular Content

Showing content with the highest reputation on 05/13/2021 in all areas

  1. Awesome. Thanks for sharing your results. There might be other people who have this same issue.
    1 point
  2. Yes, the Java 8 version we're using now on Tommy was released April 21st and I upgraded it just a few days ago. Reading through that stackoverflow it looks like java-1.8.0-openjdk-1.8.0.292.b10-1.el7_9 disabled TLSv1, and TLSv1.1 which is a good thing because those protocols are no longer considered secure. MySQL still supports TLSv1, TLSv1.1, and TLSv1.2.

         mysql> show global variables like 'tls_version';
         +---------------+-----------------------+
         | Variable_name | Value                 |
         +---------------+-----------------------+
         | tls_version   | TLSv1,TLSv1.1,TLSv1.2 |
         +---------------+-----------------------+
         1 row in set (0.01 sec)

     I'm going to leave TLSv1, and TLSv1.1 enabled in MySQL for now even though they aren't secure anymore because it would likely break a lot of people's websites if I disabled them. Disabling them probably wouldn't get your app working again anyways.

     And here are the algorithms that are disabled in the /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el7_9.x86_64/jre/lib/security/java.security from the latest version of Java 8:

         jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
             DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
             include jdk.disabled.namedCurves

     As you can see TLSv1.2 is enabled in both Java and MySQL so they should be able to communicate using that algorithm. My guess is your app is trying to use TLSv1.1 or even worse TLSv1. Honestly at this point using those isn't much better than using an unencrypted connection.

     Reading through that stackoverflow it looks like most people are just switching back to an unsecure algorithm, but I think the best way to fix this would be to have your app use TLSv1.2 since both Java and MySQL support it.

     Check out these options:

         jdk.tls.client.protocols="TLSv1.2"
         https.protocols="TLSv1.2"

     https://www.ibm.com/support/pages/how-do-i-change-default-ssl-protocol-my-java-client-application-will-use

     Try adding those options to your app, or if they are already present and forcing your app to use TLSv1 or TLSv1.1 you should update them to use TLSv1.2 instead. Let us know if it works.
    1 point
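
A diagnostic for the protocol mismatch described in the post above, as an added example that is not part of the original post: it prints what the running JVM will offer and intersects that with the `tls_version` value quoted from MySQL. The class name, the `usable` helper and the command-line arguments (the protocols the app is assumed to request) are hypothetical.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class TlsOverlapCheck {
    // Server side: the tls_version value quoted from MySQL in the post above.
    static final String SERVER_TLS_VERSION = "TLSv1,TLSv1.1,TLSv1.2";

    // Protocols that the app requests, the JVM still enables, and the server accepts.
    static List<String> usable(String[] requested, String[] jvmEnabled, String serverList) {
        List<String> jvm = Arrays.asList(jvmEnabled);
        List<String> server = Arrays.asList(serverList.trim().split("\\s*,\\s*"));
        List<String> result = new ArrayList<>();
        for (String p : requested) {
            if (jvm.contains(p) && server.contains(p)) {
                result.add(p);
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // JSSE reads this system property when it initialises, so set it on the
        // command line: java -Djdk.tls.client.protocols=TLSv1.2 TlsOverlapCheck
        System.out.println("jdk.tls.client.protocols   = "
                + System.getProperty("jdk.tls.client.protocols"));
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // Protocols the default SSLContext enables for client connections.
        String[] jvmEnabled = SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
        System.out.println("JVM client protocols       = " + Arrays.toString(jvmEnabled));

        // Assumption: arguments model what the app pins, e.g. "TLSv1 TLSv1.1".
        // With no arguments the app is taken to use the JVM defaults.
        String[] requested = args.length > 0 ? args : jvmEnabled;
        List<String> ok = usable(requested, jvmEnabled, SERVER_TLS_VERSION);
        System.out.println("Usable against MySQL       = " + ok);

        if (ok.isEmpty()) {
            System.out.println("No protocol in common: the TLS handshake cannot complete.");
        } else if (!ok.contains("TLSv1.2")) {
            System.out.println("Only legacy protocols in common: switch the app to TLSv1.2.");
        }
    }
}
```

Run it with the same JVM the app uses; passing `TLSv1 TLSv1.1` as arguments models an app pinned to the legacy protocols.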