[Solved] Tommy Java TLS problem when connecting to MySQL

[cridus]

Hello, I'm on Tommy and my java application won't deploy because it fails to connect to the MySQL database on startup.

By looking up the error that I have in the logs, it seems related to the TLS implementation used by the client.

Have you guys updated Java recently, by chance? Maybe now I need to update it too and re-build my app.

 

Here's the error:

Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

And here's a StackOverflow question about it: https://stackoverflow.com/questions/38205947/sslhandshakeexception-no-appropriate-protocol

[cridus]

Edit: disregard this post (not the entire thread, just this one post).

[Krydos]

Yes, the java 8 version we're using now on Tommy was released April 21st and I upgraded it just a few days ago.

 

Reading through that stackoverflow it looks like java-1.8.0-openjdk-1.8.0.292.b10-1.el7_9 disabled TLSv1, and TLSv1.1 which is a good thing because those protocols are no longer considered secure. Mysql still supports TLSv1, TLSv1.1, and TLSv1.2.

mysql> show global variables like 'tls_version';
+---------------+-----------------------+
| Variable_name | Value                 |
+---------------+-----------------------+
| tls_version   | TLSv1,TLSv1.1,TLSv1.2 |
+---------------+-----------------------+
1 row in set (0.01 sec)

I'm going to leave TLSv1, and TLSv1.1 enabled in mysql for now even though they aren't secure anymore because it would likely break a lot of people's websites if I disabled them. Disabling them probably wouldn't get your app working again anyways. And here are the algorithms that are disabled in the /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el7_9.x86_64/jre/lib/security/java.security from latest version of java 8

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

As you can see TLSv1.2 is enabled in both java and mysql so they should be able to communicate using that algorithm. My guess is your app is trying to use TLSv1.1 or even worse TLSv1. Honestly at this point using those isn't much better than using an unencrypted connection. Reading through that stackoverflow it looks like most people are just switching back to an unsecure algorithm, but I think the best way to fix this would be to have your app use TLSv1.2 since both java and mysql support it. Check out these options

jdk.tls.client.protocols="TLSv1.2"
https.protocols="TLSv1.2"

https://www.ibm.com/support/pages/how-do-i-change-default-ssl-protocol-my-java-client-application-will-use

Try adding those options to your app, or if they are already present and forcing your app to use TLSv1 or TLSv1.1 you should update them to use TLSv1.2 instead. Let us know if it works.

[cridus]

Ok thanks, I'll try to switch to TLS 1.2, later today.

[cridus]

Done, I've updated the app's main framework, added two configs for TLS 1.2 and now it works. It deployed.

[Krydos]

Awesome. Thanks for sharing your results. There might be other people who have this same issue.