cridus Posted May 12, 2021

Hello, I'm on Tommy and my java application won't deploy because it fails to connect to the MySQL database on startup. By looking up the error that I have in the logs, it seems related to the TLS implementation used by the client. Have you guys updated Java recently, by chance? Maybe now I need to update it too and re-build my app.

Here's the error:

    Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

And here's a StackOverflow question about it: https://stackoverflow.com/questions/38205947/sslhandshakeexception-no-appropriate-protocol

cridus Posted May 12, 2021 Author

Edit: disregard this post (not the entire thread, just this one post).

Krydos Posted May 12, 2021

Yes, the java 8 version we're using now on Tommy was released April 21st and I upgraded it just a few days ago. Reading through that stackoverflow it looks like java-1.8.0-openjdk-1.8.0.292.b10-1.el7_9 disabled TLSv1 and TLSv1.1, which is a good thing because those protocols are no longer considered secure. MySQL still supports TLSv1, TLSv1.1, and TLSv1.2.

    mysql> show global variables like 'tls_version';
    +---------------+-----------------------+
    | Variable_name | Value                 |
    +---------------+-----------------------+
    | tls_version   | TLSv1,TLSv1.1,TLSv1.2 |
    +---------------+-----------------------+
    1 row in set (0.01 sec)

I'm going to leave TLSv1 and TLSv1.1 enabled in mysql for now even though they aren't secure anymore because it would likely break a lot of people's websites if I disabled them. Disabling them probably wouldn't get your app working again anyways.

And here are the algorithms that are disabled in the /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el7_9.x86_64/jre/lib/security/java.security from the latest version of java 8:

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
        DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
        include jdk.disabled.namedCurves

As you can see, TLSv1.2 is enabled in both java and mysql so they should be able to communicate using that algorithm. My guess is your app is trying to use TLSv1.1 or even worse TLSv1. Honestly at this point using those isn't much better than using an unencrypted connection. Reading through that stackoverflow it looks like most people are just switching back to an unsecure algorithm, but I think the best way to fix this would be to have your app use TLSv1.2 since both java and mysql support it.

Check out these options:

    jdk.tls.client.protocols="TLSv1.2"
    https.protocols="TLSv1.2"

https://www.ibm.com/support/pages/how-do-i-change-default-ssl-protocol-my-java-client-application-will-use

Try adding those options to your app, or if they are already present and forcing your app to use TLSv1 or TLSv1.1 you should update them to use TLSv1.2 instead. Let us know if it works.
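
Added example, not part of the thread or of either poster's code: a small Java check that compares the protocol list a client is pinned to against this JVM's `jdk.tls.disabledAlgorithms`, which is the condition behind the "No appropriate protocol" error above. The class name `TlsProtocolCheck` and the sample list `TLSv1,TLSv1.1` are assumptions made for illustration.

```java
import java.security.Security;
import java.util.*;
import javax.net.ssl.SSLContext;

// Run as: java TlsProtocolCheck TLSv1.2   (argument = comma-separated protocols the client is pinned to)
public class TlsProtocolCheck {
    /** Requested protocols that the JVM supports and that are not listed in jdk.tls.disabledAlgorithms. */
    static List<String> usable(List<String> requested, Set<String> supported, Set<String> disabled) {
        List<String> ok = new ArrayList<>();
        for (String p : requested) {
            if (supported.contains(p) && !disabled.contains(p)) ok.add(p);
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a client still pinned to the old protocols.
        List<String> requested = Arrays.asList((args.length > 0 ? args[0] : "TLSv1,TLSv1.1").split(","));

        // The same property shown in java.security above; entries are comma-separated.
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        Set<String> disabled = new HashSet<>();
        for (String token : (prop == null ? "" : prop).split(",")) disabled.add(token.trim());

        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<>(Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
        String[] defaults = ctx.getDefaultSSLParameters().getProtocols();

        System.out.println("java.version               = " + System.getProperty("java.version"));
        System.out.println("jdk.tls.disabledAlgorithms = " + prop);
        System.out.println("default client protocols   = " + Arrays.toString(defaults));
        System.out.println("requested by the client    = " + requested);

        List<String> ok = usable(requested, supported, disabled);
        if (ok.isEmpty()) {
            // Every requested protocol is disabled or unsupported: the handshake cannot start.
            System.out.println("RESULT: none usable -> expect SSLHandshakeException: No appropriate protocol");
            System.exit(1);
        }
        System.out.println("RESULT: handshake can offer " + ok);
    }
}
```

Running it with the same JVM and the same `-D` options as the application shows whether the failure comes from the client's pinned list rather than from the server.
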

cridus Posted May 12, 2021 Author

Ok thanks, I'll try to switch to TLS 1.2, later today.

cridus Posted May 12, 2021 Author

Done, I've updated the app's main framework, added two configs for TLS 1.2 and now it works. It deployed.

Krydos Posted May 13, 2021

Awesome. Thanks for sharing your results. There might be other people who have this same issue.