cridus
Posted May 12, 2021

Hello, I'm on Tommy and my java application won't deploy because it fails to connect to the MySQL database on startup. By looking up the error that I have in the logs, it seems related to the TLS implementation used by the client. Have you guys updated Java recently, by chance? Maybe now I need to update it too and re-build my app.

Here's the error:

    Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

And here's a StackOverflow question about it: https://stackoverflow.com/questions/38205947/sslhandshakeexception-no-appropriate-protocol

cridus
Posted May 12, 2021

Edit: disregard this post (not the entire thread, just this one post).

Krydos
Posted May 12, 2021

Yes, the java 8 version we're using now on Tommy was released April 21st and I upgraded it just a few days ago. Reading through that stackoverflow it looks like java-1.8.0-openjdk-1.8.0.292.b10-1.el7_9 disabled TLSv1, and TLSv1.1 which is a good thing because those protocols are no longer considered secure. Mysql still supports TLSv1, TLSv1.1, and TLSv1.2.

    mysql> show global variables like 'tls_version';
    +---------------+-----------------------+
    | Variable_name | Value                 |
    +---------------+-----------------------+
    | tls_version   | TLSv1,TLSv1.1,TLSv1.2 |
    +---------------+-----------------------+
    1 row in set (0.01 sec)

I'm going to leave TLSv1, and TLSv1.1 enabled in mysql for now even though they aren't secure anymore because it would likely break a lot of people's websites if I disabled them. Disabling them probably wouldn't get your app working again anyways.

And here are the algorithms that are disabled in the /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el7_9.x86_64/jre/lib/security/java.security from latest version of java 8

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
        DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
        include jdk.disabled.namedCurves

As you can see TLSv1.2 is enabled in both java and mysql so they should be able to communicate using that algorithm. My guess is your app is trying to use TLSv1.1 or even worse TLSv1. Honestly at this point using those isn't much better than using an unencrypted connection. Reading through that stackoverflow it looks like most people are just switching back to an unsecure algorithm, but I think the best way to fix this would be to have your app use TLSv1.2 since both java and mysql support it.

Check out these options

    jdk.tls.client.protocols="TLSv1.2"
    https.protocols="TLSv1.2"

https://www.ibm.com/support/pages/how-do-i-change-default-ssl-protocol-my-java-client-application-will-use

Try adding those options to your app, or if they are already present and forcing your app to use TLSv1 or TLSv1.1 you should update them to use TLSv1.2 instead. Let us know if it works.

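A small check for the mismatch discussed in the reply above, as an added example that is not code from the thread: it prints which protocols the JVM's java.security disables, which ones a default client in that JVM reports, and which of those also appear in the MySQL server's tls_version list. The class name and the optional command-line argument are assumptions; the default server list is the value from the mysql output above.

```java
import java.security.Security;
import java.util.*;
import javax.net.ssl.SSLContext;

public class TlsOverlapCheck {
    // Constructed default: the tls_version value shown in the thread's mysql output.
    static final String SERVER_TLS_VERSION = "TLSv1,TLSv1.1,TLSv1.2";

    /** Protocol names (SSLv*, TLSv*) listed in a jdk.tls.disabledAlgorithms value. */
    static Set<String> disabledProtocols(String prop) {
        Set<String> out = new LinkedHashSet<>();
        if (prop == null) return out;
        for (String entry : prop.split(",")) {
            String e = entry.trim();
            // Skips non-protocol entries such as "RC4" or "DH keySize < 1024".
            if (e.matches("(SSLv|TLSv)[0-9.]+")) out.add(e);
        }
        return out;
    }

    /** Protocols present on both sides, in the client's order. */
    static List<String> common(String[] clientProtocols, String serverList) {
        Set<String> server = new HashSet<>();
        for (String s : serverList.split(",")) server.add(s.trim());
        List<String> out = new ArrayList<>();
        for (String p : clientProtocols) if (server.contains(p)) out.add(p);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical argument: a tls_version value copied from another server.
        String server = args.length > 0 ? args[0] : SERVER_TLS_VERSION;
        System.out.println("Disabled in java.security: "
                + disabledProtocols(Security.getProperty("jdk.tls.disabledAlgorithms")));
        // Default protocols for client sockets created by this JVM.
        String[] client = SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
        System.out.println("JVM client defaults:       " + Arrays.toString(client));
        List<String> shared = common(client, server);
        System.out.println("Also accepted by server:   " + shared);
        if (shared.isEmpty()) {
            System.out.println("No shared protocol; expect an SSLHandshakeException.");
            System.exit(1);
        }
    }
}
```

Run it with the same JVM and the same -D options as the app, so the output reflects what the app's connections get by default.
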
cridus
Posted May 12, 2021

Ok thanks, I'll try to switch to TLS 1.2, later today.

cridus
Posted May 12, 2021

Done, I've updated the app's main framework, added two configs for TLS 1.2 and now it works. It deployed.

Krydos
Posted May 13, 2021

Awesome. Thanks for sharing your results. There might be other people who have this same issue.