Environment
- Java 8
- MySQL
- JDBC driver
Issue
- Java updates disable TLSv1 and TLSv1.1 by default
- SSL/TLS connections are not successful to MySQL utilizing JDBC driver
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171)
at sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:98)
at sun.security.ssl.TransportContext.kickstart(TransportContext.java:220)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:428)
at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:188)
... 54 moreResolution
- This is not a StreamSets issue. This is a compatibility issue between Java and the MySQL JDBC driver
- Choose the most appropriate solution from below for your situation
Solution #1: Add "enabledTLSProtocols=TLSv1.2" to JDBC connection string
- Verify MySQL supports TLSv1.2
mysql> show variables like 'tls_version';
+---------------+---------------------+
| Variable_name | Value |
+---------------+---------------------+
| tls_version | TLSv1,TLSv1.1,TLSv1.2 |
+---------------+---------------------+
1 row in set (0.00 sec)- Update JDBC connection string
jdbc:mysql://[hostname]:[port]/[databaseName]?enabledTLSProtocols=TLSv1.2Solution #2: Enable TLSv1 and TLSv1.1
- File: $JAVA_HOME/jre/lib/security/java.security
- Old configuration:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL- New configuration:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULLSolution #3: Upgrade the MySQL database
- The TLS version is automatically selected by the JDBC driver depending on the database version.
- TLSv1 and TLSv1.1 will be used for versions below: 8.0, 5.7.28, 5.6.46
Additional Information
- A recent Java update, specifically Red Hat/CentOS, disables TLSv1 and TLSv1.1 by default for Java 8
- The MySQL JDBC driver will attempt to use TLSv1 and/or TLSv1.1 if the MySQL database version is below one of the following: 8.0, 5.7.28, 5.6.46
References
- https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-reference-using-ssl.html
- https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-usagenotes-known-issues-limitations.html
August 07, 2021 00:57