mysql jdbc connection with SSL fails at tls handshake level

Asked 12/3, 2019 at 19:59 Answered 20/8, 2021 at 3:3

Solved mysql ssl jdbc tls1.2 mysql-connector

Our mysql server is configured to accept only connection with ssl cipher DHE-RSA-AES256-GCM-SHA384.

I am using java mysql-connector-java (8.0.15) and java 8 (openjdk version "1.8.0_191" OpenJDK Runtime Environment (build 1.8.0_191-8u191-b12-2ubuntu0.16.04.1-b12)

When I list the available ciphers using the below program I get the TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher as available.

Below is the program to list the ciphers available https://confluence.atlassian.com/stashkb/files/679609085/679772359/1/1414093373406/Ciphers.java

But when I enable debug mode on ssl I get Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384.

and with below message

upcoming handshake states: server_hello[2]

*** ClientHello, TLSv1.1 RandomCookie: GMT: 1535642319 bytes = { 168, 0, 213, 212, 68, 19, 189, 131, 12, 147, 76, 108, 65, 77, 56, 170, 35, 147, 119, 196, 102, 161, 241, 133, 49, 97, 153, 200 } Session ID: {} Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] Compression Methods: { 0 }

Here the client starts communicating through TLSv1.1 when the server is using TLSv1.2

I also noticed that the ExportControlled.java (package com.mysql.cj.protocol;) creates SSLContext as (line 563)

try{
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(kms, tms.toArray(new TrustManager[tms.size()]), null);
        return sslContext;

    }

Please help me understand why the available cipher is ignored and what should I do to connect to the server

Kylakylah answered 12/3, 2019 at 19:59 Comment(0)

It is very simple, I just had to add the enabledTLSProtocols parameter to the jdbc url

Eg:-

jdbc:mysql://<hostname>:3115/<schema>?enabledTLSProtocols=TLSv1.2

Kylakylah answered 22/3, 2019 at 12:4 Comment(1)

Right, TLSv1.2 is not enabled by default in the Connector/J as noted in the documentation: dev.mysql.com/doc/connector-j/8.0/en/… There are also some notes about TLS support here: dev.mysql.com/doc/connector-j/8.0/en/… – Turnip 30/5, 2021 at 14:23

I got this working, I have to set and enable TLS protocol version in connection property with mysql-connector-java-8.0.26.jar while in SSL mode. props.setProperty("enabledTLSProtocols", "TLSv1.2")

Properties props = new Properties();
props.setProperty("user", USER_SSL);
props.setProperty("password", PASS_SSL);
props.setProperty("useSSL", "true");
props.setProperty("requireSSL", "true");
props.setProperty("verifyServerCertificate", "true");
props.setProperty("sslMode", "VERIFY_CA");
props.setProperty("javax.net.debug", "all");
props.setProperty("enabledTLSProtocols", "TLSv1.2");
props.setProperty("zeroDateTimeBehavior", "convertToNull");

// Setting the truststore
props.setProperty("trustCertificateKeyStoreUrl", TRUST_STORE_URL);
props.setProperty("trustCertificateKeyStorePassword", TRUST_STORE_PASSWORD);

// Setting the keystore
props.setProperty("clientCertificateKeyStoreUrl", KEYSTORE_URL);
props.setProperty("clientCertificateKeyStorePassword", KEYSTORE_PASSWORD);
try {
conn = DriverManager.getConnection(DB_URL, props);
} catch (Exception ex) 
{
Logger.debug(ex);
}

Archlute answered 20/8, 2021 at 3:3 Comment(0)

Recommended topics

Hot tags