Bug #103828 Connection to MySQL and TLS version with OpenJdk 1.8.0_292
Submitted: 27 May 2021 9:31 Modified: 27 Jun 2021 17:12
Reporter: Guihon Mendy Email Updates:
Status: No Feedback Impact on me: None
Category:Connector / J Severity:S1 (Critical)
Version:8.0.18 OS:Any
Assigned to: CPU Architecture:Any
Tags: Connector/J, handshake, Java 8u291, Java 8u292, SSL, tls

[27 May 2021 9:31] Guihon Mendy
Description:
When trying to connect to a MySQL Server using OpenJDK 1.8.0_292, we get this exception:

com.mysql.cj.exceptions.CJCommunicationsException: Communications link failure

The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
...
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

It seems that this is due to the disabling of the insecure TLSv1 and TLSv1.1 in Java 8u292 (https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8202343).

Shouldn't the default be TLSv1.2 on the driver so that we don't have to override the TLS protocol in the JDBC URL?

Thanks.

How to repeat:
Connect to a MySQL Server using a JDBC driver (Connector/J 8.0.18+) using OpenJDK 1.8.0_292.
[27 May 2021 11:59] MySQL Verification Team
Which MySQL server version are you trying to connect to? Thanks.
[27 May 2021 15:28] Filipe Silva
Hi Guihon Mendy,

Thank you for your interest in Connector/J.

Connector/J enables all TLS versions by default. Theoretically, the TLS negotiation phase should pick the highest version possible, which is TLSv1.3 when you use Java 11 and above.

It seems that although TLSv1.3 is supported in Java 8 since build 261, it is still not immediately enabled by default. And now with the deprecation of TLSv1 and TLSv1.1 in build 291, it seems that the TLS version negotiation may have some issues. Mind that all this happens in a lower layer in Java and Connector/J only has limited influence over it.

I wasn't able to verify this behavior, though. In my setup, with default settings, connections always picked TLSv1.2. I'm able to reproduce the behavior you described only if I set the connection option "enabledTLSProtocols=TLSv1.3", which, I guess, is not what you are doing.

For now, I have a couple of suggestions for you:

1. Force TLSv1.2 in the connection string "enabledTLSProtocols=TLSv1.2". This is what you ended up doing, right?

2. Keep Connector/J defaults and enable TLSv1.3 for client applications by starting your application with the option -Djdk.tls.client.protocols="TLSv1.3,TLSv1.2".

Please tell us what works best for you. In the meantime we'll keep this under close watch to see what else we can do.
[27 May 2021 15:56] Guihon Mendy
Hi Filipe Silva,

Thanks for your answer.
Yes, I ended up adding enabledTLSProtocols=TLSv1.2 to the connection string but this is just a temporary workaround, right?
By the way I'm using MySQL 5.7.22.
[27 May 2021 16:27] MySQL Verification Team
I asked for the server version because of the Note below in the Connector/J Manual:

Note
For Connector/J 8.0.18 and earlier when connecting to MySQL Community
Server 5.6 and 5.7 using the JDBC API: Due to compatibility issues with
MySQL Server compiled with yaSSL, Connector/J does not enable connections
with TLSv1.2 and higher by default. When connecting to servers that restrict
connections to use those higher TLS versions, enable them explicitly by setting
the Connector/J connection property enabledTLSProtocols (e.g., set
enabledTLSProtocols=TLSv1,TLSv1.1,TLSv1.2).
[27 May 2021 17:12] Filipe Silva
Setting 'enabledTLSProtocols=TLSv1.2' may not be a temporary workaround. As Miguel mentioned, there are cases where this is required in order to use higher TLS versions.

Please read carefully all the information in https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-reference-using-ssl.html.

MySQL 5.7.22? Is this a community or commercial edition?

I'd recommend upgrading to latest MySQL 8.0 anyway.
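The following Java program is an added example, not code from the report or from Connector/J: it reproduces the reasoning in the manual note and in the two suggestions above by intersecting the versions the driver offers with the versions the running JVM still enables. The list DRIVER_LEGACY_DEFAULT is an assumption taken from the note (Connector/J 8.0.18 and earlier offers only TLSv1/TLSv1.1 to Community 5.6/5.7 servers unless enabledTLSProtocols is set); jdk.tls.disabledAlgorithms and the SSLContext calls are standard JDK APIs.

```java
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Diagnoses the "No appropriate protocol" handshake failure from this report in the running JVM. */
public class TlsHandshakeCheck {

    // Assumption taken from the manual note quoted above: Connector/J 8.0.18 and earlier
    // offers only these versions to Community 5.6/5.7 servers unless enabledTLSProtocols is set.
    static final List<String> DRIVER_LEGACY_DEFAULT = Arrays.asList("TLSv1", "TLSv1.1");

    /** Client protocol versions the JVM enables (jdk.tls.client.protocols minus jdk.tls.disabledAlgorithms). */
    static List<String> jvmClientProtocols() throws NoSuchAlgorithmException {
        return Arrays.asList(SSLContext.getDefault().getDefaultSSLParameters().getProtocols());
    }

    /** Versions both the driver offers and the JVM permits; an empty result is the reported failure. */
    static List<String> negotiable(List<String> driverOffers, List<String> jvmAllows) {
        List<String> common = new ArrayList<>(driverOffers);
        common.retainAll(jvmAllows);
        return common;
    }

    /** Splits an enabledTLSProtocols value such as "TLSv1,TLSv1.1,TLSv1.2" into the list the driver would use. */
    static List<String> parseEnabledTlsProtocols(String value) {
        List<String> out = new ArrayList<>();
        for (String p : value.split(",")) {
            if (!p.trim().isEmpty()) out.add(p.trim());
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        List<String> jvm = jvmClientProtocols();
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("JVM client protocols       = " + jvm);

        // Driver defaults against a Community 5.7 server: empty on 8u292, where TLSv1/TLSv1.1 are disabled.
        System.out.println("Negotiable with driver defaults = " + negotiable(DRIVER_LEGACY_DEFAULT, jvm));

        // Suggestion 1 from the thread: the connection property widens what the driver offers.
        List<String> forced = parseEnabledTlsProtocols("TLSv1.2");
        System.out.println("Negotiable with enabledTLSProtocols=TLSv1.2 = " + negotiable(forced, jvm));
        // Suggestion 2 (-Djdk.tls.client.protocols="TLSv1.3,TLSv1.2") shows up in jvmClientProtocols()
        // without any change to the JDBC URL; rerun with that flag to compare the two lists.
    }
}
```

Run it once on the JDK that fails and once with the -D flag from suggestion 2 to see which of the two lists is empty in each case.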
[28 Jun 2021 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".