Debugging SSL Handshake Issues

This section describes a TLS handshake error that an application may hit after a JDK update, what it means, and how to resolve it.

Starting with JDK 8u292 (Java version string 1.8.0_292), TLSv1.1 and earlier are disabled by default, as documented in the Consolidated Release Notes for JDK 8 and JDK 8 Update Releases under security-libs/

If you encounter the following error in your application:

Example SSL Handshake Exception
Caused by: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
  at<init>( ~[?:1.8.0_292]
  at<init>( ~[?:1.8.0_292]
  at ~[?:1.8.0_292]
  at ~[?:1.8.0_292]
  at com.mysql.cj.protocol.ExportControlled.performTlsHandshake( ~[mysql-connector-java-8.0.23.jar:8.0.23]
  at com.mysql.cj.protocol.StandardSocketFactory.performTlsHandshake( ~[mysql-connector-java-8.0.23.jar:8.0.23]
  at com.mysql.cj.protocol.a.NativeSocketConnection.performTlsHandshake( ~[mysql-connector-java-8.0.23.jar:8.0.23]
  at com.mysql.cj.protocol.a.NativeProtocol.negotiateSSLConnection( ~[mysql-connector-java-8.0.23.jar:8.0.23]
  at com.mysql.cj.protocol.a.NativeAuthenticationProvider.connect( ~[mysql-connector-java-8.0.23.jar:8.0.23]
  at com.mysql.cj.protocol.a.NativeProtocol.connect( ~[mysql-connector-java-8.0.23.jar:8.0.23]
  at com.mysql.cj.NativeSession.connect( ~[mysql-connector-java-8.0.23.jar:8.0.23]
  at com.mysql.cj.jdbc.ConnectionImpl.connectOneTryOnly( ~[mysql-connector-java-8.0.23.jar:8.0.23]
  at com.mysql.cj.jdbc.ConnectionImpl.createNewIO( ~[mysql-connector-java-8.0.23.jar:8.0.23]
  ... 173 more

This means the JVM refused the handshake because the only protocol versions the two sides could agree on were TLSv1 or TLSv1.1, which are now disabled (the same message also appears when no enabled cipher suite is shared). Either the client library is configured to use the older versions, or the server (in the stack trace above, a MySQL server reached through Connector/J) does not offer TLSv1.2.

Check the documentation of the library performing the connection to see whether there is a way to enforce TLSv1.2 or higher. For example, with the MySQL JDBC driver (Connector/J) you can enforce it by adding the enabledTLSProtocols=TLSv1.2 parameter to the connection string (Connector/J 8.0.28 renamed this property to tlsVersions and keeps the old name as an alias). Forcing TLSv1.2 on the client only helps if the server supports it; if the server itself offers nothing newer than TLSv1.1, the fix belongs on the server side.
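Before forcing TLSv1.2 on the client, it is worth confirming which versions the server will actually negotiate. The script below is an added example, not part of the original page or of Connector/J: it probes a MySQL server with openssl s_client (the -starttls mysql option needs OpenSSL 1.1.1 or later) and parses the negotiated protocol from the output. The host name and the sample s_client excerpts are constructed for illustration.

```sh
#!/bin/sh
# Added example (not part of the original page): before forcing TLSv1.2 on the
# client, check which TLS versions the MySQL server will actually negotiate.
# "-starttls mysql" needs OpenSSL 1.1.1 or later; the host name used in the
# usage comment below is an assumption.
set -eu

# Read "openssl s_client" output on stdin and print the negotiated protocol
# (e.g. TLSv1.2) only when a cipher was agreed. On a failed handshake s_client
# still prints a Protocol line but reports "Cipher : 0000", so print nothing.
negotiated_protocol() {
  awk -F':' '
    /^[ \t]*Protocol[ \t]*:/ { p = $2; gsub(/[ \t]/, "", p) }
    /^[ \t]*Cipher[ \t]*:/   { c = $2; gsub(/[ \t]/, "", c) }
    END { if (p != "" && c != "" && c != "0000") print p }
  '
}

# Try each protocol version in turn and report whether the server accepted it.
# A "no" for tls1 or tls1_1 can also mean the local OpenSSL build refuses to
# offer those versions, so treat only the tls1_2 / tls1_3 results as authoritative.
probe_mysql_tls() {
  host="$1"
  port="${2:-3306}"
  for flag in tls1 tls1_1 tls1_2 tls1_3; do
    proto=$(openssl s_client -connect "$host:$port" -starttls mysql "-$flag" \
              </dev/null 2>/dev/null | negotiated_protocol || true)
    if [ -n "$proto" ]; then
      echo "$flag: yes ($proto)"
    else
      echo "$flag: no"
    fi
  done
}

# Constructed s_client excerpts (not captured from a real server) so the
# parser can be exercised offline.
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_FAIL='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

printf '%s\n' "$SAMPLE_OK" | negotiated_protocol      # prints TLSv1.2
printf '%s\n' "$SAMPLE_FAIL" | negotiated_protocol    # prints nothing

# Usage against a real server (assumed host name):
# probe_mysql_tls db.example.internal 3306
```

If tls1_2 reports "no" while tls1 or tls1_1 report "yes", the server is the side stuck on legacy TLS (typical of older MySQL builds linked against yaSSL), and enabledTLSProtocols=TLSv1.2 on the client will simply turn the error into a different handshake failure.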

If you must use TLSv1 or TLSv1.1, you can re-enable the disabled versions by removing "TLSv1" and/or "TLSv1.1" from the jdk.tls.disabledAlgorithms security property in the JDK's java.security file. Treat this as a temporary measure: both versions were disabled because of known protocol weaknesses, and the change affects every TLS connection made by that JDK installation, not only the one that failed.

Let’s take a look at an example of re-enabling TLSv1 and TLSv1.1.

Open java.security in JDK_INSTALL_HOME/jre/lib/security (on JDK 9 and later the file lives in JDK_INSTALL_HOME/conf/security) and go to the property jdk.tls.disabledAlgorithms:

Example of the jdk.tls.disabledAlgorithms property with TLSv1 and TLSv1.1 disabled
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
  DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
  include jdk.disabled.namedCurves

To re-enable the versions, remove TLSv1 and TLSv1.1 from the property jdk.tls.disabledAlgorithms, then restart the JVM; the property is read once at startup.

Example of re-enabling TLSv1 and TLSv1.1
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
  DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
  include jdk.disabled.namedCurves
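Editing the JDK-wide java.security re-enables the legacy versions for every application that runs on that installation. A narrower alternative is to derive an override file containing only the modified property and pass it to the one JVM that needs it with -Djava.security.properties. The script below is an added example, not from the original page: it performs the same edit shown above (joining the backslash-continued property and dropping the TLSv1 and TLSv1.1 entries) and prints the JVM flag to use. The file paths and the application name in the usage comment are assumptions, and the sample java.security content is a constructed copy of the property as shipped with 8u292.

```sh
#!/bin/sh
# Added example (not part of the original page): instead of editing the
# JDK-wide java.security, generate a per-application override that re-enables
# TLSv1 and TLSv1.1 and pass it with -Djava.security.properties.
# Paths and the application name (app.jar) below are assumptions.
set -eu

# Read a java.security file on stdin, join the backslash-continued
# jdk.tls.disabledAlgorithms property, drop the TLSv1 and TLSv1.1 entries and
# print the resulting property on one line. Every other property and comment
# is ignored, so the output is a minimal override, not a copy of the file.
reenable_legacy_tls() {
  awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # continuation line: keep joining
    { line = buf $0; buf = "" }
    line ~ /^jdk\.tls\.disabledAlgorithms=/ {
      value = substr(line, index(line, "=") + 1)
      n = split(value, items, ",")
      out = ""
      for (i = 1; i <= n; i++) {
        item = items[i]
        gsub(/^[ \t]+|[ \t]+$/, "", item)
        if (item == "TLSv1" || item == "TLSv1.1") continue
        out = out (out == "" ? "" : ", ") item
      }
      print "jdk.tls.disabledAlgorithms=" out
    }
  '
}

# Write the override file and print the JVM flag that loads it. A single "="
# in the flag means only the listed properties are overridden; everything else
# still comes from the JDK's java.security ("==" would replace the whole file).
write_override() {
  src="$1"   # the JDK's java.security
  dst="$2"   # override file to create
  reenable_legacy_tls < "$src" > "$dst"
  echo "-Djava.security.properties=$dst"
}

# Constructed java.security excerpt (not a real file) for an offline run; the
# first two lines exist only to show that unrelated content is ignored.
SAMPLE_JAVA_SECURITY='# constructed sample
security.overridePropertiesFile=true
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
  DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
  include jdk.disabled.namedCurves'

printf '%s\n' "$SAMPLE_JAVA_SECURITY" | reenable_legacy_tls

# Real usage (assumed paths):
# java $(write_override "$JAVA_HOME/jre/lib/security/java.security" ./tls-legacy.security) -jar app.jar
```

The override only works when security.overridePropertiesFile=true in the JDK's java.security, which is the shipped default. Because the generated file keeps everything else in the property (including the include of jdk.disabled.namedCurves), the weaker ciphers and key sizes stay disabled; only the two protocol versions are restored.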