Summary

Confluence using Java 11 and connected to Mysql Database. As soon as we start Confluence it gives the below error message which is related to Mysql TLS supported version and not appropriated protocol passed via JDBC URL.

2021-04-26 03:16:06,441 ERROR [Catalina-utility-1] [confluence.impl.setup.DefaultBootstrapDatabaseAccessor] getBootstrapData Unable to open database connection during bootstrap.
com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure

The last packet successfully received from the server was 41 milliseconds ago.  The last packet sent successfully to the server was 30 milliseconds ago.
...
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

Environment

• Confluence running with Java 11
• Mysql 5.7
• Mysql Driver version 5.1.4 or 5.1.34

Diagnosis

The error seems to be with MySQL and TLS protocols and this error mentioned in the MySQL :: MySQL Connector/J 8.0 Developer Guide :: 16 Known Issues and Limitations:

Connector/J does not enable connections with TLSv1.2 and higher by default due to compatibility issues when connecting to servers that restrict connections to use those higher TLS versions, you might encounter com.mysql.cj.exceptions.CJCommunicationsException: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate). You need to enable connections with TLSv1.2 and higher versions using the enabledTLSProtocols connection property. See Section 6.8, “Connecting Securely Using SSL” for details.

Java 11 Comes with higher security and the latest TLS versions. 

On the server-side, the value of the tls_version system variable determines which TLS protocols a MySQL server permits for encrypted connections. The tls_version value applies to connections from clients and from replica servers using regular source/replica replication. The variable value is a list of one or more comma-separated protocol versions from this list (not case-sensitive): TLSv1, TLSv1.1, TLSv1.2. By default, this variable lists all protocols supported by the SSL library used to compile MySQL (TLSv1,TLSv1.1,TLSv1.2 for OpenSSL, TLSv1,TLSv1.1 for yaSSL). To determine the value of tls_version at runtime, use this statement:

SHOW GLOBAL VARIABLES LIKE '%ssl%';
SHOW GLOBAL VARIABLES LIKE '%tls%';

Solution

To change the value of tls_version, set it at server startup. For example, to permit connections that use the TLSv1.1 or TLSv1.2 protocol, but prohibit connections that use the less-secure TLSv1 protocol, use these lines in the server my.cnf file:

[mysqld]
tls_version=TLSv1.1,TLSv1.2

Alternatively, we can pass different TLS versions in the JDBC connection URL using enabledTLSProtocols property, like below:

<property name="hibernate.connection.url">jdbc:mysql://localhost:3306/confluencedb?enabledTLSProtocols=TLSv1,TLSv1.1,TLSv1.2</property>

Or Just pass the useSSL=false in the connection string like below to disable SSL on the database connection:

<property name="hibernate.connection.url">jdbc:mysql://localhost:3306/confluencedb?useSSL=false</property>

Or edit my.cnf and add in skip_ssl

[mysqld]
...
skip_ssl