Summary

After upgrade of Jira from a lower version to 8.20, the node does not come up and fails with a error such as below.

2022-11-09 12:18:07,729-0500 JIRA-Bootstrap ERROR      [c.a.config.bootstrap.DefaultAtlassianBootstrapManager] Could not successfully test your database: 
com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failureThe last packet successfully received from the server was 17 milliseconds ago.  The last packet sent successfully to the server was 6 milliseconds ago.
.......
    at com.mysql.jdbc.SQLError.createCommunicationsException(SQLError.java:990)
    at com.mysql.jdbc.JDBC4Connection.<init>(JDBC4Connection.java:47)
......
com.atlassian.jira.startup.DefaultJiraLauncher.start(DefaultJiraLauncher.java:100)
com.atlassian.jira.startup.LauncherContextListener.initSlowStuff(LauncherContextListener.java:154)
    at java.base/java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
    at java.base/sun.security.ssl.HandshakeContext.<init>(Unknown Source)
    at java.base/sun.security.ssl.ClientHandshakeContext.<init>(Unknown Source)
    at java.base/sun.security.ssl.TransportContext.kickstart(Unknown Source)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    ... 46 more
2022-11-09 12:18:07,746-0500 JIRA-Bootstrap ERROR      [c.a.jira.health.HealthChecks] JIRA couldn't connect to your database 

Environment

8.20.11

Diagnosis

The error originates during the SSL handshake using the current Mysql JDBC driver carried over from the older version of Jira. The error does not explicitly call out the jdbc driver but rather complains of inappropriate protocol with the relevant error in the stack as below. The jdbc version currently is found to be mysql-connector-java-5.1.48 which is lower than the recommended version for 8.20 Jira version.

Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
    at java.base/sun.security.ssl.HandshakeContext.<init>(Unknown Source) 

Cause

Whenever newer versions of Jira is released it would be packaged with the higher version of the jre and also the updated security policy file found under $JAVA_HOME/lib/security/java.security. Also later versions of the supported AdoptopenJDK have security policy files which do not support TLSv1 and TLSv1.1. On the other hand, Mysql jdbc versions below 5.6.46 will use TLSv1 and TLSv1.1. So the incompatibility between the underlying java security policy and the mysql jdbc driver would cause such an error to be thrown.

To get to the root cause verify the following :
1. Have you upgraded your mysql JDBC connector to 5.7 or 8 as recommended under Supported Platforms.
2. Verify the supported TLS version in the database by running the command below. It should show what TLS versions are supported by the database and the corresponding drivers that can be used.

mysql> show variables like 'tls_version';

Solution

The issue is resolved by performing one of the following :

1. By updating the mysql JDbc driver jconnector to version 8.0 or above.
2. By updating the Java security policy to support lower TLS versions.

You can make the JDK/JRE to accept the TLSv1.0 and TLSv1.1 protocol by going to your $JAVA_HOME/lib/security/java.security and remove them from the following parameter (you can either comment it out or remove those protocols from the list)

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL

We would highly recommend to utilize the first resolution to upgrade the jconnector to resolve the problem.