Confluence does not start with MySQL on Java 11
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Confluence is running on Java 11 and is connected to a MySQL database. As soon as Confluence starts, it logs the error below, which relates to the TLS versions MySQL supports and to no appropriate protocol being passed via the JDBC URL.
2021-04-26 03:16:06,441 ERROR [Catalina-utility-1] [confluence.impl.setup.DefaultBootstrapDatabaseAccessor] getBootstrapData Unable to open database connection during bootstrap.
com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure
The last packet successfully received from the server was 41 milliseconds ago. The last packet sent successfully to the server was 30 milliseconds ago.
...
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Environment
- Confluence running with Java 11
- MySQL 5.7
- MySQL driver version 5.1.4 or 5.1.34
Diagnosis
The error relates to MySQL and TLS protocols, and it is described in the MySQL Connector/J 8.0 Developer Guide, section 16, Known Issues and Limitations:
Connector/J does not enable connections with TLSv1.2 and higher by default due to compatibility issues. When connecting to servers that restrict connections to use those higher TLS versions, you might encounter com.mysql.cj.exceptions.CJCommunicationsException: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate). You need to enable connections with TLSv1.2 and higher versions using the enabledTLSProtocols connection property. See Section 6.8, “Connecting Securely Using SSL” for details.
Java 11 comes with higher security and the latest TLS versions.
On the server side, the value of the tls_version system variable determines which TLS protocols a MySQL server permits for encrypted connections. The tls_version value applies to connections from clients and from replica servers using regular source/replica replication. The variable value is a list of one or more comma-separated protocol versions from this list (not case-sensitive): TLSv1, TLSv1.1, TLSv1.2. By default, this variable lists all protocols supported by the SSL library used to compile MySQL (TLSv1,TLSv1.1,TLSv1.2 for OpenSSL, TLSv1,TLSv1.1 for yaSSL). To determine the value of tls_version at runtime, use these statements:
SHOW GLOBAL VARIABLES LIKE '%ssl%';
SHOW GLOBAL VARIABLES LIKE '%tls%';
Solution
To change the value of tls_version, set it at server startup. For example, to permit connections that use the TLSv1.1 or TLSv1.2 protocol, but prohibit connections that use the less-secure TLSv1 protocol, use these lines in the server my.cnf file:
[mysqld]
tls_version=TLSv1.1,TLSv1.2
Alternatively, pass the TLS versions to use in the JDBC connection URL with the enabledTLSProtocols property, as below:
<property name="hibernate.connection.url">jdbc:mysql://localhost:3306/confluencedb?enabledTLSProtocols=TLSv1,TLSv1.1,TLSv1.2</property>
Or pass useSSL=false in the connection string, as below, to disable SSL on the database connection (traffic between Confluence and MySQL is then unencrypted):
<property name="hibernate.connection.url">jdbc:mysql://localhost:3306/confluencedb?useSSL=false</property>
Or edit my.cnf and add skip_ssl, which turns off SSL on the MySQL server:
[mysqld]
...
skip_ssl
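To see which of the settings above leaves the driver, the server and the JVM with a TLS version in common, the following added example (not Atlassian's or MySQL's code) parses a JDBC URL and a my.cnf fragment and intersects the protocol lists. The function names, the driver default of TLSv1,TLSv1.1 and the JVM protocol list are assumptions made for this illustration.

```python
import configparser
from urllib.parse import urlsplit, parse_qs

# Canonical spellings; the server treats tls_version values case-insensitively.
CANON = {p.lower(): p for p in ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")}

def _protocols(listed):
    names = (p.strip() for p in listed.split(","))
    return {CANON.get(p.lower(), p) for p in names if p}

def jdbc_tls_settings(jdbc_url, driver_default="TLSv1,TLSv1.1"):
    """(use_ssl, protocols) from a jdbc:mysql:// URL. driver_default is an
    assumption standing in for a driver that does not enable TLSv1.2."""
    query = parse_qs(urlsplit(jdbc_url[len("jdbc:"):]).query)
    use_ssl = query.get("useSSL", ["true"])[0].lower() != "false"
    listed = query.get("enabledTLSProtocols", [driver_default])[0]
    return use_ssl, _protocols(listed)

def server_tls_settings(my_cnf, compiled_default="TLSv1,TLSv1.1,TLSv1.2"):
    """(ssl_on, protocols) from the [mysqld] section of my.cnf text."""
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cfg.read_string(my_cnf)
    mysqld = cfg["mysqld"] if cfg.has_section("mysqld") else {}
    ssl_on = not ({"skip_ssl", "skip-ssl"} & set(mysqld))
    return ssl_on, _protocols(mysqld.get("tls_version") or compiled_default)

def diagnose(jdbc_url, my_cnf, jvm_enabled):
    """Return (status, common protocols) for one driver/server/JVM combination."""
    client_ssl, client = jdbc_tls_settings(jdbc_url)
    server_ssl, server = server_tls_settings(my_cnf)
    if not (client_ssl and server_ssl):
        return "no-tls", []          # either side switched TLS off
    common = sorted(client & server & _protocols(",".join(jvm_enabled)))
    return ("ok" if common else "handshake-failure"), common

# Constructed sample inputs (not taken from a real system).
JVM_ENABLED = ["TLSv1.2", "TLSv1.3"]   # a JVM with TLSv1 and TLSv1.1 disabled
MY_CNF = "[mysqld]\ntls_version=TLSv1.1,TLSv1.2\n"
BASE = "jdbc:mysql://localhost:3306/confluencedb"

if __name__ == "__main__":
    for url in (BASE, BASE + "?enabledTLSProtocols=TLSv1,TLSv1.1,TLSv1.2",
                BASE + "?useSSL=false"):
        print(url, "->", diagnose(url, MY_CNF, JVM_ENABLED))
```

A "handshake-failure" result corresponds to the SSLHandshakeException in the log above; "no-tls" means the connection is not encrypted at all.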