flyway-docker

7.8.2-alpine breaks connection to Aurora Serverless

Open elopez opened this issue 4 years ago • 1 comments

Hi,

When upgrading 7.8.1-alpine to 7.8.2-alpine, the connection to Aurora Serverless broke:

Flyway Community Edition 7.8.2 by Redgate
--
ERROR:
Unable to obtain connection from database (jdbc:mysql://blahblah.region.rds.amazonaws.com:3306/bar?useSsl=true) for user 'foo': Communications link failure
The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
SQL State  : 08S01
Error Code : 0
Message    : Communications link failure
The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.
 
Caused by: com.mysql.cj.jdbc.exceptions.CommunicationsException: Communications link failure
The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.
Caused by: com.mysql.cj.exceptions.CJCommunicationsException: Communications link failure
The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

I found out this is due to the change in jdk.tls.disabledAlgorithms on the base image used for 0.8.2:

diff -uNr out81/opt/java/openjdk/conf/security/java.security out82/opt/java/openjdk/conf/security/java.security
--- out81/opt/java/openjdk/conf/security/java.security  2021-01-20 09:16:57.000000000 -0300
+++ out82/opt/java/openjdk/conf/security/java.security  2021-04-20 18:21:25.000000000 -0300
@@ -725,8 +725,8 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
+    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
     include jdk.disabled.namedCurves

 #
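Review bot: The `+` lines add `TLSv1, TLSv1.1` to `jdk.tls.disabledAlgorithms`, which is a behaviour change for any client whose server negotiates only those versions, and nothing in the surrounding comment lines of the hunk flags it. Anything that ships this file should call the change out in its release notes. An override should drop only the protocol entry that is actually needed from the new list, keeping `SSLv3` and the cipher and key-size entries disabled, rather than restoring the whole previous value.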

For a workaround, you can add the following to the Dockerfile, where flyway.security is a file containing just the previous jdk.tls.disabledAlgorithms=....

COPY flyway.security /
ENV JAVA_ARGS="-Djava.security.properties=/flyway.security"

elopez avatar Apr 28 '21 12:04 elopez
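Added example (not part of the original issue and not Flyway's or the JDK's code): a small Python check that reads `jdk.tls.disabledAlgorithms` from java.security-style text, lists what a newer base image newly disables, and builds an override line that re-enables only a named protocol version. The sample texts are constructed from the two values in the diff above; the function names and the choice of `TLSv1.1` are assumptions made for illustration.

```python
import re

# Constructed samples: old and new values from the diff above, with the commented example line kept.
OLD = r"""#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
"""
NEW = r"""#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
"""

PROP = "jdk.tls.disabledAlgorithms"
PROTOCOL = re.compile(r"(SSLv\d|TLSv\d(\.\d)?|DTLSv\d\.\d)")

def read_property(text, name=PROP):
    """Entries of a comma-separated property; only 'key=value' syntax is handled."""
    entries, logical = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue                      # blank or comment line outside a continuation
        if line.endswith("\\"):
            logical += line[:-1]          # join backslash continuation
            continue
        key, sep, value = (logical + line).partition("=")
        if sep and key.strip() == name:   # a later definition replaces an earlier one
            entries = [e.strip() for e in value.split(",") if e.strip()]
        logical = ""
    return entries

def newly_disabled(old_text, new_text):
    """Entries present in the new value but not in the old one, in file order."""
    old = set(read_property(old_text))
    return [e for e in read_property(new_text) if e not in old]

def disabled_protocols(text):
    """Only the protocol-version entries (SSLv3, TLSv1, ...), not ciphers or key sizes."""
    return [e for e in read_property(text) if PROTOCOL.fullmatch(e)]

def narrow_override(text, reenable):
    """One-line override keeping every entry except the protocols named in reenable."""
    return PROP + "=" + ", ".join(e for e in read_property(text) if e not in reenable)

if __name__ == "__main__":
    print("newly disabled:", newly_disabled(OLD, NEW))
    print(narrow_override(NEW, ["TLSv1.1"]))  # TLSv1.1 chosen only for illustration
```

The line printed by `narrow_override` has the same form as the single property the workaround above places in `flyway.security`.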

Can also disable ssl if it is not important to you, not recommended but

jdbc:mysql://blahblah.region.rds.amazonaws.com:3306/bar?useSSL=false, case sensitive, so useSsl will not work... At least for me

Does anyone know if Flyway supports more than just SSL? I am trying to find documentation on this with no success.

thaibt avatar Jul 14 '21 20:07 thaibt

Please create a new issue if this issue is still outstanding on the latest Flyway Docker image.

Barry-RG avatar Nov 01 '23 11:11 Barry-RG