Contrast EOP Server fails to start up when TLSv1 and TLSv1.1 are disabled, server.log shows "Communications link failure" ... Caused by "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)"

Issue

Contrast EOP Server fails to start up when TLSv1 and TLSv1.1 are disabled, and the <CONTRAST_EOP_INSTALL_DIR>/logs/server.log contains this:

250621 23.58.59,697 INFO (Server.java:215) Starting MySql Upgrader
250621 23.58.59,704 INFO (Server.java:232) Connecting to MySql...
250621 23.58.59,955 ERROR (Server.java:149) Error Creating ---------
com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure

The last packet successfully received from the server was 136 milliseconds ago. The last packet sent successfully to the server was 128 milliseconds ago.
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:1.8.0_292]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:1.8.0_292]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:1.8.0_292]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_292]
at com.mysql.jdbc.Util.handleNewInstance(Util.java:425) ~[contrast-server-full.jar:?]
at com.mysql.jdbc.SQLError.createCommunicationsException(SQLError.java:989) ~[contrast-server-full.jar:?]
at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:203) ~[contrast-server-full.jar:?]
at com.mysql.jdbc.MysqlIO.negotiateSSLConnection(MysqlIO.java:4901) ~[contrast-server-full.jar:?]
at com.mysql.jdbc.MysqlIO.proceedHandshakeWithPluggableAuthentication(MysqlIO.java:1659) ~[contrast-server-full.jar:?]
at com.mysql.jdbc.MysqlIO.doHandshake(MysqlIO.java:1226) ~[contrast-server-full.jar:?]
at com.mysql.jdbc.ConnectionImpl.coreConnect(ConnectionImpl.java:2191) ~[contrast-server-full.jar:?]
at com.mysql.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:2222) ~[contrast-server-full.jar:?]
at com.mysql.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:2017) ~[contrast-server-full.jar:?]
at com.mysql.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:779) ~[contrast-server-full.jar:?]
at com.mysql.jdbc.JDBC4Connection.<init>(JDBC4Connection.java:47) ~[contrast-server-full.jar:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:1.8.0_292]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:1.8.0_292]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:1.8.0_292]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_292]
at com.mysql.jdbc.Util.handleNewInstance(Util.java:425) ~[contrast-server-full.jar:?]
at com.mysql.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:389) ~[contrast-server-full.jar:?]
at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:330) ~[contrast-server-full.jar:?]
at java.sql.DriverManager.getConnection(DriverManager.java:664) ~[?:1.8.0_292]
at java.sql.DriverManager.getConnection(DriverManager.java:247) ~[?:1.8.0_292]
at com.contrastsecurity.teamserver.Server.establishDBConnection(Server.java:157) ~[contrast-server-full.jar:?]
at com.contrastsecurity.teamserver.Server.startDatabase(Server.java:233) ~[contrast-server-full.jar:?]
at com.contrastsecurity.teamserver.Server.main(Server.java:113) [contrast-server-full.jar:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_292]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_292]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_292]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_292]
at com.exe4j.runtime.LauncherEngine.launch(LauncherEngine.java:84) [i4jruntime.jar:?]
at com.install4j.runtime.launcher.UnixLauncher.start(UnixLauncher.java:66) [i4jruntime.jar:?]
at install4j.com.contrastsecurity.teamserver.Server.main(Unknown Source) [launcher172586ef.jar:?]
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171) ~[?:1.8.0_292]
at sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:98) ~[?:1.8.0_292]
at sun.security.ssl.TransportContext.kickstart(TransportContext.java:220) ~[?:1.8.0_292]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:428) ~[?:1.8.0_292]
at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:188) ~[contrast-server-full.jar:?]
... 27 more

Cause

Note the "Caused by:" line in the exception:

Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
      at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171) ~[?:1.8.0_292]

Typically, this problem occurs when:

1.  You have explicitly disabled TLSv1 and TLSv1.1, OR

2.  You are using BYOJ (Bring Your Own Java) with Contrast (instead of the Java that comes bundled with Contrast EOP, which resides at <CONTRAST_EOP_INSTALL_DIR>/jre) AND the version of Java you're using has TLSv1 and TLSv1.1 disabled by default (this is true for newer versions of Java such as Java 1.8.0_292).

Note that MySQL 5.7 (which is used by Contrast) requires TLSv1, TLSv1.1, OR TLSv1.2:

mysql> SHOW GLOBAL VARIABLES LIKE 'tls_version';
+---------------+-----------------------+
| Variable_name | Value                 |
+---------------+-----------------------+
| tls_version   | TLSv1,TLSv1.1,TLSv1.2 |
+---------------+-----------------------+
1 row in set (0.00 sec)

However, the MySQL Connector/J driver that Contrast EOP Server uses to connect to the database does not enable TLSv1.2 or higher by default.

As a result, there are no matching protocols, as indicated in the ERROR stack trace in Contrast EOP's server.log.

Resolution

There are 2 different ways you can resolve this problem:

1. To use the TLSv1.2 protocol, modify the Contrast JDBC connection string to use TLSv1.2. Do this by editing <CONTRAST_INSTALL_DIR>/data/conf/database.properties and modifying the jdbc.url parameter. This file is encrypted and must be modified using the encrypted properties editor.

For example:

jdbc.url : jdbc:mysql://localhost:3306/contrast?enabledTLSProtocols=TLSv1.2

or, for EOP versions greater than 3.8.10 (which use the MariaDB JDBC connector):

jdbc.url : jdbc:mysql://localhost:3306/contrast?enabledSslProtocolSuites=TLSv1.2

2. If you want to use the TLSv1 or TLSv1.1 protocol, remove TLSv1 and/or TLSv1.1 from the list of disabled protocols. To do this, edit your $JRE/lib/security/java.security file and remove TLSv1 and/or TLSv1.1 from the list of values for the jdk.tls.disabledAlgorithms setting.

For example:

#jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
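
The mismatch from the Cause section and the effect of each resolution can be checked offline. This is an added example, not Contrast's code. It covers only the Connector/J `enabledTLSProtocols` case; the function names and the `CONNECTOR_DEFAULT` list (taken from the article's statement that the driver does not enable TLSv1.2 by default) are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption drawn from the article: without enabledTLSProtocols in the URL,
# this Connector/J build offers nothing newer than TLSv1.1.
CONNECTOR_DEFAULT = ["TLSv1", "TLSv1.1"]
PROTOCOL = re.compile(r"(SSLv\d\w*|TLSv\d(\.\d)?)")

# Constructed samples: the default the article shows commented out, then its edit.
STRICT = "jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA"
RELAXED = r"""#jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
"""
SERVER = "TLSv1,TLSv1.1,TLSv1.2"  # tls_version value shown in the article
URL = "jdbc:mysql://localhost:3306/contrast"

def disabled_protocols(java_security):
    """Protocol names in jdk.tls.disabledAlgorithms; the last definition wins."""
    value, buf = "", None
    for raw in java_security.splitlines():
        line = raw.strip()
        if buf is None:
            if not line or line[0] in "#!":
                continue  # a comment never continues, even if it ends in "\"
            buf = ""
        continued = line.endswith("\\")
        buf += line[:-1] if continued else line
        if continued:
            continue
        key, _, val = buf.partition("=")
        if key.strip() == "jdk.tls.disabledAlgorithms":
            value = val
        buf = None
    names = (t.strip() for t in value.split(","))
    return {n for n in names if PROTOCOL.fullmatch(n)}

def negotiable(jdbc_url, java_security, server_tls_version):
    """Protocols the client still offers that the server also accepts."""
    query = urlsplit(jdbc_url.split(":", 1)[1]).query
    requested = parse_qs(query).get("enabledTLSProtocols")
    wanted = requested[-1].split(",") if requested else CONNECTOR_DEFAULT
    blocked = disabled_protocols(java_security)
    server = {p.strip() for p in server_tls_version.split(",")}
    offered = [p.strip() for p in wanted if p.strip() not in blocked]
    return [p for p in offered if p in server]

if __name__ == "__main__":
    print("failing setup:", negotiable(URL, STRICT, SERVER))
    print("resolution 1: ", negotiable(URL + "?enabledTLSProtocols=TLSv1.2", STRICT, SERVER))
    print("resolution 2: ", negotiable(URL, RELAXED, SERVER))
```

An empty result corresponds to the "No appropriate protocol" handshake failure; only the URL change yields TLSv1.2 while leaving the JVM-wide disabled list untouched.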
