1

I have a Spring Boot app that connects to a database which is not inside the container. After I build the image and run it, I get the following exception:

Caused by: javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]
    at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source) ~[na:na]
    at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source) ~[na:na]
    at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) ~[na:na]
    at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) ~[na:na]
    at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) ~[na:na]
    at java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.onServerHello(Unknown Source) ~[na:na]
    at java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.consume(Unknown Source) ~[na:na]

In my Dockerfile I tried to update the https.protocols to TLSv1.2 like below, but it is not working as expected:

FROM adoptopenjdk/openjdk11:alpine-jre
ARG JAR_FILE=target/portal-0.0.1-SNAPSHOT.jar
WORKDIR /appPortal
COPY ${JAR_FILE} portal.jar
ENTRYPOINT ["java","-Dcom.ibm.jsse2.overrideDefaultTLS = true","-Djdk.tls.client.protocols = TLSv1.2","-Dhttps.protocols = TLSv1.2","-jar","portal.jar"]

Maybe I'm trying to set TLS versions incorrectly; any advice on this?

Juliyanage Silva

3 Answers

2

I think the problem is that the server is using TLS 1.0, but your JVM does not support it by default.

Note: You might encounter such an issue if you're using openjdk 11.0.11 (since mid-Apr 2021), which has TLS 1.0 disabled by default.

If you have no way to set up the DB server to support a newer TLS version, you may work around the issue by overriding the default:

  • find properties file /security/java.security
  • find the line with "jdk.tls.disabledAlgorithms" property
  • take out TLSv1
Dharman
Bee Chow
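
The three steps in the answer above, as an added shell example that is not part of the original answer: it reads `jdk.tls.disabledAlgorithms` from a `java.security` file (joining backslash-continued lines), checks for an exact `TLSv1` entry, and prints the line with only that entry taken out, so `TLSv1.1` and `SSLv3` stay disabled. The function names and the sample file contents are constructed for illustration.

```shell
# Added example (not from the thread): inspect jdk.tls.disabledAlgorithms.

# Constructed sample input, laid out like a JDK java.security file.
sample_java_security() {
cat <<'EOF'
#jdk.tls.disabledAlgorithms=this commented-out line must be ignored
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2
EOF
}

# Print the property value on one line, joining backslash continuations.
disabled_algs() {   # $1 = path to a java.security file
  awk '
    !inprop && /^[ \t]*#/ { next }
    !inprop && /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*[=:]/ {
      sub(/^[^=:]*[=:][ \t]*/, ""); inprop = 1; val = ""
    }
    inprop {
      line = $0; more = (line ~ /\\$/)
      sub(/\\$/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line); val = val line
      if (!more) { inprop = 0; last = val }   # a later definition wins
    }
    END { print last }' "$1"
}

# Succeed only if $2 is an exact list entry: "TLSv1" must not match "TLSv1.1".
is_disabled() {   # $1 = file, $2 = entry
  disabled_algs "$1" | awk -F, -v want="$2" '
    { for (i = 1; i <= NF; i++) {
        t = $i; gsub(/^[ \t]+|[ \t]+$/, "", t); if (t == want) found = 1 } }
    END { exit !found }'
}

# Print the property line with the exact entry $2 taken out, others untouched.
without_entry() {   # $1 = file, $2 = entry to take out
  disabled_algs "$1" | awk -F, -v drop="$2" '
    { out = ""
      for (i = 1; i <= NF; i++) {
        t = $i; gsub(/^[ \t]+|[ \t]+$/, "", t)
        if (t != "" && t != drop) out = out (out == "" ? "" : ", ") t
      }
      print "jdk.tls.disabledAlgorithms=" out }'
}

demo=$(mktemp) && sample_java_security > "$demo"
is_disabled "$demo" TLSv1 && echo "TLSv1 is currently disabled"
without_entry "$demo" TLSv1; rm -f "$demo"
```

The line printed by `without_entry` can be placed in a separate file and passed to the JVM with `-Djava.security.properties=<file>`, which limits the change to one application instead of editing the JRE-wide file.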
1

You changed the TLS/SSL protocol as an option in the ENTRYPOINT, but the protocol should be supported at the OS (container) level.

If there is no attachment to the image, you can try the official openjdk image to give it a test.

https://hub.docker.com/_/openjdk

Vinod
0

Just thought of adding a straightforward answer here for future reference. I used "adoptopenjdk/openjdk11:alpine-jre" as the base image for the Dockerfile, and it seems the TLS version defaults to TLS10. So, as suggested by @Vinod and some other threads about different types of openjdk 11, I used openjdk:11.0.6-jre-slim, which helped me to omit the extra entrypoint options to set TLS versions.

Juliyanage Silva