Amazon mysql rds refusing to accept credentials after upgrade

Question

I have an old RDS database that was on 5.6_MySql_1.23.0, being used by a Java application running:

        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>5.1.47</version>
            <scope>compile</scope>
        </dependency>

I've been refactoring old code, and part of that is upgrading from java 8 to 11. According to this post Java 11 doesn't support TLS=v1.0 & v1.1 anymore.

So I upgraded the cluster instance to 5.6_MySql_1.23.1 which does support TLS=v1.2 And I upgraded mysql connector to:

       <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>5.1.49</version>
            <scope>compile</scope>
        </dependency>

Running SHOW GLOBAL VARIABLES LIKE 'tls_version'; seems to return a TLSv1.2 enabled cluster:

TLSv1,TLSv1.1,TLSv1.2

However, since the upgrade my username and password are constantly getting rejected:

Caused by: java.sql.SQLSyntaxErrorException: Access denied for user 'user'@'%' to database 'dba'
    at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:120)
    at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122)
    at com.mysql.cj.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:828)
    at com.mysql.cj.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:448)
    at com.mysql.cj.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:241)
    at com.mysql.cj.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:198)
    at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:677)
    at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:251)
    at medispan.foundation.dataaccess.providers.sql.SQLProvider.createProviderConnection(SQLProvider.java:227)
    at medispan.foundation.dataaccess.providers.sql.SQLProvider.createConnection(SQLProvider.java:205)
    at medispan.foundation.dataaccess.providers.sql.SQLProvider.openConnection(SQLProvider.java:841)
    at medispan.foundation.dataaccess.providers.sql.SQLProvider.executeForResults(SQLProvider.java:1489)
    at medispan.foundation.dataaccess.providers.sql.SQLDataAccessProvider.innerExecuteForCollection(SQLDataAccessProvider.java:515)
    ... 120 common frames omitted

Here's my JDBC string that worked in my java 8 service:

jdbc:mysql://test-aurora-sdt-c1-0.cpdk4xuooxvm.us-east-1.rds.amazonaws.com:3306?user=[user]&password=[password]&verifyServerCertificate=false&useSSL=true&sslca=rds-combined-ca-bundle.pem&serverTimezone=PST

Here's my updated url for all the errors I've had to fix with the mysql changes since the two versions:

jdbc:mysql://test-aurora-sdt-c1-0.cpdk4xuooxvm.us-east-1.rds.amazonaws.com:3306/dba?user=[user]&password=[password]&verifyServerCertificate=false&useSSL=true&enabledTLSProtocols=TLSv1.2&sslca=rds-combined-ca-bundle.pem&serverTimezone=America/Los_Angeles

Did I miss a step database version migration to enable tls? Do I have to do something with my cert bundle that I'm just not aware of coming from a dynamo background?