Hi there, we are using version 14.1, building it in Docker and deploying through to Kubernetes; however, the problem we are facing occurs both in our QA environment and locally using Docker Compose.
All of a sudden, last Friday when we built the Docker image we started getting SSL handshake errors and cannot connect to Azure MySQL. I can connect locally, but that does not use SSL. The build server is a dynamically hosted pipeline in Azure DevOps, so it does not cache any base images at all.
The last successful build was on Thursday.
We use the default base image
FROM ${docker.brxm.base.image}
which in turn uses the base image defined by Bloomreach:
tomcat:9-jdk8-openjdk-slim (Docker Hub, image id 09cde8da31fa)
and we are now getting SSL handshake errors:

```
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
web_1 | at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171)
web_1 | at sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:98)
web_1 | at sun.security.ssl.TransportContext.kickstart(TransportContext.java:220)
web_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:428)
web_1 | at com.mysql.cj.protocol.ExportControlled.performTlsHandshake(ExportControlled.java:316)
web_1 | at com.mysql.cj.protocol.StandardSocketFactory.performTlsHandshake(StandardSocketFactory.java:188)
web_1 | at com.mysql.cj.protocol.a.NativeSocketConnection.performTlsHandshake(NativeSocketConnection.java:99)
web_1 | at com.mysql.cj.protocol.a.NativeProtocol.negotiateSSLConnection(NativeProtocol.java:352)
```
This is kind of urgent as we are completely blocked and cannot deploy any changes to our website…
Any thoughts?
I love it when you solve your own problem
There is clearly an SSL certificate issue in the latest Tomcat image. We overrode the default image in the pom properties, and specified the previous image and we are up and running again.
```xml
<docker.brxm.base.image>tomcat:9.0.39-jdk8-openjdk-slim</docker.brxm.base.image>
```
Will raise an issue in the Tomcat GitHub anyway.
So it turns out they have removed TLS 1.0 and 1.1 support from the Tomcat image.
Azure MySQL will accept connections from 1.0, 1.1 and 1.2. I enforced 1.2, but it still failed.
Does this then require a change to the Bloomreach application?
I believe Tomcat is not involved there. It is the MySQL client which connects to the server with SSL/TLS. It has nothing at all to do with Tomcat serving HTTPS. Just the JDK and MySQL.
Not quite sure what you are suggesting?
We use the Tomcat base Docker image as per the defaults from Bloomreach. Obviously it's not Tomcat itself, it's the MySQL driver being used by the Bloomreach code that is added to the base image, and the MySQL driver is supplied by the base image, so potentially the code needs a tweak so that it uses TLS 1.2?
Or not… Is the MySQL driver added in as part of the Bloomreach WAR file?
Is the MySQL server configured for SSL? AFAIK this exception is also thrown when trying an SSL connection to an unencrypted endpoint. By default the MySQL server is not configured for SSL. Can you connect over SSL to the MySQL server from a different client?
Hi, sorry perhaps I am not clear, hopefully this will help.
We use Microsoft Azure MySQL and it is configured to enforce SSL connections only. It currently allows TLS 1.0, 1.1 and 1.2, and all was working fine up until last week.
Last week there was an update to the base image used by Bloomreach, tomcat:9-jdk8-openjdk-slim, which is the default image used when Bloomreach is built for Docker, and they have removed support for TLS 1.0 and 1.1.
It would seem that somewhere, when the driver is initialised to connect to the database, a change is needed to ensure that it uses TLS 1.2.
Is this Bloomreach-level code, or deeper? Or is it configuration on the connection settings in the context.xml?
Does that help?
Thanks
John
I'm not an expert on Docker. However, any app must be configured to use the proper data source (I believe that Jackrabbit can be configured to use a DataSource from Tomcat, that is, a DS configured in context.xml). Are you sure that the CMS was connected to the Azure instance before?
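The failure mode discussed in this thread, as an added example that is not from the original posts nor from Bloomreach, Tomcat or Connector/J: a small Python model of the TLS version negotiation behind "No appropriate protocol", run over the situations the posters describe (old image, new image, server tightened to TLS 1.2, driver pinned to TLS 1.2). It assumes, since the thread does not state these, a java.security like OpenJDK 8u292's, whose jdk.tls.disabledAlgorithms lists TLSv1 and TLSv1.1; a JDBC driver that, when the URL pins nothing, offers only TLS 1.0/1.1 (DRIVER_DEFAULT_OFFER, chosen so that the model reproduces the reported symptom, not a verified fact about the poster's driver version); and the Connector/J connection property enabledTLSProtocols (alias tlsVersions from 8.0.28) for pinning. The java.security excerpts, the server's accepted versions and the JDBC URL are constructed inline.

```python
"""Model of the TLS version negotiation behind
"No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".

Added illustration, not code from the thread, Bloomreach, Tomcat or Connector/J.
Assumptions (the thread does not state them):
  * the new image's JDK ships a java.security whose jdk.tls.disabledAlgorithms
    lists TLSv1 and TLSv1.1, as OpenJDK 8u292 does;
  * the JDBC driver offers only DRIVER_DEFAULT_OFFER unless the URL property
    enabledTLSProtocols (alias tlsVersions in Connector/J 8.0.28+) pins others;
    the legacy default is chosen to reproduce the poster's symptom.
"""
import re
from typing import List, Optional

# Versions the client-side JSSE knows about (a constant here, not read from a
# JDK), in the order the driver would prefer them.
JSSE_SUPPORTED = ["TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"]

# Assumption: what the driver asks for when the JDBC URL pins nothing.
DRIVER_DEFAULT_OFFER = ["TLSv1.1", "TLSv1"]

# Constructed excerpts in the format of $JAVA_HOME/jre/lib/security/java.security.
# The file uses backslash line continuations; the first mirrors the 8u292 default.
JAVA_SECURITY_NEW_IMAGE = """\
# constructed sample
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5
"""
JAVA_SECURITY_OLD_IMAGE = """\
# constructed sample
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

# What the thread says the Azure server accepts, plus a constructed JDBC URL.
AZURE_ACCEPTS = ["TLSv1.2", "TLSv1.1", "TLSv1"]
JDBC_URL = "jdbc:mysql://example.mysql.database.azure.com:3306/brxm?useSSL=true&requireSSL=true"


def parse_disabled_algorithms(java_security: str) -> List[str]:
    """Items of jdk.tls.disabledAlgorithms, honouring backslash continuations."""
    joined = java_security.replace("\\\n", "")
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "jdk.tls.disabledAlgorithms":
            return [item.strip() for item in value.split(",") if item.strip()]
    return []


def jdk_enabled_protocols(java_security: str) -> List[str]:
    """Protocol versions JSSE will still use once java.security is applied."""
    disabled = set(parse_disabled_algorithms(java_security))
    return [p for p in JSSE_SUPPORTED if p not in disabled]


def url_pinned_protocols(jdbc_url: str) -> Optional[List[str]]:
    """Versions pinned via enabledTLSProtocols/tlsVersions in the URL, or None."""
    m = re.search(r"[?&](?:enabledTLSProtocols|tlsVersions)=([^&]+)", jdbc_url)
    return m.group(1).split(",") if m else None


def client_offer(java_security: str, jdbc_url: str) -> List[str]:
    """Versions the driver can put in its ClientHello: what it asks for minus
    what the JDK has disabled. An empty list is the 'No appropriate protocol'
    case: HandshakeContext raises before any byte reaches the server, so
    server-side settings cannot influence it."""
    wanted = url_pinned_protocols(jdbc_url) or DRIVER_DEFAULT_OFFER
    enabled = set(jdk_enabled_protocols(java_security))
    return [p for p in wanted if p in enabled]


def negotiated(java_security: str, jdbc_url: str, server_accepts: List[str]) -> Optional[str]:
    """Version a handshake would settle on, or None if it cannot succeed."""
    for p in client_offer(java_security, jdbc_url):
        if p in server_accepts:
            return p
    return None


def pin_tls12(jdbc_url: str) -> str:
    """Append the Connector/J property that pins the driver to TLS 1.2."""
    sep = "&" if "?" in jdbc_url else "?"
    return jdbc_url + sep + "enabledTLSProtocols=TLSv1.2"


if __name__ == "__main__":
    scenarios = [
        ("old image, default URL", JAVA_SECURITY_OLD_IMAGE, JDBC_URL, AZURE_ACCEPTS),
        ("new image, default URL", JAVA_SECURITY_NEW_IMAGE, JDBC_URL, AZURE_ACCEPTS),
        ("new image, server enforces 1.2 only", JAVA_SECURITY_NEW_IMAGE, JDBC_URL, ["TLSv1.2"]),
        ("new image, URL pins TLSv1.2", JAVA_SECURITY_NEW_IMAGE, pin_tls12(JDBC_URL), AZURE_ACCEPTS),
    ]
    for name, sec, url, server in scenarios:
        print(f"{name:38s} offer={client_offer(sec, url)} -> {negotiated(sec, url, server)}")
```

The point the model makes matches the stack trace in the first post: the exception comes out of the HandshakeContext constructor, before the client has sent anything, so it reflects only the client-side intersection of what the JDK allows and what the driver asks for. Tightening the server to TLS 1.2 (as tried above) therefore cannot change the outcome, whereas pinning the driver to TLS 1.2 in the connection URL (for Bloomreach, the JNDI datasource URL in context.xml) does; re-enabling TLSv1/TLSv1.1 in java.security would also "work" but reinstates protocol versions disabled for a reason. To see what a given image actually disables, read the file from the image itself, e.g. `docker run --rm tomcat:9-jdk8-openjdk-slim sh -c 'grep -A2 "^jdk.tls.disabledAlgorithms" "$JAVA_HOME/jre/lib/security/java.security"'` (assumes JAVA_HOME is set in the image, as it is in the official Tomcat JDK 8 images).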