Applications using Java Buildpack 4.38 throw 'SSLHandshakeException: No appropriate protocol' when connecting to internal or external services
Article ID: 298094

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

Applications that upgrade to Java Buildpack 4.38 and connect over TLS to external servers or external platform service instances throw the following error when the server side does not support TLS v1.2 or does not have it enabled:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

This version of the Buildpack contains the following internal configuration change, which disables TLS v1.0 and v1.1: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA

This change follows the OpenJDK change to disable TLS v1.0 and v1.1: JDK-8202343
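To confirm which side is refusing a protocol version, the following added diagnostic (not VMware code and not part of the buildpack) prints the JVM's jdk.tls.disabledAlgorithms value and then attempts one handshake per TLS version against a service. The class name TlsProtocolCheck and the default host service.example.internal are assumptions. It only works against endpoints that start TLS immediately on connect (HTTPS, for example), not against a MySQL port, where TLS is negotiated inside the MySQL protocol.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added diagnostic, not VMware code. Usage: java TlsProtocolCheck <host> <port>
public class TlsProtocolCheck {

    public static void main(String[] args) throws Exception {
        // Placeholder defaults (assumptions); pass the real service host and port.
        String host = args.length > 0 ? args[0] : "service.example.internal";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        // The security property the buildpack changed, as this JVM sees it.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        SSLContext ctx = SSLContext.getDefault();
        // Protocol versions this JVM enables by default on new TLS sockets.
        System.out.println("Enabled by default: "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

        SSLSocketFactory factory = ctx.getSocketFactory();
        for (String protocol : new String[] {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}) {
            System.out.println(protocol + ": " + probe(factory, host, port, protocol));
        }
    }

    // Attempts one handshake with only the given protocol version enabled.
    static String probe(SSLSocketFactory factory, String host, int port, String protocol) {
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(5000);
            socket.setEnabledProtocols(new String[] {protocol});
            socket.startHandshake();
            return "negotiated " + socket.getSession().getProtocol();
        } catch (SSLHandshakeException e) {
            // "No appropriate protocol": this JVM refused the version locally.
            // A "fatal alert" message: the server rejected it.
            return "handshake failed: " + e.getMessage();
        } catch (IllegalArgumentException e) {
            // The JVM does not accept this version name (e.g. TLSv1.3 on older JDKs).
            return "not supported by this JVM: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }
}
```

If TLSv1.2 reports a negotiated session, the service is compatible with the buildpack's default; if only TLSv1 or TLSv1.1 would have worked, the fix belongs on the server side.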

Environment

Product Version: 2.9

Resolution

External MySQL Instances

For external MySQL instances, ensure that your app connects to the database with the MySQL Connector/J library and not the MariaDB driver, because the MariaDB driver uses TLS v1 by default.

When using the MySQL Connector/J library, the following MySQL release information applies when negotiating the TLS version:


The allowable versions of TLS protocol used for connecting to the server, when no restrictions have been set using the connection properties enabledTLSProtocols, have been changed to:

  • TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3 for MySQL Community Servers 8.0, 5.7.28 and later, and 5.6.46 and later, and for all commercial versions of MySQL Servers.

  • TLSv1 and TLSv1.1 for all other versions of MySQL Servers.

If your server version only supports TLS v1 and v1.1, you can specify the enabledTLSProtocols=TLSv1.2 property and value in your application's JDBC URI.

Alternatively, you can upgrade your MySQL version to one from the above list that supports TLS v1.2+.


Internal MySQL Instances 

For internal service tiles such as the ones below, you should ensure that TLS v1.2 is enabled for the service tile by following the appropriate tile configuration steps: