The defaults for initiating a connection to a MySQL server were changed in the recent past, and (from a quick look through the most popular questions and answers on Stack Overflow) the new values are causing a lot of confusion. What is worse is that the standard advice seems to be to disable SSL altogether, which is a bit of a disaster in the making.
Now, if your connection is genuinely not exposed to the network (localhost only) or you are working in a non-production environment with no real data, then sure: there's no harm in disabling SSL by including the option useSSL=false.
For everyone else, the following set of options is required to get SSL working with certificate and host verification:
As an added bonus, seeing as you're already playing with the options, it is simple to disable the weak SSL protocols too:
For a working setup, follow these broad steps:
First, make sure you have a valid certificate generated for the MySQL server host, and that the CA certificate is installed onto the client host (if you are using self-signed, then you'll likely need to do this manually, but for the popular public CAs it'll already be there).
Next, make sure that the Java keystore contains all the CA certificates. On Debian/Ubuntu this is achieved by running:
update-ca-certificates -f
chmod 644 /etc/ssl/certs/java/cacerts
Then finally, update the connection string to include all the required options, which on Debian/Ubuntu would be something a bit like (adapt as required):
jdbc:mysql://{mysql_server}/confluence?useSSL=true&sslMode=VERIFY_IDENTITY&trustCertificateKeyStoreUrl=file%3A%2Fetc%2Fssl%2Fcerts%2Fjava%2Fcacerts&trustCertificateKeyStorePassword=changeit&enabledTLSProtocols=TLSv1.2&useUnicode=true&characterEncoding=utf8
Reference: https://beansandanicechianti.blogspot.com/2019/11/mysql-ssl-configuration.html
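To check existing connection strings against the options above, here is an added example (not part of the original post): a small Python audit that parses a jdbc:mysql:// URL and reports where it departs from the settings in the connection string shown above. The function name, the finding texts and the host db.example.internal are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Protocol versions treated as weak; the post keeps only TLSv1.2 enabled.
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample inputs (host name is a placeholder).
GOOD_URL = ("jdbc:mysql://db.example.internal/confluence?useSSL=true"
            "&sslMode=VERIFY_IDENTITY"
            "&trustCertificateKeyStoreUrl=file%3A%2Fetc%2Fssl%2Fcerts%2Fjava%2Fcacerts"
            "&trustCertificateKeyStorePassword=changeit&enabledTLSProtocols=TLSv1.2")
NO_TLS_URL = "jdbc:mysql://db.example.internal/confluence?useSSL=false"
WEAK_URL = ("jdbc:mysql://db.example.internal/confluence?useSSL=true&sslMode=REQUIRED"
            "&trustCertificateKeyStoreUrl=file%3A%2Fetc%2Fssl%2Fcerts%2Fjava%2Fcacerts"
            "&enabledTLSProtocols=TLSv1,TLSv1.1,TLSv1.2")


def audit_jdbc_url(jdbc_url):
    """Return a list of findings; an empty list means the URL matches the post's settings."""
    if not jdbc_url.startswith("jdbc:mysql://"):
        raise ValueError("not a jdbc:mysql:// URL")
    # Drop the "jdbc:" prefix so the standard URL parser can split off the query string.
    query = urlsplit(jdbc_url[len("jdbc:"):]).query
    # parse_qs percent-decodes values; if an option repeats, keep the last one.
    opts = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    findings = []
    if opts.get("useSSL", "").lower() == "false":
        findings.append("useSSL=false asks the driver to disable TLS")
    mode = opts.get("sslMode", "").upper()
    if mode != "VERIFY_IDENTITY":
        findings.append(f"sslMode={mode or '(unset)'}: certificate and host name are not both verified")
    if not opts.get("trustCertificateKeyStoreUrl", "").startswith("file:"):
        findings.append("trustCertificateKeyStoreUrl is not set to a file: URL")
    protos = [p.strip() for p in opts.get("enabledTLSProtocols", "").split(",") if p.strip()]
    if not protos:
        findings.append("enabledTLSProtocols unset: protocol versions left to driver defaults")
    weak = sorted(WEAK_PROTOCOLS.intersection(protos))
    if weak:
        findings.append("weak protocols enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for url in (GOOD_URL, NO_TLS_URL, WEAK_URL):
        print(url.split("?")[0], "->", audit_jdbc_url(url) or "OK")
```

Running it over the connection strings in an application's configuration files gives a quick list of the ones that still disable SSL or skip host verification.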