We are using AWS RDS for our persistent store and Secrets Manager for password rotation and storage. It is also encrypted with KMS.
We have a Spring Boot app deployed on ECS Fargate, using the following dependency:
<!-- https://mvnrepository.com/artifact/com.amazonaws.secretsmanager/aws-secretsmanager-jdbc -->
<dependency>
<groupId>com.amazonaws.secretsmanager</groupId>
<artifactId>aws-secretsmanager-jdbc</artifactId>
<version>1.0.5</version>
</dependency>
And we use the following properties:
# datasource.username=secretId
datasource.driverClass=com.amazonaws.secretsmanager.sql.AWSSecretsManagerPostgreSQLDriver
# datasource.jdbcUrl=jdbc-secretsmanager:postgresql://example.com:5432/database
Note: we are using jdeps and jlink to create our custom runtime.
These are the modules we are using:
java.base,java.desktop,java.instrument,java.management.rmi,java.naming,java.prefs,java.scripting,java.security.jgss,java.sql,jdk.httpserver,jdk.jfr,jdk.unsupported
This configuration worked fine for months and we also took it to production. But this month we started getting an SSL handshake issue, and we haven't updated the Spring Boot or Secrets Manager JDBC version.
Not sure what caused it, but either adding **jdk.crypto.ec**
or adding -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 solved the issue.
Please help me understand why this issue started occurring, as we haven't made any changes, and why the above fixes solved it. Thanks.
On investigating in CloudTrail, we found that the cipher suite changed on 26th February from "AES-GCM-SHA256" to "ECDHE-RSA-AES128-GCM-SHA256". As we were using Java modules to create our custom JRE, we hadn't included jdk.crypto.ec explicitly, since Secrets Manager was working fine without it.
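A diagnostic to run with the jlink image's own `java` to confirm whether the elliptic-curve primitives behind the ECDHE cipher suites are actually available in the runtime. This is an added example, not code from the question or from the aws-secretsmanager-jdbc project. It assumes a JDK in which the SunEC provider is delivered by the jdk.crypto.ec module (JDK 9 through 21); the class name TlsEcCheck and the target suite name are my own choices.

```java
import java.security.KeyAgreement;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.Signature;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/**
 * Run this with the custom runtime's java binary (not the build host's JDK).
 * Exit status 0 means the runtime can negotiate ECDHE-RSA-AES128-GCM-SHA256;
 * exit status 1 means the EC provider is missing and jdk.crypto.ec must be
 * added to the jlink --add-modules list.
 */
public class TlsEcCheck {

    // The suite the server switched to, in JSSE naming (OpenSSL name:
    // ECDHE-RSA-AES128-GCM-SHA256). Assumed target for this check.
    static final String TARGET_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";

    static boolean hasProvider(String name) {
        return Security.getProvider(name) != null;
    }

    static boolean hasKeyAgreement(String algo) {
        try {
            KeyAgreement.getInstance(algo);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    static boolean hasSignature(String algo) {
        try {
            Signature.getInstance(algo);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version            : " + System.getProperty("java.version"));
        // SunEC is the provider that jdk.crypto.ec contributes; without it
        // JSSE silently drops every ECDHE_* suite from the enabled list.
        System.out.println("SunEC provider present  : " + hasProvider("SunEC"));
        System.out.println("ECDH key agreement      : " + hasKeyAgreement("ECDH"));
        System.out.println("SHA256withECDSA signing : " + hasSignature("SHA256withECDSA"));

        SSLContext ctx = SSLContext.getDefault();
        SSLParameters params = ctx.getDefaultSSLParameters();
        System.out.println("Enabled protocols       : " + Arrays.toString(params.getProtocols()));

        List<String> suites = Arrays.asList(params.getCipherSuites());
        long ecdheCount = suites.stream().filter(s -> s.contains("ECDHE")).count();
        System.out.println("ECDHE suites enabled    : " + ecdheCount);
        suites.stream().filter(s -> s.contains("ECDHE"))
              .forEach(s -> System.out.println("  " + s));

        boolean ok = suites.contains(TARGET_SUITE);
        System.out.println(TARGET_SUITE + " offered: " + ok);
        System.exit(ok ? 0 : 1);
    }
}
```

Compile it once with a full JDK, then run `bin/java TlsEcCheck` from inside the jlink image. If it exits 1, rebuild the image with `jdk.crypto.ec` appended to `--add-modules`. Note that jdeps will never suggest jdk.crypto.ec on its own: security providers are loaded through ServiceLoader at run time rather than referenced statically, so the dependency is invisible to static analysis and the image only fails once a peer insists on an ECDHE suite.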