Cannot connect to Amazon RDS with TLSv1.2

Turns out TLS support depends on the exact database engine version you're using on RDS. Aurora MySQL 5.6 has only support for TLSv1.0 until version 1.23.1, at which point TLSv1.1 and 1.2 become available. Our version was 1.22.something, so I had to upgrade the engine.

Even then it won't work though, because Ubuntu 20 also enforces a minimum DHE key length of 2048 bits, which Aurora MySQL 5.6 just doesn't deliver, and for all I can tell this cannot be changed. You will find documentation for database parameters that can be used to change the Diffie-Hellman key length, but it turns out those are only for SQL Server, not MySQL. So, you still have to go and apply changes to your openssl.cnf as described in the accepted answer here: https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level This changes your SECLEVEL to 1, so OpenSSL will accept the shorter DHE keys.
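Before lowering SECLEVEL it is worth confirming that the short ephemeral DH key really is the thing being rejected. The following is an added example script, not part of the original post: it parses the output you would get from `openssl s_client -starttls mysql -connect <host>:3306 </dev/null` and flags a server whose "Server Temp Key" is below the 2048-bit minimum that Ubuntu 20.04's default SECLEVEL=2 enforces. The s_client output embedded below is constructed to mirror the Aurora MySQL 5.6 situation described above; the host, port and key size are illustrative.

```shell
#!/bin/sh
# Added example: check whether a MySQL server's ephemeral DH key is long
# enough for Ubuntu 20.04's default OpenSSL SECLEVEL=2 (2048-bit minimum).
# Feed it the output of:
#   openssl s_client -starttls mysql -connect <host>:3306 </dev/null
# The SAMPLE below is constructed output, not a real capture.

MIN_DH_BITS=2048

# Print the DH key size in bits reported on the "Server Temp Key" line.
dh_bits() {
  sed -n 's/^Server Temp Key: DH, \([0-9]*\) bits$/\1/p'
}

# Print the negotiated protocol (e.g. TLSv1.2) from the SSL-Session block.
tls_protocol() {
  sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p'
}

# Succeed (exit 0) only if the DH key in the given s_client output meets the minimum.
check_dh() {
  bits=$(printf '%s\n' "$1" | dh_bits)
  [ -n "$bits" ] && [ "$bits" -ge "$MIN_DH_BITS" ]
}

# Constructed s_client output for a server offering a 1024-bit DH group.
SAMPLE='CONNECTED(00000003)
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1573 bytes and written 421 bytes
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384'

if check_dh "$SAMPLE"; then
  echo "DH key OK for SECLEVEL=2 ($(printf '%s\n' "$SAMPLE" | tls_protocol))"
else
  echo "DH key too short for SECLEVEL=2: $(printf '%s\n' "$SAMPLE" | dh_bits) bits" \
       "(negotiated $(printf '%s\n' "$SAMPLE" | tls_protocol))"
fi
```

Against a real server, replace SAMPLE with the captured s_client output; if the script reports a key below 2048 bits, the SECLEVEL change in openssl.cnf is the only client-side way to connect, and the check gives you a concrete number to put in the ticket asking for a longer group on the server side.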

Even then my spring-boot applications wouldn't connect, although workbench now did. This is because JDBC doesn't tell the server that it can do TLSv1.2 although it totally can (weird decision, that), so the server will never attempt to send a 1.2 handshake even if it could.

In order to tell JDBC to actually use TLSv1.2 you have to append it to the connection string:

jdbc:mysql://<host>/<db>?enabledTLSProtocols=TLSv1.2

Now everything connects.

I would have loved to make Aurora deliver a longer key rather than lowering Ubuntu's security, but there seems to be no way. If anybody knows of one, please let me know.