Applies to
- Liquibase Secure (Pro)
- Liquibase Community (Open Source)
Conditions
- SQL Server database hosted on Amazon RDS
- JTDS driver (net.sourceforge.jtds.jdbc.Driver)
- Forced SSL connection enabled on the RDS database
- TLS 1.2 encryption requirement
Issue Summary
Liquibase fails to connect to an Amazon RDS SQL Server database after forced SSL connections are enabled on the database. The connection was previously working but begins failing after the database configuration is changed to require encrypted connections. This issue specifically affects users utilizing the JTDS driver, which does not support TLS 1.2 encryption required by modern SSL implementations.
Error Message
Connection could not be created to jdbc:jtds:sqlserver://<database_url> with driver net.sourceforge.jtds.jdbc.Driver.
I/O Error: DB server closed connection.
Root Cause
The JTDS driver (net.sourceforge.jtds.jdbc.Driver) does not support TLS 1.2, which is required when forced SSL connections are enabled on Amazon RDS SQL Server databases. When the database server enforces SSL/TLS encryption, the JTDS driver cannot establish a secure connection, causing the server to close the connection immediately.
Additionally, the JDBC URL format for JTDS (jdbc:jtds:sqlserver://) is incompatible with the Microsoft SQL Server JDBC driver that ships with Liquibase, which uses a different URL format and connection parameters.
Resolution
To resolve this issue, you need to switch from the JTDS driver to the Microsoft SQL Server JDBC driver and update your JDBC URL format:
- Remove the JTDS driver from your Liquibase install directory, configuration, or classpath if explicitly added.
- Update your JDBC URL to use the Microsoft SQL Server driver format with SSL parameters:
  jdbc:sqlserver://<database_url>:1433;databaseName=<database_name>;encrypt=true;trustServerCertificate=true
  Replace:
  - <database_url> with your RDS endpoint
  - <database_name> with your database name
- Remove any explicit driver class references to net.sourceforge.jtds.jdbc.Driver from your configuration files (liquibase.properties, CLI commands, environment variables, or Maven/Gradle configurations).
- Use the default SQL Server driver that ships with Liquibase, or explicitly specify:
  driver: com.microsoft.sqlserver.jdbc.SQLServerDriver
  Note: You do not need to set this driver property if you are using the default SQL Server driver that ships with Liquibase.
Example Configuration:
Before:
url: jdbc:jtds:sqlserver://cf-aw-lamp.dev.example.com:1433/mydb
driver: net.sourceforge.jtds.jdbc.Driver
After:
url: jdbc:sqlserver://cf-aw-lamp.dev.example.com:1433;databaseName=mydb;encrypt=true;trustServerCertificate=true
driver: com.microsoft.sqlserver.jdbc.SQLServerDriver
Note: The trustServerCertificate=true parameter bypasses certificate validation, so the connection is encrypted but the server's identity is not verified. For production environments, consider using trustServerCertificate=false and properly configuring certificate trust stores for enhanced security.
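Added example (not part of the original article or of Liquibase): a small Python check that parses url and driver entries from liquibase.properties-style text and flags the conditions described above, namely a leftover JTDS URL or driver class, a SQL Server URL without encrypt=true, and trustServerCertificate=true. The finding labels and function names are hypothetical; the samples are the article's own Before and After configurations.

```python
import re
JTDS_DRIVER = "net.sourceforge.jtds.jdbc.Driver"

# Constructed samples: the article's Before and After configurations.
BEFORE = """url: jdbc:jtds:sqlserver://cf-aw-lamp.dev.example.com:1433/mydb
driver: net.sourceforge.jtds.jdbc.Driver"""
AFTER = """url: jdbc:sqlserver://cf-aw-lamp.dev.example.com:1433;databaseName=mydb;encrypt=true;trustServerCertificate=true
driver: com.microsoft.sqlserver.jdbc.SQLServerDriver"""

def parse_sqlserver_url(url):
    """Split jdbc:sqlserver://host:port;key=value;... into (server, props)."""
    server, _, rest = url[len("jdbc:sqlserver://"):].partition(";")
    props = {}
    for pair in filter(None, rest.split(";")):
        key, _, value = pair.partition("=")
        props[key.strip().lower()] = value.strip()  # property names are case-insensitive
    return server, props

def audit_url(url):
    """Return findings for one JDBC URL (finding names are hypothetical labels)."""
    lowered = url.lower()
    if lowered.startswith("jdbc:jtds:"):
        return ["jtds-url"]
    if not lowered.startswith("jdbc:sqlserver://"):
        return ["unrecognized-url"]
    _, props = parse_sqlserver_url(url)
    findings = []
    if props.get("encrypt", "").lower() != "true":
        findings.append("encrypt-not-true")  # URL lacks the article's encrypt=true
    if props.get("trustservercertificate", "").lower() == "true":
        findings.append("certificate-validation-bypassed")
    return findings

def audit_properties(text):
    """Audit url/driver entries in liquibase.properties-style text."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*[:=]\s*(.+?)\s*$", line)
        if not m:
            continue  # blank line or comment
        key, value = m.groups()
        if key in ("url", "liquibase.command.url"):
            findings += audit_url(value)
        elif key in ("driver", "liquibase.command.driver") and value == JTDS_DRIVER:
            findings.append("jtds-driver-class")
    return findings

if __name__ == "__main__":
    print(audit_properties(BEFORE), audit_properties(AFTER))
```

The After configuration still yields one finding because it keeps trustServerCertificate=true; the same URL with trustServerCertificate=false returns an empty list.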