How to disable client renegotiation for Bamboo's SSL JMS listeners

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

    

Summary

When using an SSL transport for Bamboo's JMS broker on port 54663 (or the additional SSL listener typically launched on port 54664), you may want to disable client renegotiation support to adhere to corporate security policy.

Solution

Option 1

There is a JVM argument that rejects Client Initiated Renegotiation for all SSL connections to the JVM:

-Djdk.tls.rejectClientInitiatedRenegotiation=true

This disables client initiated renegotiation for all SSL connections made within Bamboo, not just those to port 54664.

It can be configured in the same fashion you configure any system property for Bamboo:

While we're confident there's no native Bamboo functionality that relies on client initiated renegotiation, we can't say there isn't some underlying library that might utilize it or third-party app that may rely on it -- so it's best if this is tested first in a lower environment.

You can tell that this has impacted something if errors or warnings like the following start to appear in the application log, $BAMBOO_HOME/logs/atlassian-bamboo.log:

javax.net.ssl.SSLHandshakeException: Client initiated renegotiation is not allowed
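
To support the lower-environment test described above, the following added example (not part of the original article and not Atlassian code) checks a JVM argument string for the property and counts the exception per day in a log file. The function names and sample log lines are constructed for illustration, and the timestamp prefix format of the log is an assumption.

```shell
#!/bin/sh
# Added example (not Atlassian code): triage helpers for testing Option 1.
MSG='Client initiated renegotiation is not allowed'

# has_reject_flag "<jvm args>": succeed only if the property is set to true.
# When the property is repeated, the last occurrence is taken as effective.
has_reject_flag() {
    val=$(printf '%s\n' "$1" | tr ' ' '\n' |
        sed -n 's/^-Djdk\.tls\.rejectClientInitiatedRenegotiation=//p' | tail -n 1)
    [ "$val" = "true" ]
}

# reneg_summary <logfile>: print "<date> <count>" for each day on which the
# handshake exception was logged. The exception often sits on an untimestamped
# continuation line, so each hit is attributed to the last timestamped entry.
reneg_summary() {
    awk -v msg="$MSG" '
        /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] / { day = $1 }
        index($0, msg) { count[day == "" ? "unknown" : day]++ }
        END { for (d in count) print d, count[d] }
    ' "$1" | sort
}

# write_sample_log <path>: constructed log lines, for demonstration only.
write_sample_log() {
    cat > "$1" <<'EOF'
2021-03-02 09:14:07,311 INFO [main] [SampleBroker] listening on ssl://0.0.0.0:54663
2021-03-02 09:20:41,902 WARN [sample-transport-1] [SampleTransport] connection failed
javax.net.ssl.SSLHandshakeException: Client initiated renegotiation is not allowed
    at sample.Frame.constructed(Frame.java:1)
2021-03-02 11:02:13,518 WARN [sample-transport-2] [SampleTransport] failed: javax.net.ssl.SSLHandshakeException: Client initiated renegotiation is not allowed
2021-03-03 08:00:00,001 INFO [main] [SampleBroker] heartbeat
2021-03-03 08:45:10,044 ERROR [sample-plugin] [SampleClient] request aborted
javax.net.ssl.SSLHandshakeException: Client initiated renegotiation is not allowed
EOF
}

# Demonstration on the constructed sample; point reneg_summary at
# $BAMBOO_HOME/logs/atlassian-bamboo.log on a real instance.
sample=$(mktemp)
write_sample_log "$sample"
reneg_summary "$sample"
rm -f "$sample"
```

A non-empty summary after enabling the property means some client attempted renegotiation; the timestamped entry preceding each hit shows which component logged it.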

Option 2

If you're using an ssl:// transport as your main Bamboo transport, changing this to nio+ssl:// will also disable client renegotiation support, as a consequence of using NIO.

However, Bamboo will still launch an additional SSL listener on port 54664 (or primary port + 1) which does support client renegotiation. This additional listener cannot be disabled:

Since it is not used in a typical Bamboo installation, this port can be safely firewalled off if that also meets your security requirements.



Last modified on Mar 3, 2021
