Bitbucket Server connection to non-default ports using TLS1.2 fails with SocketException: Connection reset
Problem
We perceived this issue specifically when a customer was using the 1.8.0_40-b25
JRE we ship with Bitbucket Server to sync with his LDAP server.
It failed with the following message in the atlassian-bitbucket.log
:
2015-04-30 07:02:21,198 ERROR [clusterScheduler_Worker-4] c.a.c.d.DbCachingDirectoryPoller Error occurred while refreshing the cache for directory [ 32770 ].
org.springframework.ldap.CommunicationException: simple bind failed: useprddc1.corp.kns.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: ad.company.com:636 [Root exception is java.net.SocketException: Connection reset]
...
...
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:209) ~[na:1.8.0_40]
at java.net.SocketInputStream.read(SocketInputStream.java:141) ~[na:1.8.0_40]
at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) ~[na:1.8.0_40]
at sun.security.ssl.InputRecord.read(InputRecord.java:503) ~[na:1.8.0_40]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:961) ~[na:1.8.0_40]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) ~[na:1.8.0_40]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391) ~[na:1.8.0_40]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_40]
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:376) ~[na:1.8.0_40]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:203) ~[na:1.8.0_40]
... 54 common frames omitted
Cause
The customer was connecting to his LDAP server using:
ldaps://ldap.server.com:636
This stack overflow post details the tests done around that specific issue.
To sum up, Java 8 adds TLS1.2 as default and when using this protocol to connect to a port other than the default (443) one, it doesn't work. This could be due to a bug in Java 8.
Resolution
Workaround
- Workaround 1: Add the following line to
JVM_SUPPORT_RECOMMENDED_ARGS
inBITBUCKET_INSTALL/bin/setenv.sh
to switch enable TLSv1 and restart Bitbucket Server:
JVM_SUPPORT_RECOMMENDED_ARGS="-Djdk.tls.client.protocols=TLSv1"
setenv and environment variable changes in Bitbucket Server 5.0+
Starting with Bitbucket Server 5.0, setenv.sh
and setenv.bat
have been removed. The options that were set in this file can now be set via environment variables. Where to set the environment variable depends on which Operating System you're running on.
Linux
When using the atlbitbucket
service on Linux, the environment variables are ignored. You must set the parameters in _start-webapp.sh (or start-bitbucket.sh)
. These values will be read when the service starts.
As an example, to set JVM_SUPPORT_RECOMMENDED_ARGS
, you would add this line to the file:
JVM_SUPPORT_RECOMMENDED_ARGS=-XX:+HeapDumpOnOutOfMemoryError
Windows
Set the parameter as an environment variable for the user running Bitbucket Server. For example, if you want to set JVM_SUPPORT_RECOMMENDED_ARGS
, create it as an environment variable and assign the appropriate value to it. When Bitbucket Server starts using the startup scripts or service, it will pick up and apply this value.
- Workaround 2: Downgrade your Java to Java 7.
Solution
Use a version of Java 8 that doesn't contain this bug.