Bitbucket Server connection to non-default ports using TLS1.2 fails with SocketException: Connection reset


Problem

We observed this issue when a customer was using the 1.8.0_40-b25 JRE that ships with Bitbucket Server to sync with his LDAP server.

It failed with the following message in the atlassian-bitbucket.log:

 2015-04-30 07:02:21,198 ERROR [clusterScheduler_Worker-4]  c.a.c.d.DbCachingDirectoryPoller Error occurred while refreshing the cache for directory [ 32770 ].
org.springframework.ldap.CommunicationException: simple bind failed: useprddc1.corp.kns.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: ad.company.com:636 [Root exception is java.net.SocketException: Connection reset]
...
...
Caused by: java.net.SocketException: Connection reset
	at java.net.SocketInputStream.read(SocketInputStream.java:209) ~[na:1.8.0_40]
	at java.net.SocketInputStream.read(SocketInputStream.java:141) ~[na:1.8.0_40]
	at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) ~[na:1.8.0_40]
	at sun.security.ssl.InputRecord.read(InputRecord.java:503) ~[na:1.8.0_40]
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:961) ~[na:1.8.0_40]
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) ~[na:1.8.0_40]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391) ~[na:1.8.0_40]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_40]
	at com.sun.jndi.ldap.Connection.createSocket(Connection.java:376) ~[na:1.8.0_40]
	at com.sun.jndi.ldap.Connection.<init>(Connection.java:203) ~[na:1.8.0_40]
	... 54 common frames omitted

Cause

The customer was connecting to his LDAP server using:

ldaps://ldap.server.com:636

This Stack Overflow post details the tests done around that specific issue.

To sum up, Java 8 makes TLS 1.2 the default protocol, and when this protocol is used to connect to a port other than the default one (443), the connection fails. This could be due to a bug in Java 8.
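To check which protocol versions the LDAPS endpoint accepts from the JRE that Bitbucket Server runs on, the handshake can be attempted once per version. This probe is an added example, not Atlassian's code; the class name TlsProbe is hypothetical and the host and port are passed as arguments.

```java
import java.net.InetSocketAddress;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added diagnostic example (hypothetical class name). Run it with the same
// JRE that Bitbucket Server uses:  java TlsProbe ldap.server.com 636
public class TlsProbe {
    private static final String[] PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2"};
    private static final int TIMEOUT_MS = 5000;

    // Attempts one handshake with only `protocol` enabled and describes the outcome.
    static String probe(SSLSocketFactory factory, String host, int port, String protocol) {
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            socket.connect(new InetSocketAddress(host, port), TIMEOUT_MS);
            socket.setSoTimeout(TIMEOUT_MS);
            socket.setEnabledProtocols(new String[] {protocol});
            socket.startHandshake();
            return "OK (" + socket.getSession().getCipherSuite() + ")";
        } catch (Exception e) {
            // "SocketException: Connection reset" here matches the log above.
            // An SSLHandshakeException about certificate paths is a trust-store
            // problem instead, and is unrelated to the protocol version.
            return "FAILED: " + e.getClass().getName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: java TlsProbe <host> <port>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        // The default factory validates the server certificate against the
        // JRE trust store.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        for (String protocol : PROTOCOLS) {
            System.out.printf("%-8s %s%n", protocol, probe(factory, host, port, protocol));
        }
    }
}
```

A result where TLSv1 succeeds and TLSv1.2 fails with a connection reset matches the behaviour described here. The jdk.tls.client.protocols property used in Workaround 1 sets the default client protocols for the whole JVM, so it affects every outbound TLS connection that relies on those defaults, not only LDAP.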

 

Resolution

Workaround

  • Workaround 1: Add the following line to JVM_SUPPORT_RECOMMENDED_ARGS in BITBUCKET_INSTALL/bin/setenv.sh to switch the TLS client protocol to TLSv1, then restart Bitbucket Server:
JVM_SUPPORT_RECOMMENDED_ARGS="-Djdk.tls.client.protocols=TLSv1"

setenv and environment variable changes in Bitbucket Server 5.0+

Starting with Bitbucket Server 5.0, setenv.sh and setenv.bat have been removed. The options that were set in this file can now be set via environment variables. Where to set the environment variable depends on which Operating System you're running on.

Linux

When using the atlbitbucket service on Linux, the environment variables are ignored. You must set the parameters in _start-webapp.sh (or start-bitbucket.sh). These values will be read when the service starts.

As an example, to set JVM_SUPPORT_RECOMMENDED_ARGS, you would add this line to the file:

Example
JVM_SUPPORT_RECOMMENDED_ARGS=-XX:+HeapDumpOnOutOfMemoryError

Windows

Set the parameter as an environment variable for the user running Bitbucket Server. For example, if you want to set JVM_SUPPORT_RECOMMENDED_ARGS, create it as an environment variable and assign the appropriate value to it. When Bitbucket Server starts using the startup scripts or service, it will pick up and apply this value.

  • Workaround 2: Downgrade your Java to Java 7.

Solution

Use a version of Java 8 that doesn't contain this bug.

 

Last modified on May 4, 2017
