Migration to SQL Server fails with "The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption"
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
Migrating to SQL Server fails, and the following appears in atlassian-bitbucket.log:
Could not get JDBC Connection; nested exception is com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "java.lang.RuntimeException: Could not generate DH keypair". ClientConnectionId:59f2b121-128b-4f9c-afc6-31e32105a1e1
org.springframework.jdbc.datasource.DataSourceUtils.getConnection(DataSourceUtils.java:80)
...
The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "java.lang.RuntimeException: Could not generate DH keypair". ClientConnectionId:59f2b121-128b-4f9c-afc6-31e32105a1e1
...
java.lang.RuntimeException: Could not generate DH keypair
sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
...
Could not generate DH keypair
sun.security.ssl.DHCrypt.<init>(DHCrypt.java:142)
sun.security.ssl.DHCrypt.<init>(DHCrypt.java:114)
sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:708)
...
Prime size must be multiple of 64, and can only range from 512 to 2048 (inclusive)
com.sun.crypto.provider.DHKeyPairGenerator.initialize(DHKeyPairGenerator.java:120)
java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:674)
sun.security.ssl.DHCrypt.<init>(DHCrypt.java:128)
Diagnosis
Environment
- SQL Server is configured with strong encryption: a DHE key of more than 2048 bits
- Bitbucket is running on a Java version earlier than 1.8u161 or 1.7u171
Cause
As explained in JDK-8072452, affected versions support DHE sizes only up to 2048 bits.
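To confirm whether a given JVM has this limit, the size check that fails in the stack trace above (KeyPairGenerator.initialize for Diffie-Hellman) can be called directly. This is an added example, not Atlassian's or the JDK's own code; the class name DhSizeProbe and the list of probed sizes are assumptions chosen for illustration.

```java
import java.security.InvalidParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;

public class DhSizeProbe {
    // 2048 is the ceiling quoted in the log; the other sizes are constructed probe values.
    private static final int[] SIZES = {1024, 2048, 3072, 4096};

    /** Returns true if this JVM's DH KeyPairGenerator accepts the given prime size. */
    static boolean accepts(int bits) throws NoSuchAlgorithmException {
        // Same algorithm name the TLS client handshake asks the provider for.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DiffieHellman");
        try {
            // initialize() only validates the size; no key pair is generated,
            // so the probe stays fast even for large sizes.
            kpg.initialize(bits);
            return true;
        } catch (InvalidParameterException e) {
            // On an affected JVM this carries the "Prime size must be multiple
            // of 64..." message seen in atlassian-bitbucket.log.
            System.out.println("  reason: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        System.out.println("java.version = " + System.getProperty("java.version"));
        boolean limited = false;
        for (int bits : SIZES) {
            boolean ok = accepts(bits);
            System.out.println("DH " + bits + " bits: " + (ok ? "accepted" : "rejected"));
            if (bits > 2048 && !ok) {
                limited = true;
            }
        }
        // Exit code 1 means this JVM cannot handshake with a server that
        // offers DHE parameters larger than 2048 bits.
        System.exit(limited ? 1 : 0);
    }
}
```

Compile and run it with the same Java installation that Bitbucket is configured to use, since a different JVM on the PATH may give a different answer. A third-party security provider registered in that JVM can also change the result.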
Resolution
- Upgrade Java to a version in which JDK-8072452 is fixed, and configure Bitbucket to use it.
- To set that for a Windows service, see: How to update the JVM configuration for a Windows service
- Some troubleshooting instructions related to that can be found in: java: not found during Bitbucket Server startup
- Change the encryption to use a DHE key size of up to 2048 bits.