How to Setup TLSv1.3 in Bitbucket Data Center
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Purpose
Security policy sometimes requires Bitbucket Data Center to accept only TLSv1.3 on the HTTPS connections it terminates itself. (If a reverse proxy terminates TLS in front of Bitbucket, the protocol version is configured on the proxy instead, and the steps below do not apply.)
Solution
- TLSv1.3 works with Zulu OpenJDK 8 versions 8.40 and above, provided the JVM runs with the additional argument described below. From Zulu 8.48 onwards TLSv1.3 is enabled by default (see Additional Details About Zulu OpenJDK8 below), so the flag is then optional but harmless.
Edit _start-webapp.sh (Linux) or _start-webapp.bat (Windows). It can be found in <bitbucket-installation-directory>/bin.
Find the line containing:
JVM_SUPPORT_RECOMMENDED_ARGS=
and append the following argument:
-XX:+UseOpenJSSE
If you didn't have any JVM arguments already listed, this line should now look as follows:
JVM_SUPPORT_RECOMMENDED_ARGS=-XX:+UseOpenJSSE
If the shipped file has the value in double quotes (JVM_SUPPORT_RECOMMENDED_ARGS=""), place the argument inside the quotes, separated from any existing arguments by a space.
Please make sure you are using a version of Bitbucket Data Center that is not affected by BSERV-12135 ("Your current operating system is not supported" is displayed while starting Bitbucket Server when running with Azul Zulu OpenJDK).
Also, the TLS protocol version has to be defined in bitbucket.properties (located in the shared directory of the Bitbucket home directory) by adding the following line:
server.ssl.protocol=TLSv1.3
If required, add other SSL configuration settings (for example server.ssl.enabled, the keystore settings and server.ssl.ciphers) that can be found here.
Restart Bitbucket Data Center after saving the modified configuration files.
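The following shell script is an added example and not part of the Atlassian article: it applies the two changes above idempotently (so it can be rerun safely by configuration management), and after the restart it checks from the outside that the listener negotiates TLSv1.3 and no longer accepts TLSv1.2. The install and home paths, the function names and the check_tls13 helper are assumptions for this example; adjust BITBUCKET_INSTALL and BITBUCKET_HOME to match your server.

```sh
#!/bin/sh
# Added example (not Atlassian code): apply the TLSv1.3 settings idempotently
# and verify them. Paths are assumptions; override via environment variables.
BITBUCKET_INSTALL="${BITBUCKET_INSTALL:-/opt/atlassian/bitbucket}"
BITBUCKET_HOME="${BITBUCKET_HOME:-/var/atlassian/application-data/bitbucket}"

# Print the current JVM_SUPPORT_RECOMMENDED_ARGS value with surrounding double
# quotes removed (the shipped _start-webapp.sh uses JVM_SUPPORT_RECOMMENDED_ARGS="").
jvm_args() {
    sed -n 's/^JVM_SUPPORT_RECOMMENDED_ARGS=//p' "$1" | head -n 1 | sed 's/^"//; s/"$//'
}

# Append ARG to JVM_SUPPORT_RECOMMENDED_ARGS in FILE unless it is already there.
# Usage: add_jvm_arg FILE ARG
add_jvm_arg() {
    file="$1"; arg="$2"
    current=$(jvm_args "$file")
    case " $current " in
        *" $arg "*) return 0 ;;        # already configured, nothing to do
    esac
    if [ -n "$current" ]; then new="$current $arg"; else new="$arg"; fi
    if grep -q '^JVM_SUPPORT_RECOMMENDED_ARGS=' "$file"; then
        # Rewrite the existing line; the value is quoted so that several
        # arguments stay together on one line.
        sed "s|^JVM_SUPPORT_RECOMMENDED_ARGS=.*|JVM_SUPPORT_RECOMMENDED_ARGS=\"$new\"|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'JVM_SUPPORT_RECOMMENDED_ARGS="%s"\n' "$new" >> "$file"
    fi
}

# Print the value of KEY from a properties FILE (empty if absent).
get_property() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Set KEY=VALUE in FILE, replacing an existing line or appending a new one.
# Usage: set_property FILE KEY VALUE
set_property() {
    file="$1"; key="$2"; value="$3"
    [ -f "$file" ] || : > "$file"
    if grep -q "^$key=" "$file"; then
        sed "s|^$key=.*|$key=$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# After the restart: confirm the listener negotiates TLSv1.3 and refuses a
# TLSv1.2-only client (needs openssl 1.1.1+ and network access to the host).
# Usage: check_tls13 HOST PORT
check_tls13() {
    host="$1"; port="$2"
    openssl s_client -connect "$host:$port" -tls1_3 </dev/null 2>/dev/null \
        | grep -q 'Protocol *: TLSv1.3' || { echo "TLSv1.3 handshake failed"; return 1; }
    if openssl s_client -connect "$host:$port" -tls1_2 </dev/null >/dev/null 2>&1; then
        echo "warning: TLSv1.2 is still accepted by $host:$port"; return 1
    fi
    echo "ok: only TLSv1.3 negotiated with $host:$port"
}

apply_all() {
    add_jvm_arg "$BITBUCKET_INSTALL/bin/_start-webapp.sh" -XX:+UseOpenJSSE
    set_property "$BITBUCKET_HOME/shared/bitbucket.properties" server.ssl.protocol TLSv1.3
    echo "Configuration updated; restart Bitbucket, then run: check_tls13 <host> <port>"
}

# Run as "./tls13.sh apply" to edit the real files; otherwise only define the functions.
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

The post-restart check is deliberately done with an external client rather than by reading the configuration back: a typo in server.ssl.protocol or a JVM that silently ignored the flag would still leave TLSv1.2 enabled, and only a handshake attempt exposes that.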
Additional Details About Zulu OpenJDK8
Starting with Zulu 8.48, Zulu 8 supports TLSv1.3 by default and follows the API changes introduced by Maintenance Release 3 to the Java SE 8 specification. For more details, refer to JDK-8248721: Backport TLSv1.3 protocol implementation.
TLSv1.3 support is now included in the default (SunJSSE) JSSE provider in Zulu 8. In addition to the default JSSE provider, Zulu 8 releases also include a non-default Legacy8uJSSE provider containing the prior, 8u252 JSSE provider implementation (with no TLSv1.3 support) as a fallback measure, as well as the non-default OpenJSSE provider previously included in Zulu packages for non-default support for TLSv1.3.
Zulu 8 currently supports the following bundled modes for JSSE:
Default mode: SunJSSE provider, including SSLv3.0, TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3 protocols support. This mode is enabled by default.
Fallback mode: using the bundled Legacy8uJSSE provider, which includes the prior, 8u252 JSSE provider implementation (with no TLSv1.3 support). This mode may be useful if any application issues are introduced by the new TLS 1.3 support in the default JSSE provider. To enable the fallback mode, set the -XX:+UseLegacy8uJSSE flag in the Java options.
OpenJSSE mode: using the OpenJSSE provider, which includes a TLSv1.3 protocol implementation. This mode has been included in Zulu 8 since Zulu 8.40 and may be useful for prior users of the OpenJSSE provider who wish to keep using it in place of the new default SunJSSE provider (even though the new default provider now includes all functionality previously covered by the OpenJSSE provider). For example, applications that chose to use org.openjsse APIs directly may want to keep using the OpenJSSE mode. To enable the OpenJSSE mode, set the -XX:+UseOpenJSSE flag in the Java options.
TLS 1.3 and Smart Mirroring
Please note that no version of Smart Mirroring supports TLSv1.3 for synchronization between mirrors and the primary until BSERV-13366 (Enable support for TLSv1.3 for mirrors connectivity to primary) is implemented. If you run mirrors, restricting the primary to TLSv1.3 alone will break mirror synchronization.