Stash connection to non-default ports using TLS1.2 fails with SocketException: Connection reset

Problem

We observed this issue specifically when a customer was using the 1.8.0_40-b25 JRE that we ship with Stash to synchronize with their LDAP server.

It failed with the following message in the atlassian-stash.log:

 2015-04-30 07:02:21,198 ERROR [clusterScheduler_Worker-4]  c.a.c.d.DbCachingDirectoryPoller Error occurred while refreshing the cache for directory [ 32770 ].
org.springframework.ldap.CommunicationException: simple bind failed: useprddc1.corp.kns.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: ad.company.com:636 [Root exception is java.net.SocketException: Connection reset]
...
...
Caused by: java.net.SocketException: Connection reset
	at java.net.SocketInputStream.read(SocketInputStream.java:209) ~[na:1.8.0_40]
	at java.net.SocketInputStream.read(SocketInputStream.java:141) ~[na:1.8.0_40]
	at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) ~[na:1.8.0_40]
	at sun.security.ssl.InputRecord.read(InputRecord.java:503) ~[na:1.8.0_40]
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:961) ~[na:1.8.0_40]
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) ~[na:1.8.0_40]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391) ~[na:1.8.0_40]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_40]
	at com.sun.jndi.ldap.Connection.createSocket(Connection.java:376) ~[na:1.8.0_40]
	at com.sun.jndi.ldap.Connection.<init>(Connection.java:203) ~[na:1.8.0_40]
	... 54 common frames omitted

Cause

The customer was connecting to his LDAP server using:

ldaps://ldap.server.com:636

This Stack Overflow post details the tests done around that specific issue.

To sum up, Java 8 makes TLS 1.2 the default protocol, and connections that use this protocol to a port other than the default one (443) fail. This could be due to a bug in Java 8.
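
To check which protocol versions complete a handshake against the directory server from a given JRE, the following probe tries TLSv1, TLSv1.1 and TLSv1.2 one at a time. It is an added example, not code from Atlassian or from the linked post; the class name LdapsTlsProbe and its host and port arguments are assumptions.

```java
import java.io.IOException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added diagnostic (hypothetical class name), not Atlassian code.
// Run it with the same JRE that Stash uses.
public class LdapsTlsProbe {
    private static final String[] PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2"};
    private static final int READ_TIMEOUT_MS = 5000;

    /** Attempts one handshake restricted to a single protocol version. */
    static String probe(String host, int port, String protocol) {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(READ_TIMEOUT_MS);
            socket.setEnabledProtocols(new String[] {protocol});
            socket.startHandshake();
            return protocol + ": OK (" + socket.getSession().getCipherSuite() + ")";
        } catch (IOException | IllegalArgumentException e) {
            // "Connection reset" here matches the failure in atlassian-stash.log;
            // an SSLHandshakeException about certificates is a different problem.
            return protocol + ": FAILED (" + e + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java LdapsTlsProbe <host> <port>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        // Protocols this JRE enables by default for client sockets.
        String[] defaults = SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("default client protocols = " + String.join(", ", defaults));

        for (String protocol : PROTOCOLS) {
            System.out.println(probe(host, port, protocol));
        }
    }
}
```

Compile and run it with the JRE bundled with Stash, passing the LDAP host and port (for example ldap.server.com 636). Because -Djdk.tls.client.protocols is a JVM-wide system property, Workaround 1 below changes the default client protocols for every outbound TLS connection that uses the JVM defaults, not only the LDAP sync.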

 

Resolution

Workaround

  • Workaround 1: Add the following line to JVM_SUPPORT_RECOMMENDED_ARGS in STASH_INSTALL/bin/setenv.sh to enable TLSv1, then restart Stash:
JVM_SUPPORT_RECOMMENDED_ARGS="-Djdk.tls.client.protocols=TLSv1"
  • Workaround 2: Downgrade your Java to Java 7.

Solution

Use a version of Java 8 that doesn't contain this bug.

 

Last modified on Mar 30, 2016
