Details
- Bug
- Resolution: Unresolved
- Medium
- None
- 3.13.2, 6.1.6
- 3.13
- Severity 2 - Major
- 0
Description
While investigating a support case, in which the customer had difficulty establishing a trusted relationship between JIRA and Confluence listening on HTTPS, I attempted to add a relationship between my instance of 3.13.2 and https://confluence.atlassian.com/. The UI threw back a 500 page with this stacktrace:
java.lang.RuntimeException: java.security.spec.InvalidKeySpecException: java.io.EOFException: EOF encountered in middle of object
    at com.atlassian.security.auth.trustedapps.ListApplicationRetriever.getApplicationProtocolV0(ListApplicationRetriever.java:90)
    at com.atlassian.security.auth.trustedapps.ListApplicationRetriever.getApplicationProtocolV1(ListApplicationRetriever.java:49)
    at com.atlassian.security.auth.trustedapps.ListApplicationRetriever.getApplication(ListApplicationRetriever.java:43)
    at com.atlassian.security.auth.trustedapps.ReaderApplicationRetriever.getApplication(ReaderApplicationRetriever.java:27)
    at com.atlassian.security.auth.trustedapps.URLApplicationRetriever.getApplication(URLApplicationRetriever.java:40)
    at com.atlassian.security.auth.trustedapps.BaseEncryptionProvider.getApplicationCertificate(BaseEncryptionProvider.java:12)
    at com.atlassian.jira.web.action.admin.trustedapps.ViewTrustedApplications.requestTrustedApplication(ViewTrustedApplications.java:133)
    at com.atlassian.jira.web.action.admin.trustedapps.ViewTrustedApplications.doRequest(ViewTrustedApplications.java:77)
When you attempt to view the certificate manually via https://confluence.atlassian.com/admin/appTrustCertificate, you can see that CAC redirects you to the non-HTTPS (plain HTTP) version of the file (i.e. http://confluence.atlassian.com/admin/appTrustCertificate). It appears that CAC is sending a "page has been moved" redirect response back to JIRA, and that response is mistakenly consumed as if it were the actual trusted application certificate, which is what the key-spec parser then chokes on with the EOFException shown above.
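As an added illustration (not JIRA's or Confluence's own code), the retrieval logic below shows the checks a defensive client would apply before handing a fetched body to the key parser: refuse to follow a redirect from HTTPS to plain HTTP, refuse anything other than a 200, and reject an HTML body before it ever reaches the key-spec decoder. The injected `fetch` callback, the `Response` tuple, the placeholder hostnames and the base64-only body format are assumptions made for this example; the real Trusted Apps wire format is not reproduced.

```python
import base64
import binascii
from collections import namedtuple
from urllib.parse import urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
Response = namedtuple("Response", "status headers body")  # stand-in for an HTTP response

class CertificateRetrievalError(Exception): pass

def fetch_trusted_app_certificate(url, fetch, max_redirects=3):
    """Follow only HTTPS-to-HTTPS redirects, refuse any downgrade to plain HTTP, and
    hand only a 200 body to the parser. `fetch(url) -> Response` is injected."""
    current = url
    for _ in range(max_redirects + 1):
        if urlparse(current).scheme != "https":
            raise CertificateRetrievalError(f"refusing non-HTTPS URL: {current}")
        resp = fetch(current)
        if resp.status in REDIRECT_STATUSES:
            target = resp.headers.get("Location", "")
            if urlparse(target).scheme != "https":  # the downgrade seen in the report
                raise CertificateRetrievalError(f"refusing redirect off HTTPS: {target!r}")
            current = target
            continue
        if resp.status != 200:
            raise CertificateRetrievalError(f"unexpected status {resp.status}")
        return parse_certificate_body(resp.body)
    raise CertificateRetrievalError("too many redirects")

def parse_certificate_body(body):
    """Sanity-check before key parsing; assumes one base64 blob (the real wire format is not reproduced)."""
    text = body.strip()
    if not text or text.startswith(b"<"):
        raise CertificateRetrievalError("body is not a certificate (looks like HTML)")
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise CertificateRetrievalError("body is not valid base64") from exc

# Constructed responses mimicking the report (placeholder hostnames): one host answers
# with a "page has moved" redirect to plain HTTP, the other serves a base64 blob.
CONSTRUCTED = {
    "https://moved.example/appTrustCertificate": Response(
        301, {"Location": "http://moved.example/appTrustCertificate"},
        b"<html><body>The page has moved</body></html>"),
    "https://good.example/appTrustCertificate": Response(200, {}, base64.b64encode(b"constructed-public-key-bytes")),
}

def constructed_fetch(url):
    return CONSTRUCTED.get(url, Response(404, {}, b""))
```

With the constructed responses, the downgrading host is rejected at the redirect rather than producing a key-parsing error, while the well-behaved host yields the decoded certificate bytes.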