Java 11 TLS 1.3 problems

Issue Summary

There are currently some issues with TLS 1.3 support in Java 11, including (the JDK ticket is not public):

JDK-8214418 HttpClient falls in running with 100% cpu usage after an error signalled on channel

Some examples of how TLS 1.3 issues have manifested in Bitbucket Server (there may be more):

• BSERV-11796: Failure while importing repositories when running on Java 11
• BSERV-12180: Code search intermittently stops working with Java 11 JRE
• BSERV-12131: Webhooks intermittently stop working with Java 11 JRE

Loosely related (although not directly to Java 11 TLSv1.3 problems):

• BSERV-11889: Enforce TLS v1.2 for the Bitbucket Mail Server SMTP Protocol

Steps to Reproduce

See linked issues for reproduction details

Expected Results

All functionality works as expected when running Bitbucket Server on JRE 11

Actual Results

HttpClient calls using TLS 1.3 fail intermittently if Bitbucket Server is run using JRE 11

Workaround

Universally disable TLS 1.3 support and force use of TLS 1.2 instead by passing the following JVM args (on startup):

• jdk.tls.disabledAlgorithms=TLSv1.3
• https.protocols=TLSv1.2

plus this one specifically for BSERV-11889:

• mail.crypto.protocols=TLSv1.2