- Bug
- Resolution: Fixed
- Low
- 2.0.1
I wanted to create an application link between Stash and JIRA. Both run behind an individual Apache SSL proxy (stash.company.com and jira.company.com). The Apache server uses GnuTLS / SNI (Server Name Indication) to provide the required reverse proxy instances using one single IP address.
Both with Java 6 and 7, Stash is not able to establish a secure connection (Stash reports it could not connect to the server). However, using a reasonably modern browser, I am perfectly able to access both applications via https (https://stash.company.com/ and https://jira.company.com/).
With Java 6, this fails with the following Apache error log message: "Invalid method in request \x80e\x01\x03\x01". This is because Java 6 does not implement SNI.
Therefore, I upgraded to Java 7 which implements SNI. Unfortunately, then I get the following Apache error message: "Invalid method in request \x16\x03\x01". Thus, Stash still does not make a proper request.
Unfortunately, it seems that Jakarta Commons-HttpClient currently does not support SNI, see https://issues.apache.org/jira/browse/HTTPCLIENT-1119 for details.
Attempting to connect to SNI-enabled host 'expectedhost' over SSL using http client could also result in an SSLException similar to:
javax.net.ssl.SSLException: hostname in certificate didn't match: <expectedhost> != <defaulthost>
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)
Workaround for creating applinks between JIRA and Stash:
Please refer to this comment by Christopher S. Hebert.
The key point is to use localhost as Application URLs, while keeping HTTPS as Display and Base URLs, in both JIRA and Stash.
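A diagnostic sketch for the two byte prefixes quoted from the Apache log above, added here as an example and not part of the original report or of any Atlassian code. `\x80e\x01` is the start of an SSLv2-compatible ClientHello, a format with no extensions field and therefore no room for SNI, while `\x16\x03\x01` is the start of a TLS handshake record, where SNI is present only if the client includes the server_name extension. The function names and the sample ClientHello are constructed for illustration.

```python
import struct

def describe_first_bytes(data: bytes) -> str:
    """Classify the start of a client's first flight, as seen in the Apache log."""
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-hello"      # SSLv2-compatible ClientHello: no extensions, no SNI
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"    # TLS record; SNI only if the client adds the extension
    return "not-tls"

def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent."""
    if describe_first_bytes(record) != "tls-handshake" or len(record) < 9 or record[5] != 0x01:
        return None
    body = record[9:]                      # skip record header (5) + handshake header (4)
    try:
        pos = 2 + 32                       # client_version + random
        pos += 1 + body[pos]               # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
        pos += 1 + body[pos]               # compression_methods
        if pos + 2 > len(body):
            return None                    # no extensions block at all
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(body)):
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == 0:              # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack_from("!H", body, pos + 3)[0]
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                        # truncated or malformed hello
    return None

def build_client_hello(host=None) -> bytes:
    """Constructed sample ClientHello (TLS 1.0), with or without SNI."""
    ext = b""
    if host:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sni)) + sni
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    if ext:
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feeding it the first record of a captured connection from the application server shows whether the outgoing client actually sent a server name.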
- is related to
  - JSWSERVER-14871 Stash integration functionality does not work properly when JIRA and Stash are behind SSL on subdomains (Closed)
  - BAM-16239 Bamboo should support the use of TLS - SNI (Closed)
  - FUSE-2012
- relates to
  - JRACLOUD-24515 JIRA should support the use of TLS - SNI (Closed)
  - JRASERVER-24515 JIRA should support the use of TLS - SNI (Closed)
- is blocked by
  - SAL-209
Stash 3.9.2 and 3.10.0 will be able to create applinks with applications behind SNI. However, JIRA does not yet support making an applink back to Stash behind SNI. See JRA-24515 to follow their progress with supporting SNI.
Right now, this enables a Stash server connecting to a JIRA instance in OnDemand. Stash will be able to navigate SNI into OnDemand and the OnDemand JIRA instance will be able to connect back to Stash (assuming Stash is not behind SNI).