Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 6.6.4, 6.8.0
Affects Version/s: 6.6.0
Component/s: Platform - Application Links
Labels:
- lbp
- lbp-bugfix
- pse-request
- warranty

Fixed in Long Term Support Release/s:

Download 6.6
Support reference count:
3
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Summary

Attempting to create an application link from Confluence to another application will fail if that application runs over HTTPS with an SSL certificate that uses Subject Alternative Name (SAN). This will also impact existing Application Links, causing them to stop working.

Environment

Confluence 6.6.0 bundled with Apache HttpClient 4.5.3.

Steps to reproduce

Configure JIRA and Confluence to run over HTTPS with an SSL certificate using SAN
Ensure Confluence certificate has been imported into JIRA's trust store (and vice-versa)
From Confluence, create an application link to Jira

Expected behavior

The applinks creation is successful on both sides.

Actual behavior

The applinks fails on JIRA side with the following symptoms:

Jira is not detected and Confluence is asked to provide Consumer key and Shared secret as if Jiras`s SSL cert hadn't been imported. However, there's no PKIX error in the log.

...
java.lang.ClassCastException: [B cannot be cast to java.lang.Stringjava.lang.ClassCastException: [B cannot be cast to java.lang.String 
at org.apache.http.conn.ssl.DefaultHostnameVerifier.getSubjectAltNames(DefaultHostnameVerifier.java:309) 
at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:112) 
at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:99) 
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:463) 
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397) 
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355) 
...

Cause

Confluence 6.6.0 uses Apache HttpClient 4.5.3 as can be seen in /confluence/WEB-INF/lib/httpclient-4.5.3.jar
This version carries this bug that affects SSL certificates with SAN:

https://issues.apache.org/jira/browse/HTTPCLIENT-1836

Workarounds

Use unproxied applinks that would bypass the SSL check
- Temporarily use the linked application/s over HTTP
Temporarily use a certificate that doesn't use SAN
- This could be a problem if you use Chrome 58+

Note

Version of client in prior versions like Confluence 6.5.1 is httpclient-4.4.1.jar and not affected with bug.
Also note that Chromium/Chrome removed support for matching common name (CN) in certificates in M58, so enforcing users to switch to SAN, so that makes bug more critical.
- https://bugs.chromium.org/p/chromium/issues/detail?id=308330

Attachments

Issue Links

relates to

JRASERVER-65595 JIRA applinks fail if SSL certificate uses Subject Alternative Name (SAN)

Closed

BAM-18443 HTTPClient throws ClassCastException when agent publishes artifact to Bamboo Server with Microsoft UPNs in the certificate

Closed

CRUC-8060 HTTPClient throws ClassCastException when user(s) attempts to login

Closed

mentioned in: Page Loading...; Page Loading...; Page Loading...

(1 mentioned in)

Activity

People

Assignee:: Richard Atkins

Reporter:: g

Votes:: 6 Vote for this issue

Watchers:: 13 Start watching this issue

Dates

Created:: 25/Jan/2018 12:45 PM

Updated:: 22/May/2020 8:24 AM

Resolved:: 20/Mar/2018 2:09 AM