FishEye / FE-7167

Fisheye mail should use TLSv1.2 instead of TLSv1 or TLSv1.1


Details


    Description

      TLS versions 1.0 and 1.1 are considered insufficiently secure and are being deprecated on various platforms, such as GMail or Office365.

      Fisheye should use the latest version of TLS protocol by default.


      Microsoft announcement: "We're retiring 3DES in Office 365 beginning February 28, 2019" - it requires moving from TLS 1.0 to TLS 1.2.


      Workaround

      Configure TLS version using system properties.

      StartTLS with TLSv1.2

      Decompiled bytecode from com.sun.mail.util.SocketFetcher#startTLS shows that the list of enabled protocols is hard-coded:

      /*
       * At least the UW IMAP server insists on only the TLSv1
       * protocol for STARTTLS, and won't accept the old SSLv2
       * or SSLv3 protocols.  Here we enable only the TLSv1
       * protocol.  XXX - this should probably be parameterized.
       */
      ((SSLSocket)socket).setEnabledProtocols(new String[] {"TLSv1"});

      Therefore, it's not possible to configure it via system properties (as it is for SMTPS). It also means that the mail library was probably never tested with newer TLS versions. The only way to switch the protocol is to use Byteman, which can manipulate Java bytecode at runtime. For these reasons we strongly recommend using SMTPS with TLSv1.2 (which is supported) instead of patching the runtime.

      If you still want to configure it with StartTLS, do the following.

      1. Download the attached use-tls12.btm script and save it on your Fisheye server.
        This rule will swap TLSv1 with TLSv1.2 for any SSL socket connections. It may affect your plugins or repository connections.
      2. Enable Byteman for Fisheye:
         Do not follow the manual "Enable Byteman for additional logging in Fisheye and Crucible": in this case Byteman must be loaded by the bootstrap class loader, because it has to modify a class from the JRE.
        • In Linux:
          1. Add the following environment variable:
          export FISHEYE_OPTS="-javaagent:<full path to Fisheye installation directory>/tools/byteman/lib/byteman.jar=boot:<full path to Fisheye installation directory>/tools/byteman/lib/byteman.jar,listener:true,script:<full path to the>/use-tls12.btm"

          Replace the path placeholders accordingly.
          2. Restart Fisheye

        • In Windows and started manually (by running <Fisheye installation directory>\bin\start.bat or <Fisheye installation directory>\bin\run.bat):
          1. Create or update the FISHEYE_OPTS Windows Environment Variable, making sure it has at least the following (as there may be other settings already in place):
          -javaagent:<full path to Fisheye installation directory>\tools\byteman\lib\byteman.jar=listener:true,script:<full path to the>\use-tls12.btm

          Replace the path placeholders accordingly.
          2. Restart Fisheye

        • In Windows and started as service:
          1. Go to <Fisheye installation directory>\bin and execute either service.bat manage or prunmgr.exe "//ES//<SERVICE_NAME>", where <SERVICE_NAME> is the Windows Service name used by Fisheye.
          2. In the Atlassian Fisheye Properties window that opens, go to the Java tab
          3. Add the following on a new line in the Java Options field:
          -javaagent:<Fisheye installation directory>\tools\byteman\lib\byteman.jar=boot:<Fisheye installation directory>\tools\byteman\lib\byteman.jar,listener:true,script:<full path to the>\use-tls12.btm

          Replace the path placeholders accordingly.
          4. Go to the General tab, then stop and start the service

      3. After Fisheye is up and running, verify that the rules have been loaded correctly.
        • In Linux, run:
          <Fisheye installation directory>/tools/byteman/list-rules.sh
        • In Windows, run:
          <Fisheye installation directory>/tools/byteman/list-rules.bat
      4. You should see the rule and a message like this:
        Transformed in:
        loader: sun.misc.Launcher$AppClassLoader@18b4aac2
        trigger method: sun.security.ssl.SSLSocketImpl.setEnabledProtocols(java.lang.String[]) void
      5. Configure mail settings in "Administration > Server > Mail Server > Edit config"
        • Set "Use SSL/TLS" to true.
        • Enter the host name, port, username and password.
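Whichever route you take (Byteman-patched StartTLS or SMTPS), it is worth checking independently that the mail server completes a TLSv1.2 handshake on the transport Fisheye will use. The following Python script is an added example, not part of this issue or the Fisheye product; the host is a placeholder and the ports 587 (submission + STARTTLS) and 465 (SMTPS) are the conventional ones.

```python
import smtplib
import ssl
from typing import Optional


def tls12_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLSv1.2 and verifies the server.

    Chain and hostname validation stay on (create_default_context does that),
    so a downgrade or a bad certificate shows up as a failed handshake.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def negotiated_version(host: str, port: int, starttls: bool,
                       timeout: float = 10.0) -> Optional[str]:
    """Open an SMTP session the way a mail client would and report the TLS version agreed.

    starttls=True  -> plain SMTP, then STARTTLS (the path the decompiled code pins to TLSv1).
    starttls=False -> implicit TLS, i.e. SMTPS (the path recommended above).
    Returns e.g. "TLSv1.2", or None if the connection or the handshake fails.
    """
    ctx = tls12_context()
    try:
        if starttls:
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.ehlo()
                smtp.starttls(context=ctx)
                return smtp.sock.version()
        with smtplib.SMTP_SSL(host, port, context=ctx, timeout=timeout) as smtp:
            return smtp.sock.version()
    except (ssl.SSLError, smtplib.SMTPException, OSError):
        return None


def check_mail_server(host: str) -> dict:
    """Probe both transports; a None entry means that transport cannot be used with TLSv1.2."""
    return {
        "starttls_587": negotiated_version(host, 587, starttls=True),
        "smtps_465": negotiated_version(host, 465, starttls=False),
    }


if __name__ == "__main__":
    import sys
    # Placeholder host; pass your provider's SMTP host as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "smtp.example.com"
    for transport, version in check_mail_server(target).items():
        print(f"{transport}: {version or 'handshake failed (no TLSv1.2 session)'}")
```

A None result on starttls_587 with a TLSv1.2 result on smtps_465 is exactly the situation in which the SMTPS configuration is the safer choice.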

      SMTPS with TLSv1.2

      Please read the workaround described in FE-3912

            People

              mparfianowicz Marek Parfianowicz