Uploaded image for project: 'Jira Software Server and Data Center'
  1. Jira Software Server and Data Center
  2. JSWSERVER-14914

NavLink RestCapabilitiesClient ignoring system properties

    XMLWordPrintable

Details

    Description

      Summary

      NavLink RestCapabilitiesClient doesn't respect environment configuration settings -Dhttps.protocols=TLSv1 -Djdk.tls.client.protocols=TLSv1 and doesn't fallback to TLSv1 mode. It still tries to connect to Host with Java default (with TLSv1.2 protocol). If remote host supports TLSv1 only, so this leads to javax.net.ssl.SSLException: Received fatal alert: protocol_version error and as a result JIRA is not resolving Stash/other capabilities properly.

      Environment

      • JIRA with Application links
      • Network environment with proxy or SSL offloading.

      Steps to Reproduce

      1. Setup JIRA with Java8
      2. Configure Stash with SSL configuration TLSv1 only (for example)
      3. Configure Applink from JIRA to Stash (for example)
      4. Check Create branch in JIRA Development panel - it will be absent
      5. Navigate to <Project> > Administration > Development tools. Clicking 'Refresh' should send the capabilities request again.

      Expected Results

      JIRA will respect environment configuration settings and connect to remote host.

      Actual Results

      JIRA doesn't respect environment configuration settings and fail to connect to remote host.
      The below exception is thrown in the atlassian-jira.log file:

      NavLink RestCapabilitiesClient:thread-1, WRITE: TLSv1.2 Handshake, length = 197
      NavLink RestCapabilitiesClient:thread-1, READ: SSLv3 Alert, length = 2
      NavLink RestCapabilitiesClient:thread-1, RECV TLSv1.2 ALERT:  fatal, protocol_version
      NavLink RestCapabilitiesClient:thread-1, called closeSocket()
      NavLink RestCapabilitiesClient:thread-1, handling exception: javax.net.ssl.SSLException: Received fatal alert: protocol_version
      NavLink RestCapabilitiesClient:thread-1, setSoTimeout(1) called
      NavLink RestCapabilitiesClient:thread-1, handling exception: java.net.SocketTimeoutException: Read timed out
      
      2015-11-25 11:12:28,833 NavLink RestCapabilitiesClient:thread-1 DEBUG anonymous     [menu.client.capabilities.RestCapabilitiesClient] Stacktrace: 
      javax.net.ssl.SSLException: Received fatal alert: protocol_version
      	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
      	at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
      	at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
      	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
      	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
      	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:290)
      	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:259)
      	at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:125)
      	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:319)
      	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363)
      	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219)
      	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
      	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
      	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
      	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
      

      Notes

      JIRA 6.4.12 running on Java8 (TLSv1.2 is default for this version: see diagnosing_tls_ssl_and_https) with configuration tuning:

      -Dhttps.protocols=TLSv1 -Djdk.tls.client.protocols=TLSv1
      
      Cause

      Caused by: https://ecosystem.atlassian.net/browse/ANL-41

      Workaround

      We have new version of atlassian-nav-links-plugin 3.3.22 (bundled version is 3.3.21).

      1. Download atlassian-nav-links-plugin-3.3.22.jar
      2. Upload atlassian-nav-links-plugin-3.3.22.jar to <JIRA_HOME>/plugins/installed-plugins/
      3. Restart JIRA

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              ayakovlev@atlassian.com Andriy Yakovlev [Atlassian]
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: