[JRASERVER-30634] Can't connect to LDAP over SSL when using Java 7

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 6.0-OD-09
Affects Version/s: 5.2
Component/s: None
Labels:
- affects-server
- ldap
- nitro
- warranty

Introduced in Version:
5.02
Bug Fix Policy:
View Atlassian Server bug fix policy

Symptoms

When connecting a directory to LDAP via SSL you will see an error like this in the web browser:

Connection test failed. Response from the server:
localhost:636; nested exception is javax.naming.CommunicationException: localhost:636 [Root exception is java.lang.RuntimeException: Unable to set hostname verification on SSLSocket]

In the log file there will be an entry like this:

2012-11-18 18:46:38,147 QuartzWorker-1 ERROR      [atlassian.crowd.directory.DbCachingDirectoryPoller] Error occurred while refreshing the cache for directory [ 10000 ].
com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.CommunicationException: localhost:636; nested exception is javax.naming.CommunicationException: localhost:636 [Root exception is java.lang.RuntimeException: Unable to set hostname verification on SSLSocket]
        at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntitiesWithRequestControls(SpringLDAPConnector.java:416)
        at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntities(SpringLDAPConnector.java:384)
        at com.atlassian.crowd.directory.SpringLDAPConnector.searchUserObjects(SpringLDAPConnector.java:574)
        at com.atlassian.crowd.directory.SpringLDAPConnector.searchUsers(SpringLDAPConnector.java:944)
        at com.atlassian.crowd.directory.ldap.cache.RemoteDirectoryCacheRefresher.findAllRemoteUsers(RemoteDirectoryCacheRefresher.java:41)
        at com.atlassian.crowd.directory.ldap.cache.RemoteDirectoryCacheRefresher.synchroniseAllUsers(RemoteDirectoryCacheRefresher.java:60)
        at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:40)
        at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:619)
        at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:63)
        at com.atlassian.crowd.directory.DbCachingDirectoryPoller.pollChanges(DbCachingDirectoryPoller.java:50)
        at com.atlassian.crowd.manager.directory.monitor.poller.DirectoryPollerJob.execute(DirectoryPollerJob.java:34)
        at org.quartz.core.JobRunShell.run(JobRunShell.java:195)
        at com.atlassian.multitenant.quartz.MultiTenantThreadPool$MultiTenantRunnable.run(MultiTenantThreadPool.java:72)
        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
Caused by: org.springframework.ldap.CommunicationException: localhost:636; nested exception is javax.naming.CommunicationException: localhost:636 [Root exception is java.lang.RuntimeException: Unable to set hostname verification on SSLSocket]
        at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:98)
        at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:266)
        at org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:106)
        at org.springframework.ldap.core.support.AbstractContextSource.getReadWriteContext(AbstractContextSource.java:138)
        at org.springframework.ldap.transaction.compensating.manager.TransactionAwareContextSourceProxy.getReadWriteContext(TransactionAwareContextSourceProxy.java:94)
        at org.springframework.ldap.transaction.compensating.manager.TransactionAwareContextSourceProxy.getReadOnlyContext(TransactionAwareContextSourceProxy.java:65)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:287)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:237)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:624)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:535)
        at com.atlassian.crowd.directory.ldap.LdapTemplateWithClassLoaderWrapper$1.call(LdapTemplateWithClassLoaderWrapper.java:56)
        at com.atlassian.crowd.directory.ldap.LdapTemplateWithClassLoaderWrapper$1.call(LdapTemplateWithClassLoaderWrapper.java:53)
        at com.atlassian.crowd.directory.ldap.LdapTemplateWithClassLoaderWrapper.invokeWithContextClassLoader(LdapTemplateWithClassLoaderWrapper.java:43)
        at com.atlassian.crowd.directory.ldap.LdapTemplateWithClassLoaderWrapper.search(LdapTemplateWithClassLoaderWrapper.java:53)
        at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntitiesWithRequestControls(SpringLDAPConnector.java:412)
        ... 13 more
Caused by: javax.naming.CommunicationException: localhost:636 [Root exception is java.lang.RuntimeException: Unable to set hostname verification on SSLSocket]
        at com.sun.jndi.ldap.Connection.<init>(Unknown Source)
        at com.sun.jndi.ldap.LdapClient.<init>(Unknown Source)
        at com.sun.jndi.ldap.LdapClient.getInstance(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
        at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
        at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
        at javax.naming.InitialContext.init(Unknown Source)
        at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
        at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:43)
        at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:254)
        ... 26 more
Caused by: java.lang.RuntimeException: Unable to set hostname verification on SSLSocket
        at com.atlassian.crowd.directory.ssl.LdapHostnameVerificationSSLSocketFactory.makeUseLdapVerification(LdapHostnameVerificationSSLSocketFactory.java:85)
        at com.atlassian.crowd.directory.ssl.LdapHostnameVerificationSSLSocketFactory.createSocket(LdapHostnameVerificationSSLSocketFactory.java:125)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at com.sun.jndi.ldap.Connection.createSocket(Unknown Source)
        ... 41 more
Caused by: java.lang.NoSuchMethodException: sun.security.ssl.SSLSocketImpl.trySetHostnameVerification(java.lang.String)
        at java.lang.Class.getMethod(Unknown Source)
        at com.atlassian.crowd.directory.ssl.LdapHostnameVerificationSSLSocketFactory.makeUseLdapVerification(LdapHostnameVerificationSSLSocketFactory.java:80)
        ... 47 more

Steps to Reproduce

Run JIRA using Java 7, not Java 6 - Java 7 is listed as a supported platform
Import SSL certificate of the LDAP server into JIRA's JVM keystore as per normal procedure
Add an LDAP directory, attempt to configure using SSL
Observe the error message and log entry described above

Workaround

Use Java 6

is caused by

CWD-2739 SSLSocketImpl.trySetHostnameVerification breaks under JDK 7

Closed

CWD-2740 Support running Crowd under JDK 7

Closed

is related to

CONFSERVER-26523 Can't connect to LDAP over SSL when using Java 7

Closed

relates to

JRASERVER-24515 JIRA should support the use of TLS - SNI

Closed

is incorporated by: JRADEV-11821 Failed to load

Joerg Schilling added a comment - 23/Apr/2013 8:55 AM

We are currently running into this issue while migrating to Jira 5.2.
Our corporate IT security guideline requires secure LDAP access.
Is there any plan to provide a fix for Jira 5.2?
The workaround suggests to use Java 6, however this is not the recommended version. What are the side effects?
I see this is fixed with Jira 6, is there a confirmed target release date?

Joerg Schilling added a comment - 23/Apr/2013 8:55 AM We are currently running into this issue while migrating to Jira 5.2. Our corporate IT security guideline requires secure LDAP access. Is there any plan to provide a fix for Jira 5.2? The workaround suggests to use Java 6, however this is not the recommended version. What are the side effects? I see this is fixed with Jira 6, is there a confirmed target release date?

Oswaldo Hernandez (Inactive) added a comment - 21/Mar/2013 7:01 AM

Hi Mick,

This issue has been fixed and the fix will be available in the JIRA 6.0 release.

Oswaldo Hernandez (Inactive) added a comment - 21/Mar/2013 7:01 AM Hi Mick, This issue has been fixed and the fix will be available in the JIRA 6.0 release.

Mick Flanigan added a comment - 11/Mar/2013 5:09 PM

We are seeing issues as well and it is also affecting our Enterprise Tester to JIRA connections and LDAP. Urgency is high this gets fixed.

Mick Flanigan added a comment - 11/Mar/2013 5:09 PM We are seeing issues as well and it is also affecting our Enterprise Tester to JIRA connections and LDAP. Urgency is high this gets fixed.

Oswaldo Hernandez (Inactive) added a comment - 25/Feb/2013 8:05 AM

Fixed by the crowd upgrade on master branch. Ready for QA.

Oswaldo Hernandez (Inactive) added a comment - 25/Feb/2013 8:05 AM Fixed by the crowd upgrade on master branch. Ready for QA.

Mark Moskovitz added a comment - 25/Feb/2013 5:07 AM

I completely agree.

Mark Moskovitz added a comment - 25/Feb/2013 5:07 AM I completely agree.

markmielke added a comment - 25/Feb/2013 12:14 AM

Please upgrade this to Major or Critical given that JIRA 6 is dropping Java 6 support:

https://confluence.atlassian.com/display/JIRA/End+of+Support+Announcements+for+JIRA

... and the latest EAP release seems to have Crowd 2.4.8:

https://confluence.atlassian.com/display/JIRA/JIRA+6.0+EAP+4+(m06)+Release+Notes

http://www.atlassian.com/software/jira/downloads/binary/atlassian-jira-6.0-m07.1.tar.gz

$ ls atlassian-jira-6.0-m07.1-standalone/**/embedded-crowd-core*
atlassian-jira-6.0-m07.1-standalone/atlassian-jira/WEB-INF/lib/embedded-crowd-core-2.4.8.jar

I believe at least 2.5.0 is required to address this problem as 2.5.x fixed the Confluence-side problem for me.

I can't speak for others - but although we would appreciate a backport to JIRA 5.2.x in order to prepare for JIRA 6 in increments, it would also be acceptable for us if we knew that JIRA 6 would address this problem. At this time, it looks like JIRA 6 does not address this problem.

The scenario that is not acceptable is for Atlassian to drop support for Java 6, and not support LDAP over SSL with Java 7.

markmielke added a comment - 25/Feb/2013 12:14 AM Please upgrade this to Major or Critical given that JIRA 6 is dropping Java 6 support: https://confluence.atlassian.com/display/JIRA/End+of+Support+Announcements+for+JIRA ... and the latest EAP release seems to have Crowd 2.4.8: https://confluence.atlassian.com/display/JIRA/JIRA+6.0+EAP+4+(m06)+Release+Notes http://www.atlassian.com/software/jira/downloads/binary/atlassian-jira-6.0-m07.1.tar.gz $ ls atlassian-jira-6.0-m07.1-standalone/**/embedded-crowd-core* atlassian-jira-6.0-m07.1-standalone/atlassian-jira/WEB-INF/lib/embedded-crowd-core-2.4.8.jar I believe at least 2.5.0 is required to address this problem as 2.5.x fixed the Confluence-side problem for me. I can't speak for others - but although we would appreciate a backport to JIRA 5.2.x in order to prepare for JIRA 6 in increments, it would also be acceptable for us if we knew that JIRA 6 would address this problem. At this time, it looks like JIRA 6 does not address this problem. The scenario that is not acceptable is for Atlassian to drop support for Java 6, and not support LDAP over SSL with Java 7.

Mindaugas added a comment - 18/Feb/2013 3:18 PM

We have just upgraded JIRA to 5.2.6 and moving everything to new server with Java 7 installed. And it seems that we can not connect from JIRA to LDAP server using SSL. Yeah, we can use workaround for this by installing additional Java 6 version just for Jira but it would be great to avoid this. Can we expect a bug fix soon?

Mindaugas added a comment - 18/Feb/2013 3:18 PM We have just upgraded JIRA to 5.2.6 and moving everything to new server with Java 7 installed. And it seems that we can not connect from JIRA to LDAP server using SSL. Yeah, we can use workaround for this by installing additional Java 6 version just for Jira but it would be great to avoid this. Can we expect a bug fix soon?

Ken Mohr added a comment - 14/Feb/2013 8:39 AM

If possible, it would be nice to have this backported to jira 5.2.x since it will take a bit of time for Jira 6.0 to be adopted by all the add-on vendors.

Ken Mohr added a comment - 14/Feb/2013 8:39 AM If possible, it would be nice to have this backported to jira 5.2.x since it will take a bit of time for Jira 6.0 to be adopted by all the add-on vendors.

Eric Dalgliesh added a comment - 14/Feb/2013 7:42 AM

Hi ohernandez@atlassian.com, yeah, I think we can wait for 6.0 for this.

Eric Dalgliesh added a comment - 14/Feb/2013 7:42 AM Hi ohernandez@atlassian.com , yeah, I think we can wait for 6.0 for this.

Mark Moskovitz added a comment - 13/Feb/2013 4:47 PM

This is preventing us from moving to Java 7 as well. A huge bug.

Mark Moskovitz added a comment - 13/Feb/2013 4:47 PM This is preventing us from moving to Java 7 as well. A huge bug.

Assignee:: Marty Henderson (Inactive)

Reporter:: AmandaA

Affected customers:: 11 This affects my team

Watchers:: 23 Start watching this issue

Created:: 20/Nov/2012 11:17 AM

Updated:: 28/Mar/2019 12:08 AM

Resolved:: 25/Mar/2013 5:20 AM

Jira Data Center

Details

Description

Symptoms

Steps to Reproduce

Workaround

Attachments

Issue Links

Forms

Activity

Collapse comment: Joerg Schilling added a comment - 23/Apr/2013 8:55 AM

Expand comment: Joerg Schilling added a comment - 23/Apr/2013 8:55 AM

Collapse comment: Oswaldo Hernandez (Inactive) added a comment - 21/Mar/2013 7:01 AM

Expand comment: Oswaldo Hernandez (Inactive) added a comment - 21/Mar/2013 7:01 AM

Collapse comment: Mick Flanigan added a comment - 11/Mar/2013 5:09 PM

Expand comment: Mick Flanigan added a comment - 11/Mar/2013 5:09 PM

Collapse comment: Oswaldo Hernandez (Inactive) added a comment - 25/Feb/2013 8:05 AM

Expand comment: Oswaldo Hernandez (Inactive) added a comment - 25/Feb/2013 8:05 AM

Collapse comment: Mark Moskovitz added a comment - 25/Feb/2013 5:07 AM

Expand comment: Mark Moskovitz added a comment - 25/Feb/2013 5:07 AM

Collapse comment: markmielke added a comment - 25/Feb/2013 12:14 AM

Expand comment: markmielke added a comment - 25/Feb/2013 12:14 AM

Collapse comment: Mindaugas added a comment - 18/Feb/2013 3:18 PM

Expand comment: Mindaugas added a comment - 18/Feb/2013 3:18 PM

Collapse comment: Ken Mohr added a comment - 14/Feb/2013 8:39 AM

Expand comment: Ken Mohr added a comment - 14/Feb/2013 8:39 AM

Collapse comment: Eric Dalgliesh added a comment - 14/Feb/2013 7:42 AM

Expand comment: Eric Dalgliesh added a comment - 14/Feb/2013 7:42 AM

Collapse comment: Mark Moskovitz added a comment - 13/Feb/2013 4:47 PM

Expand comment: Mark Moskovitz added a comment - 13/Feb/2013 4:47 PM

People

Dates