Summary

      NavLink RestCapabilitiesClient doesn't respect the environment configuration settings -Dhttps.protocols=TLSv1 -Djdk.tls.client.protocols=TLSv1 and doesn't fall back to TLSv1 mode. It still tries to connect to the host with the Java default (the TLSv1.2 protocol). If the remote host supports TLSv1 only, this leads to a javax.net.ssl.SSLException: Received fatal alert: protocol_version error, and as a result JIRA does not resolve Stash/other capabilities properly.

      Environment

      • JIRA with Application links
      • Network environment with proxy or SSL offloading.

      Steps to Reproduce

      1. Set up JIRA with Java 8
      2. Configure Stash with an SSL configuration that allows TLSv1 only (for example)
      3. Configure an Applink from JIRA to Stash (for example)
      4. Check for Create branch in the JIRA Development panel - it will be absent
      5. Navigate to <Project> > Administration > Development tools. Clicking 'Refresh' should send the capabilities request again.

      Expected Results

      JIRA respects the environment configuration settings and connects to the remote host.

      Actual Results

      JIRA doesn't respect the environment configuration settings and fails to connect to the remote host.
      The exception below appears in the atlassian-jira.log file:

      NavLink RestCapabilitiesClient:thread-1, WRITE: TLSv1.2 Handshake, length = 197
      NavLink RestCapabilitiesClient:thread-1, READ: SSLv3 Alert, length = 2
      NavLink RestCapabilitiesClient:thread-1, RECV TLSv1.2 ALERT:  fatal, protocol_version
      NavLink RestCapabilitiesClient:thread-1, called closeSocket()
      NavLink RestCapabilitiesClient:thread-1, handling exception: javax.net.ssl.SSLException: Received fatal alert: protocol_version
      NavLink RestCapabilitiesClient:thread-1, setSoTimeout(1) called
      NavLink RestCapabilitiesClient:thread-1, handling exception: java.net.SocketTimeoutException: Read timed out
      
      2015-11-25 11:12:28,833 NavLink RestCapabilitiesClient:thread-1 DEBUG anonymous     [menu.client.capabilities.RestCapabilitiesClient] Stacktrace: 
      javax.net.ssl.SSLException: Received fatal alert: protocol_version
      	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
      	at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
      	at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
      	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
      	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
      	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:290)
      	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:259)
      	at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:125)
      	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:319)
      	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363)
      	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219)
      	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
      	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
      	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
      	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
      

      Notes

      JIRA 6.4.12 running on Java 8 (TLSv1.2 is the default for this version; see diagnosing_tls_ssl_and_https) with the following configuration tuning:

      -Dhttps.protocols=TLSv1 -Djdk.tls.client.protocols=TLSv1
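
An added example, not part of the original report or of Atlassian's code: a small Python triage script that reads debug lines like those in the log above and reports, per thread, the protocol version on the client's handshake record next to the versions configured through -Dhttps.protocols. The function names and the way the JVM options string is parsed are assumptions of this example.

```python
import re

# Log lines copied from the report above; the JVM options are the ones in Notes.
SAMPLE_LOG = """\
NavLink RestCapabilitiesClient:thread-1, WRITE: TLSv1.2 Handshake, length = 197
NavLink RestCapabilitiesClient:thread-1, READ: SSLv3 Alert, length = 2
NavLink RestCapabilitiesClient:thread-1, RECV TLSv1.2 ALERT:  fatal, protocol_version
NavLink RestCapabilitiesClient:thread-1, called closeSocket()
"""
JVM_OPTS = "-Dhttps.protocols=TLSv1 -Djdk.tls.client.protocols=TLSv1"

# "<thread>, WRITE: ..." / "<thread>, READ: ..." / "<thread>, RECV ..."
LINE = re.compile(r"^\s*(?P<thread>.+?), (?P<event>WRITE|READ|RECV):? (?P<rest>.*)$")
HANDSHAKE = re.compile(r"^(?P<proto>\S+) Handshake")
ALERT = re.compile(r"^\S+ ALERT:\s+(?P<level>\w+), (?P<desc>\w+)")


def configured_protocols(jvm_opts, prop="https.protocols"):
    """Return the protocol list set by -D<prop>=..., or None if it is unset."""
    m = re.search(r"-D" + re.escape(prop) + r"=(\S+)", jvm_opts)
    if not m:
        return None
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def triage(log_text, jvm_opts):
    """One finding per fatal alert: what the thread offered vs. what was configured."""
    allowed = configured_protocols(jvm_opts)
    offered, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # closeSocket(), stack frames, timestamps, ...
        thread, event, rest = m.group("thread", "event", "rest")
        hs = HANDSHAKE.match(rest)
        if event == "WRITE" and hs:
            # Remember the version on the first handshake record this thread wrote.
            offered.setdefault(thread, hs.group("proto"))
        alert = ALERT.match(rest)
        if event == "RECV" and alert and alert.group("level") == "fatal":
            proto = offered.get(thread)
            findings.append({
                "thread": thread,
                "offered": proto,
                "alert": alert.group("desc"),
                # True when a protocol list was configured and the client ignored it.
                "ignored_config": bool(allowed and proto and proto not in allowed),
            })
    return findings
```

For the log in this report, `triage(SAMPLE_LOG, JVM_OPTS)` returns one finding with `ignored_config` set, which is the symptom the issue describes.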
      
      Cause

      Caused by: https://ecosystem.atlassian.net/browse/ANL-41

      Workaround

      A new version of atlassian-nav-links-plugin, 3.3.22, is available (the bundled version is 3.3.21).

      1. Download atlassian-nav-links-plugin-3.3.22.jar
      2. Upload atlassian-nav-links-plugin-3.3.22.jar to <JIRA_HOME>/plugins/installed-plugins/
      3. Restart JIRA

            [JSWSERVER-14914] NavLink RestCapabilitiesClient ignoring system properties

            David Black added a comment

            ayakovlev@atlassian.com thank you for clarifying.

            Andriy Yakovlev [Atlassian] added a comment

            Hi dblack
            Thanks for paying attention to this.
            Fix is not to explicitly fall back to TLSv1, fix is to make sure that nav-links-plugin will respect system properties, so we can set https.protocols, proxy and other options.

            David Black added a comment - edited

            If the suggestion is that we should make our TLS code explicitly fall back to TLSv1 then I'd like to chime in here and say that we should never do such a thing without a very good reason. It is also worth noting that most users should never run into this issue as TLSv1.2 adoption has been fairly high for some time now (see https://www.trustworthyinternet.org/ssl-pulse/ ).

              Unassigned Unassigned
              ayakovlev@atlassian.com Andriy Yakovlev [Atlassian]