Bitbucket Server connection to non-default ports using TLS1.2 fails with SocketException: Connection reset
問題
We perceived this issue specifically when a customer was using the 1.8.0_40-b25 JRE we ship with Bitbucket Server to sync with his LDAP server.
It failed with the following message in the atlassian-bitbucket.log:
2015-04-30 07:02:21,198 ERROR [clusterScheduler_Worker-4] c.a.c.d.DbCachingDirectoryPoller Error occurred while refreshing the cache for directory [ 32770 ].
org.springframework.ldap.CommunicationException: simple bind failed: useprddc1.corp.kns.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: ad.company.com:636 [Root exception is java.net.SocketException: Connection reset]
...
...
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:209) ~[na:1.8.0_40]
at java.net.SocketInputStream.read(SocketInputStream.java:141) ~[na:1.8.0_40]
at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) ~[na:1.8.0_40]
at sun.security.ssl.InputRecord.read(InputRecord.java:503) ~[na:1.8.0_40]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:961) ~[na:1.8.0_40]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) ~[na:1.8.0_40]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391) ~[na:1.8.0_40]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_40]
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:376) ~[na:1.8.0_40]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:203) ~[na:1.8.0_40]
... 54 common frames omitted原因
The customer was connecting to his LDAP server using:
ldaps://ldap.server.com:636
This stack overflow post details the tests done around that specific issue.
To sum up, Java 8 adds TLS1.2 as default and when using this protocol to connect to a port other than the default (443) one, it doesn't work. This could be due to a bug in Java 8.
ソリューション
回避策
- Workaround 1: Add the following line to
JVM_SUPPORT_RECOMMENDED_ARGSinBITBUCKET_INSTALL/bin/setenv.shto switch enable TLSv1 and restart Bitbucket Server:
JVM_SUPPORT_RECOMMENDED_ARGS="-Djdk.tls.client.protocols=TLSv1"Bitbucket Server 5.0+ では setenv と環境変数に変更があります
Bitbucket Server 5.0 以降では setenv.sh と setenv.bat が取り除かれています。これらのファイルで設定されていたオプションは、環境変数で設定できるようになりました。環境変数の設定場所は、実行先のオペレーティング システムに応じます。
Linux
When using the atlbitbucket service on Linux, the environment variables are ignored. You must set the parameters in _start-webapp.sh (or start-bitbucket.sh). These values will be read when the service starts.
たとえば、 JVM_SUPPORT_RECOMMENDED_ARGS を設定するには、ファイルに次の行を追加します。
JVM_SUPPORT_RECOMMENDED_ARGS=-XX:+HeapDumpOnOutOfMemoryErrorWindows
Bitbucket Server を実行しているユーザーで、パラメーターを環境変数として設定します。たとえば、JVM_SUPPORT_RECOMMENDED_ARGS を設定したい場合、それを環境変数として作成して適切な値を割り当てます。Bitbucket Server がスタートアップ スクリプトやサービスを利用して起動する際に、この値が取得および適用されます。
- Workaround 2: Downgrade your Java to Java 7.
ソリューション
Use a version of Java 8 that doesn't contain this bug.