Stash SSL

Hi,

I'm trying to set up access via https over port 443 (running Windows Server 2012)

Note - I supplied a .key file from our CA that covers a wildcard *.domain.com.au

I have the following in server.xml

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="E:\Resources\StashHome\.keystore"
           keystorePass="PASSWORDHERE" />

Catalina is showing me the following:

May 15, 2013 12:59:18 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [E:\Resources\Stash\bin\${stash.home}\lib], exists: [false], isDirectory: [false], canRead: [false]
May 15, 2013 12:59:18 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with directory [E:\Resources\Stash\bin\${stash.home}\lib], exists: [false], isDirectory: [false], canRead: [false]
May 15, 2013 12:59:19 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: E:\Resources\Stash\lib\native;E:\Resources\StashHome\lib\native
May 15, 2013 12:59:19 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
May 15, 2013 12:59:19 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
May 15, 2013 12:59:20 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-80"]
May 15, 2013 12:59:20 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-443"]
May 15, 2013 12:59:20 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1395 ms
May 15, 2013 12:59:20 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
May 15, 2013 12:59:20 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.32
May 15, 2013 1:00:23 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-80"]
May 15, 2013 1:00:23 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-443"]
May 15, 2013 1:00:23 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 62878 ms

Firefox gives me the following error:

An error occurred during a connection to git01.

Cannot communicate securely with peer: no common encryption algorithm(s).

(Error code: ssl_error_no_cypher_overlap)

Chrome is similar:

Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.

How do I fix this?
Thanks!

2 answers

1 accepted


Worked around this by exporting my key from my local CA.

Then used OpenSSL to convert and create a p12 type keystore.

Server.xml needed a change as well:


<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreType="PKCS12"
           keystoreFile="StashHome\moo.domain.com.p12"
           keystorePass="PASSWORDHERE" />
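The OpenSSL conversion step the accepted answer describes, as an added example that is not part of the original post. It assumes openssl is on PATH; the file names, CN and password are placeholders, and the self-signed certificate is constructed test material standing in for the CA-issued wildcard certificate.

```shell
#!/bin/sh
# Added example (not from the original post): build a PKCS12 keystore for the
# Tomcat connector from a PEM certificate and private key, then verify it.
# Assumptions: openssl on PATH; paths, CN and password below are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CERT_PEM="$WORK/stash.crt"
KEY_PEM="$WORK/stash.key"
P12_OUT="$WORK/stash.p12"
P12_PASS="PASSWORDHERE"   # placeholder; must equal keystorePass in server.xml

# Constructed test material: a throwaway self-signed cert standing in for the
# wildcard certificate issued by the CA in the question.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=*.example.test" \
        -keyout "$KEY_PEM" -out "$CERT_PEM" >/dev/null 2>&1
}

# Convert PEM cert + key into one PKCS12 keystore holding a single key entry,
# which is what keystoreType="PKCS12" in server.xml expects to load.
build_p12() {
    openssl pkcs12 -export -name tomcat \
        -inkey "$KEY_PEM" -in "$CERT_PEM" \
        -out "$P12_OUT" -passout "pass:$P12_PASS"
}

# Verify: the keystore must open with the password and contain a private key.
# A keystore Tomcat can open but that yields no usable key entry leaves the
# connector with no cipher suite it can offer, which browsers report as
# ssl_error_no_cypher_overlap / ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
verify_p12() {
    openssl pkcs12 -in "$P12_OUT" -passin "pass:$P12_PASS" -nodes 2>/dev/null \
        | grep -q 'BEGIN PRIVATE KEY'
}

# Confirm the private key really belongs to the certificate (modulus match).
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$CERT_PEM")
    k=$(openssl rsa -noout -modulus -in "$KEY_PEM")
    [ "$c" = "$k" ]
}

make_test_material
build_p12
verify_p12 && key_matches_cert && echo "keystore OK: $P12_OUT"
```

On the real server, skip make_test_material and point CERT_PEM/KEY_PEM at the exported CA certificate and key before running build_p12.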

Thanks a lot - this works perfectly.

Atlassian should really overhaul their confluence/SSL documentation.


Hi.

I think you shouldn't add 443 as a connector port there.

In my server.xml I've deactivated any other connector and just kept this one:

<Connector executor="tomcatThreadPool"
                   port="7990" protocol="AJP/1.3"
                   connectionTimeout="20000"
                   redirectPort="8443" />

In my environment HTTPS comes from Apache like this:

<VirtualHost $MY_STASH_HOST:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

    SSLCertificateFile $CERTFILE_HERE
    SSLCertificateKeyFile $KEYFILE_HERE
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

    ServerAdmin $ADMIN_EMAIL
    ServerName $MY_STASH_HOST
    ServerAlias $MY_STASH_HOST

    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLProxyEngine On
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / ajp://localhost:7990/ connectiontimeout=5 timeout=300
    ProxyPassReverse / ajp://localhost:7990/
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>

but if your solution works for you and you don't plan to bring any other application behind 443 there is nothing to change.

Just my recommendation: leave standard web ports like 443 and 80 where they belong (the web server) and configure everything correctly.
