Fisheye Server SSL Cipher Options

I just configured SSL for my Fisheye server. I browse to it using Google Chrome on the same machine and get a message:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported protocol

The client and server don't support a common SSL protocol version or cipher suite.

What are the built-in cipher suites and how do I change these?

2 answers

1 accepted

1 vote
Answer accepted

Set up a proxy server in front of FishEye and save yourself a lot of time and trouble.

https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html

Thanks.  That seems like the correct answer.

I get this same exact error. Setting up a proxy server appears to be a workaround. There should be a clear set of steps to get this up and running and a set of steps to troubleshoot. I am really surprised this is so difficult.

For those of you who don't want to set up a proxy, or possibly want to know why it's not connecting properly, check out my answer here.

I get this same exact error. I have gone through the steps outlined but it does not help in my case.

Are you sure you got your SSL certificate properly converted to a JKS and that Crucible is pointing to it (and has access to it)?

Don't get me wrong though, you should probably use the proxy server anyway as it allows you to run Jira, Crucible, and boatloads of other stuff on the same server while using something like IIS to manage the SSL certs, ports and IPs.

Yes, I was able to figure it out after 3 days. Ugh! I had to include the entire certificate chain in the keystore. It was not enough that I had my CA references in the trust store. Here are the commands I used to get this to work:

First, I generated a combined pkcs12 formatted file (cert.p12) with the following command.

- openssl pkcs12 -export -out cert.p12 -in host.pem -inkey key.pem -CAfile cacerts_root.pem -caname root -name jetty -certfile cacerts_int.pem

Second, create a new store with the pkcs12 formatted file:

- keytool -importkeystore -deststorepass ***** -destkeypass ***** -destkeystore /path/to/key-file/host.p12 -srckeystore cert.p12 -srcstoretype PKCS12 -srcstorepass **** -alias jetty

Finally, I updated config.xml file with the appropriate settings:

<web-server>
  <http bind=":80"/>
  <ssl truststore="/path/to/trust-file/cacerts"
       truststore-password="*******"
       keystore="/path/to/key-file/host.p12"
       keystore-password="********" bind=":443">
    <proxy-info/>
  </ssl>
</web-server>

Restarted, and it came up. This was a huge pain. There were no logs, no errors to go by and not much on the documentation front.

I tried the openssl command

openssl s_client -connect my.web.site:443 

but this did not help. It kept telling me no client certificate served.

Here is my Stack Overflow post on it:

https://serverfault.com/questions/964441/tls-setup-of-crucible-fisheye-server

There has to be some better tooling to help diagnose these issues or Atlassian / Jetty / Tomcat should create this tooling. 
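
The comment above traces the failure to a keystore that held the host certificate without its chain. As an added example (not part of the original thread, and not Atlassian or Jetty tooling), this shell function classifies the "Certificate chain" section that `openssl s_client -showcerts` prints; the host and CA names in the two samples are constructed, not captured from a real server.

```sh
#!/bin/sh
# Added example: classify the chain section of `openssl s_client -showcerts`
# output read from stdin. Prints one word:
#   none      - no certificate was presented at all
#   leaf-only - only the host certificate was sent, and it is not self-signed
#   broken    - some certificate's issuer is not the subject of the next one
#   ok        - every certificate sent is followed by its issuer
chain_status() {
  awk '
    BEGIN { n = 0 }
    /^Certificate chain/ { in_chain = 1; next }
    /^---$/              { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
    in_chain && /^ +i:/        { sub(/^ +i:/, ""); if (n > 0) iss[n - 1] = $0 }
    END {
      if (n == 0) { print "none"; exit }
      if (n == 1 && subj[0] != iss[0]) { print "leaf-only"; exit }
      for (k = 0; k < n - 1; k++)
        if (iss[k] != subj[k + 1]) { print "broken"; exit }
      print "ok"
    }'
}

# Constructed sample: keystore holds the host certificate only.
sample_leaf_only() { cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = fisheye.example.test
   i:CN = Example Intermediate CA
---
Server certificate
EOF
}

# Constructed sample: keystore holds the host certificate plus its intermediate.
sample_full_chain() { cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = fisheye.example.test
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
Server certificate
EOF
}
```

Against a live server, pipe `openssl s_client -connect my.web.site:443 -showcerts </dev/null` into `chain_status`.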
