Fisheye Server SSL Cipher Options

I just configured SSL for my Fisheye server. I browse to it using Google Chrome on the same machine and get a message:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported protocol

The client and server don't support a common SSL protocol version or cipher suite.

What are the built-in cipher suites and how do I change these?

2 answers

1 accepted

1 vote
Answer accepted

Set up a proxy server in front of FishEye and save yourself a lot of time and trouble.

https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html

Thanks.  That seems like the correct answer.

I get this same exact error. Setting up a proxy server appears to be a workaround. There should be a clear set of steps to get this up and running and a set of steps to troubleshoot. I am really surprised this is so difficult.

0 votes

For those of you who don't want to set up a proxy, or possibly want to know why it's not connecting properly, check out my answer here.

I get this same exact error. I have gone through the steps outlined but it does not help in my case.

Deleted user Apr 25, 2019

Are you sure you got your SSL certificate properly converted to a JKS and that Crucible is pointing to it (and has access to it)?

Don't get me wrong though, you should probably use the proxy server anyway as it allows you to run Jira, Crucible, and boatloads of other stuff on the same server while using something like IIS to manage the SSL certs, ports and IPs.

Yes, I was able to figure it out after 3 days. Ugh! I had to include the entire certificate chain in the keystore. It was not enough that I had my CA references in the trust store. Here are the commands I used to get this to work.

First, I generated a combined pkcs12 formatted file (cert.p12) with the following command.

- openssl pkcs12 -export -out cert.p12 -in host.pem -inkey key.pem -CAfile cacerts_root.pem -caname root -name jetty -certfile cacerts_int.pem

Second, create a new store with the pkcs12 formatted file:

- keytool -importkeystore -deststorepass ***** -destkeypass ***** -destkeystore /path/to/key-file/host.p12 -srckeystore cert.p12 -srcstoretype PKCS12 -srcstorepass **** -alias jetty

Finally, I updated config.xml file with the appropriate settings:

<web-server>
    <http bind=":80"/>
    <ssl truststore="/path/to/trust-file/cacerts"
         truststore-password="*******"
         keystore="/path/to/key-file/host.p12"
         keystore-password="********" bind=":443">
        <proxy-info/>
    </ssl>
</web-server>

Restarted, and it came up. This was a huge pain. There were no logs, no errors to go by and not much on the documentation front.

I tried the openssl command

openssl s_client -connect my.web.site:443

but this did not help. It kept telling me no client certificate served.

Here is my stackoverflow post on it

https://serverfault.com/questions/964441/tls-setup-of-crucible-fisheye-server

There has to be some better tooling to help diagnose these issues or Atlassian / Jetty / Tomcat should create this tooling.
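
The reply above traces the failure to a keystore that lacked the full certificate chain, and says the `openssl s_client` output was hard to read. As an added example (not part of the thread and not Atlassian tooling), this script classifies the "Certificate chain" section of that output; the function name, status names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify what a TLS server presented,
# based on the text output of `openssl s_client`. Live use, with the thread's
# placeholder host:
#   openssl s_client -connect my.web.site:443 </dev/null 2>/dev/null | chain_status
chain_status() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        $0 == "---"          { in_chain = 0 }   # PEM "-----BEGIN" lines do not match
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n - 1] = $0 }
        END {
            if (n == 0) { print "no-chain"; exit }    # handshake ended before any certificate
            for (k = 0; k < n - 1; k++)               # each issuer must be the next subject
                if (iss[k] != subj[k + 1]) { print "broken-link"; exit }
            if (n == 1 && subj[0] != iss[0]) { print "leaf-only"; exit }  # no intermediates sent
            print "linked"
        }'
}

# Constructed, abridged sample outputs; all names are placeholders.
sample_full() { cat <<'EOF'
---
Certificate chain
 0 s:CN = my.web.site
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
EOF
}
sample_leaf_only() { cat <<'EOF'
Certificate chain
 0 s:CN = my.web.site
   i:CN = Example Intermediate CA
---
EOF
}
sample_failed() { cat <<'EOF'
---
no peer certificate available
---
No client certificate CA names sent
---
EOF
}
for s in sample_full sample_leaf_only sample_failed; do
    printf '%s: %s\n' "$s" "$($s | chain_status)"
done
```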
