
Fisheye Server SSL Cipher Options

Ken Noppinger December 13, 2017

I just configured SSL for my Fisheye server. I browse to it using Google Chrome on the same machine and get a message:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported protocol

The client and server don't support a common SSL protocol version or cipher suite.

What are the built-in cipher suites and how do I change these?

2 answers

1 accepted

1 vote
Answer accepted
Lars Olav Velle
December 13, 2017

Set up a proxy server in front of FishEye and save yourself a lot of time and trouble.

https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html

Ken Noppinger December 15, 2017

Thanks.  That seems like the correct answer.

Michael Rivera April 25, 2019

I get this same exact error. Setting up a proxy server appears to be a workaround. There should be a clear set of steps to get this up and running and a set of steps to troubleshoot. I am really surprised this is so difficult.

0 votes
Deleted user January 19, 2019

For those of you who don't want to set up a proxy, or possibly want to know why it's not connecting properly, check out my answer here.

Michael Rivera April 25, 2019

I get this same exact error. I have gone through the steps outlined but it does not help in my case.

Deleted user April 25, 2019

Are you sure you got your SSL certificate properly converted to a JKS and that Crucible is pointing to it (and has access to it)?

Don't get me wrong though, you should probably use the proxy server anyway as it allows you to run Jira, Crucible, and boatloads of other stuff on the same server while using something like IIS to manage the SSL certs, ports and IPs.

Michael Rivera April 25, 2019

Yes, I was able to figure it out after 3 days. Ugh! I had to include the entire certificate chain in the keystore. It was not enough that I had my CA references in the trust store. Here are the commands I used to get this to work:

First, I generated a combined pkcs12 formatted file (cert.p12) with the following command.

- openssl pkcs12 -export -out cert.p12 -in host.pem -inkey key.pem -CAfile cacerts_root.pem -caname root -name jetty -certfile cacerts_int.pem

Second, create a new store with the pkcs12 formatted file:

- keytool -importkeystore -deststorepass ***** -destkeypass ***** -destkeystore /path/to/key-file/host.p12 -srckeystore cert.p12 -srcstoretype PKCS12 -srcstorepass **** -alias jetty

Finally, I updated config.xml file with the appropriate settings:

<web-server>
  <http bind=":80"/>
  <ssl truststore="/path/to/trust-file/cacerts"
       truststore-password="*******"
       keystore="/path/to/key-file/host.p12"
       keystore-password="********" bind=":443"><proxy-info/>
  </ssl>
</web-server>

Restarted, and it came up. This was a huge pain. There were no logs, no errors to go by and not much on the documentation front.

I tried the openssl command

openssl s_client -connect my.web.site:443 

but this did not help. It kept telling me no client certificate served.

Here is my stackoverflow post on it:

https://serverfault.com/questions/964441/tls-setup-of-crucible-fisheye-server

There has to be some better tooling to help diagnose these issues or Atlassian / Jetty / Tomcat should create this tooling. 
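
Added example (not part of the original thread and not Atlassian or Jetty tooling): a shell check for the point made in the comment above, whether a PKCS12 keystore carries the certificate chain or only the host certificate. The CA hierarchy, file names and the password changeit are constructed for the demo, and only openssl is assumed to be installed; a count of 1 means the store holds the host certificate alone.

```shell
#!/bin/sh
# Added example; the CA hierarchy, file names and password are constructed.
# Against a live server, `openssl s_client -connect HOST:443 -showcerts </dev/null`
# prints the chain the server actually sends.

# Print how many certificates a PKCS12 file carries (host cert + any CA certs).
p12_cert_count() {  # usage: p12_cert_count FILE PASSWORD
    P12_PASS="$2" openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE' || true
}

# Succeed only when the file holds the host cert plus at least one issuer cert.
p12_has_chain() {  # usage: p12_has_chain FILE PASSWORD
    [ "$(p12_cert_count "$1" "$2")" -ge 2 ]
}

# Build a throwaway root -> intermediate -> host hierarchy in DIR and export it
# twice: leaf-only.p12 (no chain) and with-chain.p12 (host + intermediate + root).
make_demo_p12s() {  # usage: make_demo_p12s DIR PASSWORD
    (
        cd "$1" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
            -subj "/CN=Demo Root CA" -days 1 2>/dev/null
        for n in int leaf; do
            openssl req -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
                -subj "/CN=demo-$n" 2>/dev/null
        done
        openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -out int.pem -days 1 2>/dev/null
        openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key \
            -CAcreateserial -out leaf.pem -days 1 2>/dev/null
        cat int.pem root.pem > chain.pem
        export P12_PASS="$2"   # passed via the environment, not the command line
        openssl pkcs12 -export -out leaf-only.p12 -in leaf.pem -inkey leaf.key \
            -name jetty -passout env:P12_PASS
        openssl pkcs12 -export -out with-chain.p12 -in leaf.pem -inkey leaf.key \
            -name jetty -certfile chain.pem -passout env:P12_PASS
    )
}

# Demo run: report the certificate count of both constructed keystores.
demo_dir=$(mktemp -d)
make_demo_p12s "$demo_dir" changeit
for f in leaf-only.p12 with-chain.p12; do
    echo "$f: $(p12_cert_count "$demo_dir/$f" changeit) certificate(s)"
done
rm -rf "$demo_dir"
```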
