Deprecating TLSv1 and TLSv1.1 for Atlassian Cloud Products

As part of our quest to better secure Atlassian cloud products, Atlassian will be disabling support for Transport Layer Security (TLS) v1 and v1.1, effective December 1, 2018. We are urging companies using the Atlassian cloud products listed below to upgrade to TLSv1.2 before this date. Please read below to determine if you are affected and, if so, how to start making preparations for the change. 

Impacts

This will affect all HTTPS traffic to Atlassian cloud products, including:

  • Atlassian.com 
  • Atlassian Marketplace
  • Bitbucket Cloud (which we announced here
  • Confluence Cloud
  • Jira Cloud
  • Jira Service Desk
  • Statuspage
  • Stride

The types of traffic which would be impacted include:

  • Atlassian cloud product web interfaces viewed in a browser
  • API calls to Atlassian cloud product API endpoints
  • Hosted sites on bitbucket.io (more details here)*
  • Any other HTTPS traffic not listed here

*SSH traffic to bitbucket.org or altssh.bitbucket.org will not be affected by this change. 

 

Many of HTTPS requests to Atlassian cloud products already use the newest version of TLS, v1.2. This includes all recent versions of our supported browsers. However, some requests include a number of remote CI/CD systems, scripts, and programs which interact with our APIs; all of which use older versions of Java, OpenSSL, .NET Framework, RestSharp, NING or Python’s ssl module when negotiating the secured connection to Atlassian cloud products. All of these will be unable to connect once we disable TLSv1 and TLSv1.1.

Please note: Payment processing pages have already moved from TLSv1, to comply with PCI requirements.

How to tell if you will be affected by this change

We plan to contact some teams and users directly, based on what we find in our logs. However, we recommend that you check to make sure that everything you use to connect to Atlassian's cloud products supports TSLv1.2. This includes (but is not limited to) your browser, Git or Mercurial client, CI/CD system, API clients, and anything else that may be linked to our products.

The following list is an overview of items which may or may not affect you. 

  • Browser connections to Atlassian cloud products are probably unaffected, unless you use a very old browser. Wikipedia has a chart detailing TLS support in Web browsers, and you should be able to check your browser’s version there. Some browsers also make connection details visible in the developer tools or by clicking the padlock icon in the address bar.
  • Bamboo, Jenkins, Jira Server, Confluence Server, or any other Java-based systems that connect to Bitbucket may be affected; you will need to check the underlying version of Java. JDK 8 is unaffected; JDK 7 versions 1.7.0_131-b31 and later are unaffected; JDK 7 versions earlier than 1.7.0_131-b31 are affected; and JDK 6 and older are affected.
  • Graphical Git or Mercurial clients, such as Sourcetree, may be affected; please check with your vendor. For example, if you use Sourcetree for Windows 2.5.5 or later, or Sourcetree for Mac 2.7.2 or later, then the embedded Git and Mercurial clients are unaffected. If you use a system Git or Mercurial client with Sourcetree, then you might be affected; please make sure you’re on the latest client version available for your platform.
  • The Git command line on UNIX-based systems (including macOS, Linux, and all BSDs) may be affected. You should be able to test your connection from the following command line: GIT_CURL_VERBOSE=1 git ls-remote https://bitbucket.org/ This will connect to Bitbucket using the Git client and list the connection parameters. If you see a line like “SSL connection using TLSv1.2” in the output, then you are unaffected; if that line mentions a different version of TLS, then you are affected.
  • The Mercurial command line on UNIX-based systems may be affected; please check your version of Python (with “python -V”). Versions 2.7.9 and later are unaffected, and most versions earlier than 2.7.9 are affected. Affected systems may also see some text in the command-line output – “warning: connecting to bitbucket.org using legacy security technology (TLS 1.0)” – though this will only show for newer versions of Mercurial. Please note that PyPI and all other python.org sites enforced TLSv1.2 as of June 30, 2018.
  • SSH connections to Bitbucket are unaffected.
  • If you have an API client that queries an Atlassian cloud product, then please check the libraries your client use support TLSv1.2 at a minimum.

Next Steps: You have an affected library or client, or Atlassian has informed you directly that you will be affected by this change 

Please upgrade anything that is affected before December 1, 2018. The exact details of your upgrade will depend on what you use and how it’s installed. We don’t have enough room here to list all the different combinations, unfortunately, but we hope that the section above will point you in the right direction. We’ll remind everyone as December 1 approaches, but if you discover that you are affected, then you need to start planning now.

Keeping your Atlassian cloud product experience secure is a priority for us. We understand that system upgrades can be complicated, especially on shared systems. We appreciate your support and patience as we disable older versions of TLS in the coming months. 

As always, please contact our support team if you need additional information or ask questions in the comments below! 

17 comments

Cory Galloway October 23, 2018

Does this affect "Application Links" between on-prem instances and cloud instances?  For example, we run Bitbucket internally and it has an application link to a cloud version of JIRA.  Please advise.

jredmond
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 23, 2018

It affects all HTTPS traffic on any Atlassian-hosted product. Your Bitbucket Server instance won't be directly affected, but its link to Jira Cloud uses HTTPS and will therefore be affected by this change.

Carrie Reineccius October 23, 2018

Does this affect Trello?   (An atlassian app but it's not at atlassian.com)

jredmond
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 23, 2018

Trello already disallows TLSv1.0, but TLSv1.1 will be deprecated as well.

Bharadwaja Reddy October 24, 2018

We have implemented Jira integration in mobile. i.e, we have used Jira rest api to raise a ticket from mobile. Does this affect as TLSv1.0 and TLSv1.1 are deprecating. 

Cory Galloway October 24, 2018

James, thanks for the info about the App link.  However, what do we do now?  That is an application feature of yours and I am assuming you handle how TLS is being used.  Is that correct?

safdarali November 28, 2018

 Bitbucket Cloud will be disabling support for TLSv1 and TLSv1.1 effective 1 December 2018.
remote: Please make sure your TLS version is updated.

whats is this? please

jredmond
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 28, 2018

Have you read the linked post?

parthikambaa November 29, 2018

Yes... But... I did not  known about the  update....please let me know.How to update the TLS version.

Support me.???

hwozniak November 30, 2018

Is the "Bitbucket Cloud will be disabling..." warning being shown to everybody, or only to users who are connecting with an unsupported TLS version? I have tried upgrading some of the components mentioned in the post, but I'm still seeing the message.

jredmond
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 30, 2018

We're showing it to everybody. It's overkill in some cases, but we wanted to be sure people checked all of their systems (including, but not limited to, their other workstations; their CI/CD systems; and their Jira Server instances).

hwozniak November 30, 2018

Ah, that is not helpful! We are all thinking something is wrong with our systems and scrambling to upgrade. Can you rephrase it, or add clarification in the linked post that the warning doesn't necessarily mean your system is out of date?

jredmond
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 30, 2018

That's a great suggestion, but I think it might be a bit too late to make that change for this particular maintenance event (which happens in just a few hours). I'll add it to the guidelines for anything similar in the future, though.

Chris Raver December 11, 2018

We ran into a couple issues with some build utilities we use. This article helped, I used the 'Easy Fix'.

https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi

william@perasotech.com December 16, 2019

This was great, hope Atlassian will also support TLS 1.3 soon.   They don't need to turn off TLS 1.2, just run it along with TLS 1.3 please

https://jira.atlassian.com/browse/JRACLOUD-73562

jredmond
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 16, 2019

Bitbucket Cloud already supports TLS1.3 (also ECDSA signing). I am not sure about the timeline for other products, though.

william@perasotech.com December 18, 2019

@jredmond , do each product have a page where these changes expectations would be shared?

Comment

Log in or Sign up to comment
TAGS
AUG Leaders

Atlassian Community Events