We have been using LDAPS for authentication with Jira for about 2 years now with no real issues. After a recent upgrade to 8.16 the LDAP auth stopped working due to SSLHandshakeException.
After trying a variety of troubleshooting, including using SSLPoke and various versions of Java (those bundled with pre-8.16, 8.16, and an independent system installed one) we determined the cause to be something specific to the JVM version itself.
It seems Jira has used 1.8.0_202 from 8.3 through 8.15, but with 8.16 they have updated to using 1.8.0_275 (note: the documentation is wrong about what JVM comes with 8.16, and they are allegedly going to fix that). The only one that has the issue is the _275 version.
I opened a support case with Atlassian about this, and they have reviewed all my findings, checked with the engineers, etc. In the end they have confirmed it is something specific to the JVM, and thus outside of the scope of their support duties. Great.
As a workaround, I swapped in the entire "jre" directory tree from the previous version and it works fine. I guess I'm not benefiting from any of the JVM security/bugfix updates as a result though, so it's not the best long term solution.
Their best guess is that it's related to a known bug that has arisen from some vulnerability fixes.
I'm curious if anyone else using LDAPS has upgraded to 8.16, and whether or not you have run into this issue?
So there has been more digging by Atlassian, as well as on our end.
We ended up trying totally new certificates with this newer JRE. It was a bit of effort, but we got them deployed all around and the LDAPS is now working in Jira under the newer JRE!
I still have no idea what the exact root cause of this issue is, but I can now say that it had something to do with the way those older certificates were generated. Maybe they just happened to work in the older VM due to one of the many security flaws that was patched?
In either case, my issue has been resolved, and hopefully this helps anyone else who may run into a similar problem with their upgrade.
We will be updating in the next month to 8.16 and I will be able to let you know then. This is good information to have so thanks for posting.