Problem:
When adding a new SonarQube server configuration, I got an error complaining about the SSL handshake. This is how it looked in atlassian-bitbucket.log:
2018-09-10 09:03:24,796 ERROR [http-nio-50002-exec-10] bitadmin @HBVN6Wx543x650x0 1lam9n2 10.87.50.248,10.32.10.80,0:0:0:0:0:0:0:1 "POST /rest/sonar4stash/1.0/sonar-server-configs HTTP/1.1" c.m.s.s.sonar.DefaultSonarClient SONAR: Could not connect Sonar server at GET http://amdev.somecompany.com/sonarqube//api/server/version HTTP/1.1
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
...
Since we are using a company-wide PKI with our own issuer certificates, I rechecked whether the whole certificate chain was imported into the truststore jdk1.8.0_121/jre/lib/security/cacerts/, but everything seemed OK.
Solution:
The problem was a missing cipher. See https://confluence.atlassian.com/stashkb/list-ciphers-used-by-jvm-679609085.htm for the solution.
In short: download http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html and extract it to jre/lib/security/cacerts. Then restart Bitbucket.
Checking the cipher needed:
openssl s_client -connect amdev.somecompany.com:443 | grep -i cipher
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Cipher : ECDHE-RSA-AES256-GCM-SHA384
New ciphers imported with the hint from Atlassian:
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DH_anon_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 <--- This one!
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
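
To confirm from the JVM side that the suite is available, before and after installing the policy files, a small check like the following can be run with the same JRE that Bitbucket uses. This is an added example, not code from the Atlassian article; the class name CheckJvmCipher is hypothetical, and the default suite name is the JSSE spelling of the cipher reported by openssl above.

```java
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

// Hypothetical helper (added example). Compile and run it with the JRE that Bitbucket uses:
//   javac CheckJvmCipher.java && java CheckJvmCipher [JSSE_SUITE_NAME]
public class CheckJvmCipher {
    public static void main(String[] args) throws Exception {
        // JSSE name of the suite that openssl reported as ECDHE-RSA-AES256-GCM-SHA384.
        String wanted = args.length > 0 ? args[0] : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";

        // 128 means the limited-strength policy is active; Integer.MAX_VALUE means unlimited.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("java.home    : " + System.getProperty("java.home"));
        System.out.println("java.version : " + System.getProperty("java.version"));
        System.out.println("max AES key  : "
                + (maxAes == Integer.MAX_VALUE ? "unlimited" : maxAes + " bits"));

        SSLContext ctx = SSLContext.getDefault();
        // "Supported" = the JVM can negotiate it; "enabled" = it is offered by default.
        Set<String> supported =
                new TreeSet<>(Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled =
                new TreeSet<>(Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        System.out.println(wanted + " supported=" + supported.contains(wanted)
                + " enabled=" + enabled.contains(wanted));

        // Count the AES-256 suites; on Java 8 with the limited policy none are expected.
        int aes256 = 0;
        for (String s : supported) {
            if (s.contains("_AES_256_")) aes256++;
        }
        System.out.println("AES-256 suites supported: " + aes256);

        // Unauthenticated (anon) key exchange should never be offered by default.
        for (String s : enabled) {
            if (s.contains("_anon_")) System.out.println("WARNING: anonymous suite enabled: " + s);
        }

        if (!enabled.contains(wanted)) {
            System.out.println("This JVM does not offer " + wanted + " by default.");
            System.exit(1);
        }
    }
}
```

A non-zero exit status means the JVM still does not offer the suite, so the handshake_failure is expected to persist until that changes.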