Jira/Bitbucket server mTLS

Issue #216 resolved
Grzegorz Skołyszewski created an issue

Thanks for bringing JIRA/BB Server support. However, it seems that it does not work in mutual TLS setups.

Would be great if there was a way to specify paths to client key/cert (like with self-signed CA certs) to be used for authenticating against JIRA/BB Server services.

Comments (10)

  1. Grzegorz Skołyszewski reporter

    Thanks for responding, but... #201 only resolves self-signed certificates on the SERVER side. This enhancement is for implementing CLIENT certificate support.

  2. Jonathan Doklovic Account Deactivated

    Would adding something like the following suffice?

    const fs = require('fs');
    const https = require('https');

    // pfx bundle path and passphrase taken from the extension settings
    new https.Agent({
      pfx: fs.readFileSync(atlascodeSettings.pfxPaths),
      passphrase: atlascodeSettings.mutualTLSPassphrase
    });


    e.g. a path to a pfx file and a passphrase defined in our settings?

  3. Grzegorz Skołyszewski reporter

    I believe pfx and passphrase should be more than enough. Even if someone has separate key and crt, merging them into pfx is just one simple openssl command.

    As for the passphrase - this is a much overlooked feature by most of the industry, sometimes you just want to keep the key encrypted - great idea!

    One thing I am unsure about is requiring both .pfx and username/password since oftentimes they are mutually exclusive auth methods, but this could be a hassle to get done quick and clear. After all, if you use cert based authentication, you probably could just type anything in the required u/p fields and have it work without issues.

    Thanks for looking into this!

  4. Jonathan Doklovic Account Deactivated

    The passphrase would be used to decrypt the pfx if required.

    From the node TLS docs:

    PFX is usually encrypted, if it is, passphrase will be used to decrypt it

  5. Grzegorz Skołyszewski reporter

    Looks like it works. (only “looks like”, since I have only tested it against a mocked proxy service which terminates the SSL connection, but it’s all good and working).

    I am only worried about the labels in settings.

    1. “Use custom client-side pfx certificate” is not exactly correct:

      1. you need to include CA certificates as well to use mTLS (in most cases), which are not really client-side
      2. you have to know the above, so some note about it would be helpful
    2. Because of no. 1 above, “Use custom server-side SSL certificate(s)” is also a little bit confusing, I initially thought I needed to check both options (even though the options are in one Radio group).

    The way I’d see it would be something like, granted you want to keep one radio group:

    radio1 = “Use custom CA certificates”

    radio2 = “Use custom client side certificates (in pfx format, bundled with CA certificates)”

    You probably want to ask someone else for their opinion regarding the interface. Functionally, the feature should be ready to be rolled out.
