Jira/Bitbucket server mTLS
Thanks for bringing JIRA/BB Server support. However, it seems that it does not work in mutual TLS setups.
Would be great if there was a way to specify paths to client key/cert (like with self-signed CA certs) to be used for authenticating against JIRA/BB Server services.
Comments (10)
-
Account Deactivated We now support setting your own SSL certs. See https://bitbucket.org/atlassianlabs/atlascode/issues/201 for details. -
- changed status to resolved
reporter Thanks for responding, but #201 only resolves self-signed certificates on the SERVER side. This enhancement is for implementing CLIENT certificate support. -
reporter - changed status to open
-
Account Deactivated Would adding something like the following suffice?
new https.Agent({ pfx: fs.readFileSync(atlascodeSettings.pfxPaths), passphrase: atlascodeSettings.mutualTLSPassphrase });
e.g. a path to a pfx file and a passphrase defined in our settings?
-
reporter I believe pfx and passphrase should be more than enough. Even if someone has a separate key and crt, merging them into a pfx is just one simple openssl command.
As for the passphrase - this is a much overlooked feature by most of the industry; sometimes you just want to keep the key encrypted. Great idea!
One thing I am unsure about is requiring both .pfx and username/password, since oftentimes they are mutually exclusive auth methods, but this could be a hassle to get done quickly and clearly. After all, if you use cert-based authentication, you probably could just type anything in the required u/p fields and have it work without issues.
Thanks for looking into this!
-
Account Deactivated The passphrase would be used to decrypt the pfx if required.
From the node TLS docs: "PFX is usually encrypted, if it is, passphrase will be used to decrypt it"
-
Account Deactivated I’ve created a new version that allows you to configure SSL settings, both server and client, when you authenticate with a custom site.
Can you please test it out and let me know if it works for you? You'll need to install this manually using the "Install from VSIX…" option from the extensions panel.
https://bitbucket.org/atlassianlabs/atlascode/downloads/atlascode-2.0.5-mtls.vsix
-
reporter Looks like it works. (only “looks like”, since I have only tested it against mocked proxy service which terminates the SSL connection, but it’s all good and working).
I am only worried about the labels in settings.
1. "Use custom client-side pfx certificate" is not exactly correct:
   - you need to include CA certificates as well to use mTLS (in most cases), which are not really client-side
   - you have to know the above, so some note about it would be helpful
2. Because of no. 1 above, "Use custom server-side SSL certificate(s)" is also a little bit confusing; I initially thought I needed to check both options (even though the options are in one radio group).
The way I'd see it would be something like, granted you want to keep one radio group:
radio1 = "Use custom CA certificates"
radio2 = "Use custom client-side certificates (in pfx format, bundled with CA certificates)"
You probably want to ask someone else for their opinion regarding the interface. Functionally, the feature should be ready to be rolled out.
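The two points the thread settles on, that a client pfx should carry the CA certificate(s) alongside the client key/cert and that the pfx should be passphrase-protected, can be checked directly with the openssl CLI. The following is an added shell example, not atlascode's code and not posted by any participant; it assumes an `openssl` binary on PATH, uses throwaway one-day certificates, and uses the demo passphrase `secret` (a real passphrase should not be passed on the command line, where `ps` can see it; use `-passout file:` or `env:` instead).

```shell
#!/bin/sh
# Added example (not atlascode's code): build a throwaway CA and client
# identity with openssl, bundle them into a passphrase-protected PKCS#12
# (.pfx/.p12) file, and inspect what the bundle actually contains.
# Directory layout, subject names and the passphrase are demo assumptions.
set -u

# make_pki DIR: writes ca.pem/ca.key, client.key/client.pem and two bundles:
#   client.p12      - key + client cert + CA cert (what the thread recommends)
#   client-only.p12 - key + client cert only (the easy-to-miss variant)
make_pki() {
  dir=$1
  # Self-signed demo CA, valid for one day.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.pem" -subj "/CN=Demo mTLS CA" -days 1 >/dev/null 2>&1
  # Client key + CSR, then a client cert signed by the demo CA.
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/client.key" \
    -out "$dir/client.csr" -subj "/CN=demo-client" >/dev/null 2>&1
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/client.pem" -days 1 >/dev/null 2>&1
  # The "one simple openssl command": key + cert (+ CA via -certfile) -> pfx,
  # encrypted under a passphrase ("secret" is a demo value only).
  openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.pem" \
    -certfile "$dir/ca.pem" -out "$dir/client.p12" -passout pass:secret
  # Same bundle without the CA, to show the difference.
  openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.pem" \
    -out "$dir/client-only.p12" -passout pass:secret
}

# count_pfx_certs PFX PASSPHRASE: prints the number of certificates in the
# bundle (2 = CA travelled with the client cert, 1 = it did not).
# Prints 0 and returns 1 when the passphrase does not open the bundle.
count_pfx_certs() {
  certs=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null) || {
    echo 0; return 1; }
  printf '%s\n' "$certs" | grep -c 'BEGIN CERTIFICATE'
}

# pfx_matches_ca PFX PASSPHRASE CAFILE: returns 0 when the client cert inside
# the bundle chains to CAFILE, i.e. the check an mTLS server will perform.
pfx_matches_ca() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl verify -CAfile "$3" >/dev/null 2>&1
}

# Demo run when executed directly.
work=$(mktemp -d)
make_pki "$work"
echo "certs in client.p12:      $(count_pfx_certs "$work/client.p12" secret)"
echo "certs in client-only.p12: $(count_pfx_certs "$work/client-only.p12" secret)"
if count_pfx_certs "$work/client.p12" wrong-passphrase >/dev/null; then
  echo "bundle opened with the wrong passphrase?!"
else
  echo "wrong passphrase rejected"
fi
if pfx_matches_ca "$work/client.p12" secret "$work/ca.pem"; then
  echo "client cert chains to ca.pem"
else
  echo "client cert does NOT chain to ca.pem"
fi
rm -rf "$work"
```

The count is what separates the two radio labels discussed above: a bundle built with `-certfile` is what the "client-side certificates bundled with CA certificates" option expects, while the CA-only option corresponds to handing the extension just `ca.pem`.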
-
Account Deactivated FYI, we’ve released 2.1.0 with these changes and some other fixes.
-
Account Deactivated - changed status to resolved