Deprecating TLSv1 and TLSv1.1

By on May 31, 2018

As part of our never-ending quest to secure your repositories, Bitbucket Cloud will be disabling support for TLSv1 and TLSv1.1 effective 1 December 2018.

This will affect all HTTPS traffic to Bitbucket, including:

SSH traffic to bitbucket.org or altssh.bitbucket.org will not be affected by this change.

About 85% of HTTPS requests to Bitbucket use the newest version of TLS (v1.2). This includes all recent versions of our supported browsers, and most recent versions of Git and Mercurial clients. However, that other 15% includes a number of remote CI/CD systems (such as Bamboo or Jenkins), issue trackers (such as Jira Server instances), wikis (such as Confluence Server instances), and older versions of Git/Hg clients; all of those use older versions of Java, OpenSSL, or Python’s ssl module when negotiating the secured connection to Bitbucket, and all of those will be unable to connect to Bitbucket at all once we disable old versions of TLS.

Payment processing pages have already moved from TLSv1, to comply with PCI requirements.

How can I tell if I will be affected by this change?

We’ll be contacting some teams and users directly, based on what we find in our logs. If you’d like to be proactive, though, then be sure to check all of the things that you use to connect to Bitbucket, including (but not limited to) your browser, your Git or Mercurial client, your CI/CD system, any API clients, and anything else you may have linked to Bitbucket.

I’ve found an affected library or client, or you’ve contacted me to tell me that I will be affected by this change. What do I need to do?

Upgrade anything that is affected, before 1 December 2018. The exact details of your upgrade will depend on what you use, and how it’s installed; we don’t have enough room here to list all the different combinations, unfortunately, but we hope that the “will I be affected” section can point you in the right direction. (We’ll remind everyone as December approaches, but if your stuff is affected then you need to start planning this out now.)

We understand that system upgrades can be complicated, especially on shared systems, but keeping your repositories secure is a priority for us. We appreciate your support and patience as we disable old, insecure versions of TLS in six months’ time.

As always, please contact our support team if you need additional information.