Deprecating TLSv1 and TLSv1.1

As part of our never-ending quest to secure your repositories, Bitbucket Cloud will be disabling support for TLSv1 and TLSv1.1 effective 1 December 2018.

This will affect all HTTPS traffic to Bitbucket, including:

  • Git or Mercurial traffic to bitbucket.org
  • The bitbucket.org Web interface
  • API calls to api.bitbucket.org
  • Hosted sites on bitbucket.io
  • Any other HTTPS traffic not listed here

SSH traffic to bitbucket.org or altssh.bitbucket.org will not be affected by this change.

About 85% of HTTPS requests to Bitbucket use the newest version of TLS (v1.2). This includes all recent versions of our supported browsers, and most recent versions of Git and Mercurial clients. However, that other 15% includes a number of remote CI/CD systems (such as Bamboo or Jenkins), issue trackers (such as Jira Server instances), wikis (such as Confluence Server instances), and older versions of Git/Hg clients; all of those use older versions of Java, OpenSSL, or Python’s ssl module when negotiating the secured connection to Bitbucket, and all of those will be unable to connect to Bitbucket at all once we disable old versions of TLS.

Payment processing pages have already moved from TLSv1, to comply with PCI requirements.

How can I tell if I will be affected by this change?

We’ll be contacting some teams and users directly, based on what we find in our logs. If you’d like to be proactive, though, then be sure to check all of the things that you use to connect to Bitbucket, including (but not limited to) your browser, your Git or Mercurial client, your CI/CD system, any API clients, and anything else you may have linked to Bitbucket.

  • SSH connections to Bitbucket are unaffected.
  • Browser connections to Bitbucket are probably unaffected, unless you use a very old browser. Wikipedia has a chart detailing TLS support in Web browsers; you should be able to check your browser’s version there. Some browsers also make connection details visible in the developer tools, or by clicking the padlock icon in the address bar.
  • Bamboo, Jenkins, Jira Server, Confluence Server, or any other Java-based systems that connect to Bitbucket may be affected; you will need to check the underlying version of Java. JDK 8 is unaffected; JDK 7 versions 1.7.0_131-b31 and later are unaffected; JDK 7 versions earlier than 1.7.0_131-b31 are affected; and JDK 6 and older are all affected. (Jira Cloud and Confluence Cloud are unaffected.)
  • Graphical Git or Mercurial clients, such as Sourcetree, may be affected; please check with your vendor. (If you use Sourcetree for Windows 2.5.5 or later, or Sourcetree for Mac 2.7.2 or later, then the embedded Git and Mercurial clients are unaffected. If you use a system Git or Mercurial client with Sourcetree, then you might be affected; please make sure you’re on the latest client version available for your platform.)
  • The Git command line on UNIX-based systems (including macOS, Linux, and all BSDs) may be affected. You should be able to test your connection from the command line with “GIT_CURL_VERBOSE=1 git ls-remote https://bitbucket.org/”. This will connect to Bitbucket using the Git client and list the connection parameters. If you see a line like “SSL connection using TLSv1.2” in the output, then you are unaffected; if that line mentions a different version of TLS, then you are affected. UPDATE 2018-11-28: If you don’t see a line like that, then your client uses an older version of curl (prior to v7.40.0); however, if the cipher suite itself mentions “GCM”, “SHA256”, or “SHA384”, then you should be unaffected.
  • The Mercurial command line on UNIX-based systems may be affected; please check your version of Python (with “python -V”). Versions 2.7.9 and later are unaffected, and most versions earlier than 2.7.9 are affected. Affected systems may also see some text in the command-line output – “warning: connecting to bitbucket.org using legacy security technology (TLS 1.0)” – though this will only show for newer versions of Mercurial. (Please note that PyPI and all other python.org sites will enforce TLSv1.2 after 30 June 2018, so you may not be able to upgrade individual Python libraries after that.)
  • Finally, if you have an API client that queries Bitbucket, then please check the libraries your client uses to connect to api.bitbucket.org.
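If you have many machines or build agents to check, the rules in the list above can be applied mechanically. The following is an added Python example, not code from Bitbucket or from the original post, that encodes those thresholds: the “SSL connection using …” line from GIT_CURL_VERBOSE=1 output (including the cipher-suite fallback for curl older than 7.40.0), the output of “python -V”, and a JDK version string compared against 1.7.0_131-b31. The sample outputs embedded in it are constructed to show the line formats and are not captured from real sessions; the exact shape of curl’s verbose line before and after 7.40.0 is an assumption about curl, not something the post states.

```python
"""Classify Bitbucket TLS readiness from client version strings and output.

Thresholds are the ones from the Bitbucket announcement: a TLSv1.2 line in
curl output, the GCM/SHA256/SHA384 cipher heuristic for curl < 7.40.0,
Python 2.7.9, and JDK 1.7.0_131-b31.  Sample outputs at the bottom are
constructed for illustration, not captured from real hosts.
"""
import re

# Protocol versions Bitbucket is switching off; anything newer is fine.
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Assumed curl formats:
#   curl >= 7.40.0: "* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256"
#   curl <  7.40.0: "* SSL connection using ECDHE-RSA-AES128-GCM-SHA256"
CURL_TLS_LINE = re.compile(
    r"SSL connection using\s+"
    r"(?:(?P<version>[A-Z]+v\d(?:\.\d)?)\s*/\s*)?"
    r"(?P<cipher>[A-Za-z0-9_-]+)"
)

# Substrings that only appear in TLS 1.2 cipher suites (AEAD / SHA-2 based).
TLS12_ONLY_MARKERS = ("GCM", "SHA256", "SHA384")

# JDK version strings such as "1.7.0_131-b31", "1.8.0_181" or "11.0.1".
JAVA_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?(?:-b(\d+))?")


def classify_git_curl_output(output):
    """Return 'unaffected', 'affected' or 'unknown' for GIT_CURL_VERBOSE=1 output."""
    for line in output.splitlines():
        m = CURL_TLS_LINE.search(line)
        if not m:
            continue
        version, cipher = m.group("version"), m.group("cipher")
        if version is not None:
            return "affected" if version in LEGACY_VERSIONS else "unaffected"
        # No version printed: curl older than 7.40.0.  A TLS-1.2-only cipher
        # suite proves TLS 1.2 was negotiated; a legacy suite such as
        # AES256-SHA is valid under TLS 1.0 and 1.2 alike, so we cannot tell.
        if any(marker in cipher for marker in TLS12_ONLY_MARKERS):
            return "unaffected"
        return "unknown"
    return "unknown"


def classify_python_version(version_output):
    """Classify the output of `python -V` (e.g. "Python 2.7.6").

    Note that Python 2 prints this on stderr, so capture both streams.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        return "unknown"
    version = tuple(int(part) for part in m.groups())
    return "unaffected" if version >= (2, 7, 9) else "affected"


def classify_java_version(version_string):
    """Classify a JDK version string against the 1.7.0_131-b31 threshold.

    JDK 8 and later are fine; JDK 7 needs 1.7.0_131-b31 or later; JDK 6 and
    older are affected.  Exactly 1.7.0_131 without a -bNN build number cannot
    be placed on either side of the threshold, so it is reported as unknown.
    """
    m = JAVA_VERSION.search(version_string)
    if not m:
        return "unknown"
    major, minor, _micro, update, build = m.groups()
    major, minor = int(major), int(minor)
    update = int(update) if update is not None else 0
    if (major, minor) >= (1, 8):          # also covers 9.x, 11.x, ...
        return "unaffected"
    if (major, minor) < (1, 7):
        return "affected"
    if update != 131:                     # JDK 7: compare the update number
        return "unaffected" if update > 131 else "affected"
    if build is None:
        return "unknown"
    return "unaffected" if int(build) >= 31 else "affected"


# Constructed samples showing the shape of GIT_CURL_VERBOSE=1 output.
SAMPLE_NEW_CURL = (
    "* Connected to bitbucket.org port 443 (#0)\n"
    "* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n"
)
SAMPLE_TLS10_CURL = "* SSL connection using TLSv1.0 / AES256-SHA\n"
SAMPLE_OLD_CURL_MODERN_CIPHER = "* SSL connection using ECDHE-RSA-AES128-GCM-SHA256\n"
SAMPLE_OLD_CURL_LEGACY_CIPHER = "* SSL connection using AES256-SHA\n"

if __name__ == "__main__":
    for name, sample in (("new curl", SAMPLE_NEW_CURL),
                         ("TLS 1.0", SAMPLE_TLS10_CURL),
                         ("old curl, GCM suite", SAMPLE_OLD_CURL_MODERN_CIPHER),
                         ("old curl, legacy suite", SAMPLE_OLD_CURL_LEGACY_CIPHER)):
        print("%-24s %s" % (name, classify_git_curl_output(sample)))
    print("Python 2.7.6 ->", classify_python_version("Python 2.7.6"))
    print("JDK 1.7.0_131-b31 ->", classify_java_version("1.7.0_131-b31"))
```

To use it on a real client, pipe the output of the command from the Git bullet above into classify_git_curl_output, and feed “python -V” output and the first line of “java -version” into the other two functions; an “unknown” result means the rules on this page cannot decide and the client should be checked by hand.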

I’ve found an affected library or client, or you’ve contacted me to tell me that I will be affected by this change. What do I need to do?

Upgrade anything that is affected, before 1 December 2018. The exact details of your upgrade will depend on what you use, and how it’s installed; we don’t have enough room here to list all the different combinations, unfortunately, but we hope that the “will I be affected” section can point you in the right direction. (We’ll remind everyone as December approaches, but if your stuff is affected then you need to start planning this out now.)

We understand that system upgrades can be complicated, especially on shared systems, but keeping your repositories secure is a priority for us. We appreciate your support and patience as we disable old, insecure versions of TLS in six months’ time.

As always, please contact our support team if you need additional information.