On July 15, 2024, Bitbucket began to update its Transport Layer Security (TLS) configuration to be consistent with other Atlassian Cloud products. This includes ending support for some weaker cipher suites.
This change is not being made in response to any breach or issue, but as part of our continuous efforts to ensure our products maintain our best-in-class security for our customers.
This change affects all HTTPS traffic to Bitbucket, including:
- https://bitbucket.org
- https://api.bitbucket.org
- Repository operations against https://bitbucket.org
- Hosted sites on https://*.bitbucket.io
This change does not affect:
- Repository operations via SSH (bitbucket.org or altssh.bitbucket.org)
Supported cipher suites as of July 15, 2024
As of July 15, 2024, your browser, client, or CI server must support making TLS connections using at least one of the cipher suites below.
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
What cipher suites are deprecated?
As of July 15, 2024, the following cipher suites are no longer supported.
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
How can I tell if I am affected by this change?
We will be contacting some teams and users directly, based on what we find in our logs. If you’d like to be proactive, though, then be sure to check all of the things that you use to connect to Bitbucket, including (but not limited to) your browser, your Git client, your CI/CD system, any API clients, and anything else you may have linked to Bitbucket.
- SSH connections to Bitbucket are unaffected.
- Browser connections to Bitbucket are probably unaffected, unless you use a very old browser. Wikipedia has a chart detailing TLS support in Web browsers; you should be able to check your browser’s version there. Some browsers also make connection details visible in the developer tools, or by clicking the padlock icon in the address bar.
- Bamboo, Jenkins, Jira Data Center, Confluence Data Center, or any other Java-based systems that connect to Bitbucket may be affected; you will need to check the underlying version of Java. JDK 8 is unaffected; JDK 7 versions 1.7.0_131-b31 and later are unaffected; JDK 7 versions earlier than 1.7.0_131-b31 are affected; and JDK 6 and older are all affected. (Jira Cloud and Confluence Cloud are unaffected.)
- Graphical Git clients, such as Sourcetree, may be affected; please check with your vendor. (If you use the latest versions of Sourcetree for Windows 3.3.4, or Mac 4.0, then the embedded Git clients are unaffected. If you use a system Git client with Sourcetree, then you might be affected; please make sure you’re on the latest client version available for your platform.)
- The Git command line on UNIX-based systems (including macOS, Linux, and all BSDs) may be affected. You should be able to test your connection from the command line:
  GIT_CURL_VERBOSE=1 git ls-remote https://bitbucket.org/
  This will connect to Bitbucket using the Git client and list the connection parameters.
- Finally, if you have an API client that queries Bitbucket, then please check the libraries your client uses to connect to api.bitbucket.org.
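As an added example (not Atlassian's code), the Python sketch below classifies cipher names against the two lists on this page, accepting either the IANA names used here or the OpenSSL names that curl, Git and Python report. It assumes the verbose output contains curl's OpenSSL-style "SSL connection using <protocol> / <cipher>" line; the function names and the sample line are constructed for illustration.

```python
import re
import ssl

# IANA names from this page mapped to the OpenSSL names that curl, git and
# Python's ssl module report. TLS 1.3 suites use the same name in both.
SUPPORTED = {
    "TLS_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384": "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256": "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-ECDSA-CHACHA20-POLY1305",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
}
DEPRECATED = {
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
}
# Constructed sample of the line curl prints in verbose mode (not captured output).
SAMPLE_LINE = "* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256"

def classify(name):
    """Classify one cipher name given in either IANA or OpenSSL spelling."""
    for label, table in (("supported", SUPPORTED), ("deprecated", DEPRECATED)):
        if name in table or name in table.values():
            return label
    return "unlisted"

def audit_offer(offered):
    """Return (affected, usable): affected is True when none of the offered
    ciphers is on the supported list, so no handshake can succeed."""
    usable = [c for c in offered if classify(c) == "supported"]
    return (not usable, usable)

def negotiated_cipher(verbose_output):
    """Pull the cipher out of curl's 'SSL connection using <proto> / <cipher>' line."""
    m = re.search(r"SSL connection using \S+ / ([A-Za-z0-9_-]+)", verbose_output)
    return m.group(1) if m else None

def local_offer():
    """Cipher names this Python's linked OpenSSL enables by default."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]

if __name__ == "__main__":
    affected, usable = audit_offer(local_offer())
    print("affected" if affected else f"ok, {len(usable)} supported suites offered")
    print(classify(negotiated_cipher(SAMPLE_LINE)))
```

local_offer() reflects the OpenSSL build linked into the Python interpreter, so it audits Python-based API clients on that host, not the system Git or curl. A result of "unlisted" from a TLS backend that spells cipher names differently needs a manual comparison with the lists above.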
I’ve found an affected library or client, or you’ve contacted me to tell me that I will be affected by this change. What do I need to do?
Immediately upgrade anything that is affected to a version that supports at least one of the supported cipher suites listed above. We understand that system upgrades can be complicated, especially on shared systems, but keeping your repositories secure is a priority for us. We appreciate your support and patience as we disable old, insecure cipher suites.