Update to supported cipher suites in Bitbucket Cloud

[Update Aug 7, 2020] On Aug 24th, 2020 (moved from the originally announced date of August 3), we will be upgrading our TLS configuration and ending support for some weaker cipher suites. Please ensure your systems support at least one of the cipher suites listed below to minimize disruption to your workflow.

On August 3, 2020, Bitbucket will begin updating its Transport Layer Security (TLS) configuration and ending support for some weaker cipher suites. This change is not being made in response to any breach or issue, but as part of our continuous efforts to ensure our products maintain best-in-class security for our customers.

This change will affect all HTTPS traffic to Bitbucket, including:

  • https://bitbucket.org
  • https://api.bitbucket.org
  • Repository operations against https://bitbucket.org
  • Hosted sites on https://*.bitbucket.io

This change will not affect:

  • Repository operations via SSH (bitbucket.org or altssh.bitbucket.org)

Supported cipher suites beginning August 3, 2020

Your browser, client, or CI server must support making TLS connections using at least one of the cipher suites below by August 3, 2020.

  • TLS_AES_128_GCM_SHA256 (TLS 1.3)
  • TLS_AES_256_GCM_SHA384 (TLS 1.3)
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-GCM-SHA384

What cipher suites will be deprecated?

Cipher suites using CBC mode, and cipher suites without perfect forward secrecy (static RSA key exchange), will be discontinued. Only AES-GCM suites with ephemeral ECDHE or DHE key exchange, plus the two TLS 1.3 suites, remain supported.

The following cipher suites will be deprecated. They are listed in IANA-style notation with an SSL_ prefix; OpenSSL-based tools (curl, Git on UNIX-like systems, Python) report the same suites in OpenSSL's own notation, for example ECDHE-RSA-AES128-SHA for SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA and AES128-GCM-SHA256 for SSL_RSA_WITH_AES_128_GCM_SHA256.

  • SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • SSL_DHE_RSA_WITH_AES_128_CBC_SHA
  • SSL_DHE_RSA_WITH_AES_256_CBC_SHA
  • SSL_RSA_WITH_AES_128_GCM_SHA256
  • SSL_RSA_WITH_AES_256_GCM_SHA384
  • SSL_RSA_WITH_AES_128_CBC_SHA256
  • SSL_RSA_WITH_AES_256_CBC_SHA256
  • SSL_RSA_WITH_AES_128_CBC_SHA
  • SSL_RSA_WITH_AES_256_CBC_SHA

How can I tell if I will be affected by this change?

We'll be contacting some teams and users directly, based on what we find in our logs. If you'd like to be proactive, though, then be sure to check all of the things that you use to connect to Bitbucket, including (but not limited to) your browser, your Git client, your CI/CD system, any API clients, and anything else you may have linked to Bitbucket.

  • SSH connections to Bitbucket are unaffected.
  • Browser connections to Bitbucket are probably unaffected, unless you use a very old browser. Wikipedia has a chart detailing TLS support in Web browsers; you should be able to check your browser's version there. Some browsers also make connection details visible in the developer tools, or by clicking the padlock icon in the address bar.
  • Bamboo, Jenkins, Jira Server, Confluence Server, or any other Java-based systems that connect to Bitbucket may be affected; you will need to check the underlying version of Java. JDK 8 is unaffected; JDK 7 versions 1.7.0_131-b31 and later are unaffected; JDK 7 versions earlier than 1.7.0_131-b31 are affected; and JDK 6 and older are all affected. (Jira Cloud and Confluence Cloud are unaffected.)
  • Graphical Git clients, such as Sourcetree, may be affected; please check with your vendor. (If you use the latest versions of Sourcetree for Windows (3.3.4) or for Mac (4.0), then the embedded Git clients are unaffected. If you use a system Git client with Sourcetree, then you might be affected; please make sure you're on the latest client version available for your platform.)
  • The Git command line on UNIX-based systems (including macOS, Linux, and all BSDs) may be affected. Git uses the system's libcurl and TLS library (usually OpenSSL) for HTTPS, so those libraries, not just Git itself, need to be current. You should be able to test your connection from the command line:

        GIT_CURL_VERBOSE=1 git ls-remote https://bitbucket.org/

    This connects to Bitbucket using the Git client and prints the connection parameters. Look for the line "SSL connection using <protocol> / <cipher>", which names the protocol version and cipher suite negotiated with the server; if that cipher is one of the supported suites above, your Git client is fine. An error reported after the handshake doesn't matter for this test.
  • Finally, if you have an API client that queries Bitbucket, then please check the libraries your client uses to connect to api.bitbucket.org, including the HTTP library and the TLS implementation underneath it (OpenSSL, JSSE, and so on).
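The checks above all come down to one question: does the client offer at least one of the suites in the supported list? The script below is an added example written for this page, not Atlassian's code. It converts cipher suite names between the SSL_/TLS_ notation used in the lists above and OpenSSL's notation, audits a client's offered cipher list against the announcement (so the deprecated list maps to the reasons given: CBC mode or no forward secrecy), checks the running Python interpreter's ssl module as one such API client, and extracts the negotiated suite from GIT_CURL_VERBOSE=1 output. The verbose output sample embedded in it is constructed, and the "SSL connection using <protocol> / <cipher>" line format is libcurl's, assumed here rather than taken from the announcement.

```python
"""Audit TLS cipher suites against Bitbucket Cloud's post-change policy.

Added example for this page, not Atlassian code. The supported and deprecated
lists are copied from the announcement; everything else is an assumption
labelled in the comments.
"""
import re
import ssl

# Suites Bitbucket keeps, as listed in the announcement (OpenSSL notation; the
# two TLS 1.3 names are the same in OpenSSL and IANA notation).
SUPPORTED = frozenset({
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
})

# Suites the announcement drops, in the SSL_-prefixed notation it uses.
DEPRECATED = (
    "SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "SSL_DHE_RSA_WITH_AES_128_CBC_SHA", "SSL_DHE_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_AES_128_GCM_SHA256", "SSL_RSA_WITH_AES_256_GCM_SHA384",
    "SSL_RSA_WITH_AES_128_CBC_SHA256", "SSL_RSA_WITH_AES_256_CBC_SHA256",
    "SSL_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_AES_256_CBC_SHA",
)


def normalize(name):
    """Map an IANA/Java-style name (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, or
    the SSL_ prefix used in the announcement) to OpenSSL notation.  OpenSSL
    names and TLS 1.3 names (which have no _WITH_) pass through unchanged."""
    m = re.fullmatch(r"(?:TLS|SSL)_(.+?)_WITH_(.+)", name)
    if not m:
        return name
    kx, rest = m.groups()
    # AES_128 -> AES128; CBC is implicit in OpenSSL names, so drop it.
    rest = re.sub(r"AES_(\d+)", r"AES\1", rest).replace("_CBC", "")
    prefix = "" if kx == "RSA" else kx + "-"  # OpenSSL omits the static-RSA prefix
    return (prefix + rest).replace("_", "-")


def classify(name):
    """Return 'supported', or the announcement's reason for dropping the suite."""
    n = normalize(name)
    if n in SUPPORTED:
        return "supported"
    if not n.startswith(("ECDHE-", "DHE-", "TLS_")):  # TLS 1.3 is always ephemeral
        return "no forward secrecy"
    if not any(aead in n for aead in ("GCM", "CCM", "CHACHA20")):
        return "CBC mode"
    return "not in Bitbucket's supported list"


def audit(client_suites):
    """Return (will_still_connect, usable_suites) for a client's cipher list."""
    usable = [s for s in client_suites if classify(s) == "supported"]
    return bool(usable), usable


def local_python_suites():
    """Cipher names this interpreter's ssl module offers with default settings,
    i.e. what an API client built on Python's standard library would send."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]


# libcurl prints this line during the handshake when GIT_CURL_VERBOSE=1 (or
# curl -v) is used; the format is assumed from libcurl's verbose output.
_CURL_HANDSHAKE = re.compile(r"SSL connection using (\S+) / (\S+)")


def negotiated_from_curl_verbose(output):
    """Return (protocol, cipher) from verbose curl/git output, or None."""
    m = _CURL_HANDSHAKE.search(output)
    return m.groups() if m else None


# Constructed sample of verbose output from an old client (not a real capture;
# the address is from the TEST-NET range).
SAMPLE_OLD_CLIENT = """\
* Connected to bitbucket.org (203.0.113.10) port 443 (#0)
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA
* Server certificate:
"""

if __name__ == "__main__":
    for s in DEPRECATED:
        print(f"{s:42} -> {normalize(s):28} {classify(s)}")
    ok, usable = audit(local_python_suites())
    print("\nThis Python's ssl module will still connect:", ok, usable[:3], "...")
    proto, cipher = negotiated_from_curl_verbose(SAMPLE_OLD_CLIENT)
    print(f"\nSample client negotiated {proto} / {cipher}: {classify(cipher)}")
```

To audit another client, feed its offered cipher list (for example from a packet capture of its Client Hello, or from `openssl ciphers -v` for the OpenSSL build it links against) to audit(); any client whose list yields (False, []) will stop connecting when the change lands.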

I've found an affected library or client, or you've contacted me to tell me that I will be affected by this change. What do I need to do?

Upgrade anything that is affected before August 3, 2020. The exact details of your upgrade will depend on what you use and how it's installed; we don't have enough room here to list all the different combinations, unfortunately, but we hope that the section above can point you in the right direction. (We'll remind everyone as August approaches, but if anything you use is affected then you need to start planning this out now.)

We understand that system upgrades can be complicated, especially on shared systems, but keeping your repositories secure is a priority for us. We appreciate your support and patience as we disable old, insecure cipher suites in six months' time.