Occasional logouts occur due to peer not authenticated SSL errors

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

On Java versions 11.0 to 11.0.2, occasional logouts can occur during the authentication process to Crowd.

This manifests as an occasional request being rejected by Jira with HTTP response code 401, indicating the user is not logged in.

Environment

  • Jira Server or Data Center

  • Integrated with Crowd

  • Java 11 below version 11.0.3 is used

  • Crowd is integrated with Jira over TLS 1.3

Diagnosis

You experience the following symptoms:

  1. Your Jira matches the "Environment" details above

  2. When viewing the browser DevTools Network tab, you observe that requests are sometimes denied by the Jira server with error 401, with the endpoint returning "Client must be authenticated to access this resource". However, subsequent requests succeed.

  3. You observe the following errors in logs associated with the failed request

    [c.a.c.integration.seraph.CrowdAuthenticator] Error while attempting to check if user isAuthenticated with Crowd

    and

    [c.a.c.integration.seraph.CrowdAuthenticator] Error while attempting to check if user isAuthenticated with Crowd
    com.atlassian.crowd.exception.OperationFailedException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.andReceive(RestExecutor.java:370)
        at com.atlassian.crowd.integration.rest.service.RestCrowdClient.validateSSOAuthenticationAndGetSession(RestCrowdClient.java:916)
        at com.atlassian.crowd.integration.http.CrowdHttpAuthenticatorImpl.checkAuthenticated(CrowdHttpAuthenticatorImpl.java:132)
        at com.atlassian.crowd.integration.http.CacheAwareCrowdHttpAuthenticator.checkAuthenticated(CacheAwareCrowdHttpAuthenticator.java:78)
        at com.atlassian.crowd.integration.seraph.CrowdAuthenticator.checkAuthenticated(CrowdAuthenticator.java:269)
        at com.atlassian.crowd.integration.seraph.CrowdAuthenticator.getUser(CrowdAuthenticator.java:397)
        at com.atlassian.jira.security.login.SSOSeraphAuthenticator.getUser(SSOSeraphAuthenticator.java:63)
        <SNIP>
        at java.base/java.lang.Thread.run(Thread.java:834)
    Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:526)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:464)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397)
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.upgrade(DefaultHttpClientConnectionOperator.java:193)
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.upgrade(PoolingHttpClientConnectionManager.java:389)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
        at org.apache.http.impl.client.cache.CachingExec.callBackend(CachingExec.java:592)
        at org.apache.http.impl.client.cache.CachingExec.execute(CachingExec.java:269)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
        at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.executeCrowdServiceMethod(RestExecutor.java:487)
        at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.andReceive(RestExecutor.java:361)
        ... 142 more
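
Added example, not Atlassian's code: a Python triage helper for diagnosis steps 1 and 3 that checks `java -version` output against the affected range and counts log entries matching the stack-trace signature above. The function names, the timestamp-prefixed log layout and the sample log are assumptions constructed for illustration; it does not check which TLS version is negotiated with Crowd.

```python
import re

# Signature strings taken from the stack trace in this article.
CROWD_ERR = "Error while attempting to check if user isAuthenticated with Crowd"
PEER_ERR = "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated"
RESUME_FRAME = "sun.security.ssl.SSLSessionImpl.getPeerCertificates"
ENTRY_START = r"(?m)^(?=\d{4}-\d{2}-\d{2} )"  # assumed: entries begin with a date


def java_is_affected(version_output):
    """True if `java -version` output reports Java 11 below 11.0.3."""
    m = re.search(r'version "([^"]+)"', version_output)
    if not m:
        raise ValueError("no version string found")
    # Handles "11", "11.0.2", "11.0.2+9", "11.0.1-ea" and legacy "1.8.0_202".
    core = re.split(r"[-+_]", m.group(1))[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return parts[0] == 11 and tuple(parts[:3]) < (11, 0, 3)


def count_resumption_failures(log_text):
    """Count Crowd auth errors whose stack trace matches this article's signature."""
    entries = re.split(ENTRY_START, log_text)
    return sum(
        1 for e in entries
        if all(s in e for s in (CROWD_ERR, PEER_ERR, RESUME_FRAME)))


# Constructed sample log (timestamps, thread names and the last two entries are invented).
SAMPLE_LOG = """\
2025-01-01 10:00:00,000 http-nio-8080-exec-1 ERROR [c.a.c.integration.seraph.CrowdAuthenticator] Error while attempting to check if user isAuthenticated with Crowd
com.atlassian.crowd.exception.OperationFailedException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
\tat com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.andReceive(RestExecutor.java:370)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
\tat java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:526)
2025-01-01 10:00:05,000 http-nio-8080-exec-2 ERROR [c.a.c.integration.seraph.CrowdAuthenticator] Error while attempting to check if user isAuthenticated with Crowd
com.atlassian.crowd.exception.OperationFailedException: java.net.ConnectException: Connection refused
2025-01-01 10:00:09,000 http-nio-8080-exec-3 INFO [constructed.Other] unrelated entry
"""

if __name__ == "__main__":
    print("affected JVM:", java_is_affected('openjdk version "11.0.2" 2019-01-15'))
    print("matching log entries:", count_resumption_failures(SAMPLE_LOG))
```
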

Cause

There is a bug in Java 11 below 11.0.3 where resumed TLS 1.3 sessions do not preserve the peer certificate chain that is held in the initially created SSLSession object. When Jira reaches out to Crowd to validate whether the user is authenticated, it does so over an SSL/TLS connection. If this connection uses TLS 1.3, the bug can cause the TLS connection to fail, and with it the request to Crowd.

For more information, please see OpenJDK bug: JDK-8212885

Solution

Upgrade to JRE/JDK 11.0.3 or higher

For more information, see the KB article Installing Java

Updated on March 21, 2025
