How To Disable SSLv3 to Mitigate Against POODLE Exploit for JIRA

If JIRA sits behind a reverse proxy that terminates SSL/TLS for it (for example Apache or nginx), the following information does not apply: Tomcat never sees the handshake. Instead, disable SSLv3 in the configuration of the proxy in front of JIRA.

Use Case

If you have enabled the SSL connector for JIRA in <jira_install>/conf/server.xml, the default settings do not block SSLv3, which is vulnerable to the POODLE attack (CVE-2014-3566): an attacker who can force a client to fall back to SSLv3 can exploit its weak CBC padding check to recover plaintext such as session cookies. Two changes to the SSL connector are needed: remove sslProtocol="TLS" and add an explicit list of enabled protocols. The attribute sslProtocol="TLS" only selects which JSSE SSLContext Tomcat creates; it does not restrict the handshake, so on a JDK that still enables SSLv3 by default the connector accepts SSLv3 connections as well as TLS. You can tell whether you are affected by opening <jira_install>/conf/server.xml and looking at the SSL connector; an affected connector looks like this:

<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
           URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>

Resolution

  • Edit the SSL connector in server.xml as follows:

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
               URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>
  • In older versions of Tomcat (up to 6.0.32) the attribute sslEnabledProtocols did not exist. If you are running JIRA 5.2.11 or older, edit the SSL connector as follows instead (note the attribute name sslProtocols, plural):

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
               URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>
  • At this point you can start JIRA and use a scanner such as SSLScan (or openssl s_client -ssl3, where your OpenSSL build still includes SSLv3 support) to verify that the connector completes handshakes only over TLS and refuses SSLv3.
  • Java 7 or higher is required for TLSv1.1 and TLSv1.2. Java 6 supports only SSLv3 and TLSv1, so on Java 6 list only TLSv1; an unsupported protocol name in the list prevents the connector from starting. Recent JDK updates also disable SSLv3 through the jdk.tls.disabledAlgorithms security property, but the explicit connector setting is the reliable control because it does not depend on the JDK version.
  • In the older Tomcat syntax, sslProtocol (singular) accepts a single value; use the sslProtocols (plural) attribute when you need to enable more than one protocol.
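The verification step above depends on a scanner that can still speak SSLv3, which current OpenSSL builds often cannot. The following is an added example, not part of the original article or of Atlassian's code: it sends a raw SSLv3 ClientHello to the connector and classifies the first record the server returns. A server that still enables SSLv3 answers with an SSLv3 ServerHello; a correctly configured Tomcat/JSSE connector either sends a fatal alert or simply closes the connection. The host and port are assumptions (JIRA's connector is on 8443 in the server.xml above), and the cipher-suite list and test records are constructed for the example.

```python
"""Raw SSLv3 handshake probe for a Tomcat/JIRA HTTPS connector.

Added example (not Atlassian's code). Assumes the connector listens on
host:port, 8443 by default as in the server.xml shown above.
"""
import socket
import struct

SSLV3 = b"\x03\x00"  # protocol version bytes for SSLv3 (record and handshake)

# Constructed list of SSLv3-era cipher suites; any suite the server would
# accept under SSLv3 is enough to make the probe meaningful.
CIPHER_SUITES = bytes.fromhex(
    "002f"  # TLS_RSA_WITH_AES_128_CBC_SHA
    "0035"  # TLS_RSA_WITH_AES_256_CBC_SHA
    "000a"  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    "0005"  # TLS_RSA_WITH_RC4_128_SHA
)


def build_sslv3_client_hello(client_random=b"\x11" * 32):
    """Return one SSLv3 record carrying a ClientHello that offers only SSLv3."""
    body = (
        SSLV3                                  # client_version = 3.0
        + client_random                        # 32 bytes of (fixed, constructed) random
        + b"\x00"                              # session_id length = 0
        + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
        + b"\x01\x00"                          # compression_methods: null only
    )
    # Handshake header: type 0x01 (ClientHello) + 24-bit body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 0x16 (handshake), version, 16-bit length.
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the server's first bytes: 'ACCEPTED', 'REFUSED' or 'UNKNOWN'.

    JSSE-based connectors that have SSLv3 disabled usually close the socket
    without sending anything, so an empty or truncated reply counts as refused.
    """
    if len(data) < 5:
        return "REFUSED"
    content_type, major, minor = data[0], data[1], data[2]
    if content_type == 0x15:
        # Alert record (e.g. protocol_version or handshake_failure): SSLv3 refused.
        return "REFUSED"
    if content_type == 0x16 and (major, minor) == (3, 0) and len(data) >= 6 and data[5] == 0x02:
        # Handshake record, version 3.0, handshake type 0x02 = ServerHello:
        # the server agreed to speak SSLv3.
        return "ACCEPTED"
    return "UNKNOWN"


def probe_sslv3(host, port=8443, timeout=5.0):
    """Connect to host:port, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "jira.example.internal"  # assumed host
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    print("SSLv3 on %s:%d -> %s" % (target, target_port, probe_sslv3(target, target_port)))
```

Run it against the connector after restarting JIRA; the expected result for a fixed connector is REFUSED. UNKNOWN means the server sent something other than a ServerHello or alert (for example an HTTP response because the port is not actually TLS) and should be investigated rather than treated as a pass. The probe only establishes whether SSLv3 is negotiable; it does not enumerate cipher suites, so a full scanner such as SSLScan is still worth running afterwards.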

