How to change the SSL/TLS protocols used by Tomcat


If JIRA is running behind a proxy that terminates SSL/TLS, the following information does not apply: the protocol versions a client can negotiate are decided by the proxy, so you will need to change the proxy's configuration to disable the flagged protocol versions (SSLv3, TLSv1, TLSv1.1) instead. It is recommended to host JIRA behind a reverse proxy that terminates TLS, as per the reverse-proxy documentation, rather than terminating SSL on Tomcat itself.

Purpose

Admins may need to change the protocols used by Tomcat in response to a security scan that flags protocol versions such as TLSv1 and TLSv1.1 as insecure. The connector below is the target configuration: only TLSv1.2 and TLSv1.3 are enabled. TLSv1.3 requires a JVM that implements it (Java 11 or later, or a recent Java 8 update); on an older JVM only TLSv1.2 will actually be negotiated.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
              maxHttpHeaderSize="8192" SSLEnabled="true"
              maxThreads="150" minSpareThreads="25"
              enableLookups="false" disableUploadTimeout="true"
              acceptCount="100" scheme="https" secure="true"
              sslEnabledProtocols="TLSv1.2+TLSv1.3"
              clientAuth="false" useBodyEncodingForURI="true"
              keyAlias="jira" keystoreFile="<Jira_HOME>/jira.jks" keystorePass="changeit" keystoreType="JKS"/>

If the connector only offers outdated SSL/TLS protocols, you may also notice that modern browsers such as Google Chrome refuse to connect to the SSL-enabled instance and show the following error (or similar):

A secure connection cannot be established because this site uses an unsupported protocol

Solution

  • Edit the sslEnabledProtocols attribute of the SSL connector in conf/server.xml (on Tomcat 8.5 and later this Connector attribute is a deprecated alias for the protocols attribute of a nested SSLHostConfig element). For example, to accept only TLSv1.2 and TLSv1.3: 

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslEnabledProtocols="TLSv1.2+TLSv1.3" SSLEnabled="true"
               URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>


    • In older versions of Tomcat (up to 6.0.32) the sslEnabledProtocols attribute did not exist. If you're running JIRA 5.2.11 or older, edit the sslProtocol attribute of the SSL connector as follows instead. Note that Tomcat 6 and the Java releases it ran on are long out of support and do not implement TLSv1.3; upgrading JIRA is the proper fix:

      <Connector port="8443" maxHttpHeaderSize="8192"
                 maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                 enableLookups="false" disableUploadTimeout="true"
                 acceptCount="100" scheme="https" secure="true"
                 clientAuth="false" sslProtocol="TLSv1+TLSv1.1+TLSv1.2" SSLEnabled="true"
                 URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>
  • Use the + sign to add protocols. On Tomcat 8.5 and later the value is processed left to right, starting from an empty set: a token prefixed with + is added, a token prefixed with - is removed, a plain comma-separated list is still accepted for compatibility, and the token all expands to every protocol the implementation supports (SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3; SSLv2 and SSLv3 are never part of all). 
  • The - sign only does something when it removes a protocol that an earlier token added, which makes it useful together with all, for example sslEnabledProtocols="all-SSLv2Hello-TLSv1-TLSv1.1". A value such as sslEnabledProtocols="-SSLv2-SSLv3-TLSv1+TLSv1.2+TLSv1.3", which some installations used, is still accepted, but its leading removals are no-ops because the set is empty at that point; it is equivalent to TLSv1.2+TLSv1.3. 
  • Restart JIRA after editing server.xml and check catalina.out (or the Jira application log) for warnings from Tomcat about the protocol list, such as a missing +/- prefix or a protocol name the JVM does not support. 
  • For more information, refer to the Tomcat documentation: The HTTP Connector > SSL Support - SSLHostConfig, attribute protocols.
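The following script is an added example and is not Tomcat or Atlassian code. It re-implements the left-to-right add/remove semantics documented for the SSLHostConfig protocols attribute (and its deprecated Connector alias sslEnabledProtocols) in Tomcat 8.5/9, so you can check what a server.xml value yields before restarting JIRA. The expansion of the all alias follows the current Tomcat 9 documentation; the assumption that a nested SSLHostConfig element takes precedence over the Connector attribute, and the sample server.xml fragment, are this example's own.

```python
"""Work out which protocol versions a Tomcat connector will really enable.

Added example, not Tomcat or Atlassian code: re-implements the documented
left-to-right +/- semantics of SSLHostConfig.protocols (Tomcat 8.5/9).
"""
import re
import xml.etree.ElementTree as ET

# Expansion of the "all" alias per the current Tomcat 9 docs (assumption:
# older builds without TLSv1.3 support expand it without TLSv1.3).
ALL_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# Versions a vulnerability scan flags, per the article.
LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def effective_protocols(value: str) -> set[str]:
    """Return the set Tomcat builds from `value`.

    Starting from an empty set, tokens are applied left to right: "+name"
    adds, "-name" removes, ",name" or a bare name adds (Tomcat warns about a
    bare name that is not the first token), and "all" stands for
    ALL_PROTOCOLS.  Removing something not yet added is a silent no-op,
    which is why "-SSLv3+TLSv1.2" equals "TLSv1.2".
    """
    enabled: set[str] = set()
    # Split *before* each separator so the sign stays attached to its token.
    for raw in re.split(r"(?=[-+,])", value):
        token = raw.strip()
        if len(token) <= 1:  # empty string or a lone separator
            continue
        if token[0] in "+-,":
            op, name = token[0], token[1:].strip()
        else:
            op, name = "+", token
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if op == "-":
            enabled -= names
        else:
            enabled |= names
    return enabled


def legacy_enabled(value: str) -> list[str]:
    """Legacy versions a scanner would flag for this value, sorted."""
    return sorted(effective_protocols(value) & LEGACY)


def audit_server_xml(xml_text: str) -> dict[str, set[str]]:
    """Map the port of every TLS connector in a server.xml to its protocol set.

    A nested <SSLHostConfig protocols="..."> wins over the Connector-level
    sslEnabledProtocols attribute (assumption about precedence); if neither
    is set, Tomcat's documented default is "all".
    """
    report: dict[str, set[str]] = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        host_cfg = conn.find("SSLHostConfig")
        if host_cfg is not None and host_cfg.get("protocols"):
            value = host_cfg.get("protocols")
        else:
            value = conn.get("sslEnabledProtocols", "all")
        report[conn.get("port", "?")] = effective_protocols(value)
    return report


# Constructed server.xml fragment for the demonstration (not a real Jira file).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1+TLSv1.1+TLSv1.2"
             keystoreFile="/opt/jira/jira.jks" keystorePass="changeit"/>
  <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="all-TLSv1-TLSv1.1-SSLv2Hello">
      <Certificate certificateKeystoreFile="/opt/jira/jira.jks"
                   certificateKeystorePassword="changeit"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    for port, protos in audit_server_xml(SAMPLE_SERVER_XML).items():
        flagged = sorted(protos & LEGACY)
        print(f"port {port}: {sorted(protos)} flagged={flagged or 'none'}")
```

Run it against your own file with audit_server_xml(open("conf/server.xml").read()); the 8443 connector in the sample is the one a scan would flag, the 8444 one shows the all-minus-legacy form producing the same set as TLSv1.2+TLSv1.3.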

To confirm that only the expected protocols are accepted, run curl against the connector with --tls-max (see the curl documentation), adding the matching --tlsv1.0, --tlsv1.1, --tlsv1.2 or --tlsv1.3 flag when you want to pin a single version rather than set a ceiling. For example, if TLS 1.0 is disabled while TLS 1.2 is allowed, curl -v --tlsv1.0 --tls-max 1.0 https://<your-jira-url> fails during the handshake, while curl -v --tlsv1.2 --tls-max 1.2 https://<your-jira-url> shows a completed TLS 1.2 handshake in the verbose output and returns the page. Read the failure message, not just the exit code: a "tlsv1 alert protocol version" error means the server refused the version, which is what you want, whereas "unsupported protocol" comes from your own curl build (curl linked against OpenSSL 3 will not offer TLS 1.0 or 1.1 at its default security level) and proves nothing about the server. Run the test from a client that reaches Tomcat directly; through a reverse proxy you are measuring the proxy's configuration.
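The script below is an added example, not part of the Atlassian article or of Tomcat. It does with Python's ssl module what the curl --tls-max test above does, one pinned handshake per version, and separates "the server rejected this version" from "my own TLS library refused to offer it", which a bare curl failure does not. The hostname, the default port 8443 and the verdict strings are this example's own choices.

```python
"""Probe which TLS versions a Jira HTTPS connector accepts, one version at a time.

Added example (not from the Atlassian article or Tomcat): a Python
equivalent of the curl --tlsv1.x --tls-max test that also reports whether
a failure came from the server or from the local OpenSSL build.
"""
import socket
import ssl
import warnings

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

REJECTED = "rejected by server"
REFUSED_LOCALLY = "refused by local TLS library"


def classify(error_text: str) -> str:
    """Verdict for a failed handshake, from the SSLError message text."""
    text = error_text.lower()
    # A TLS alert is the server's answer: the version was offered and turned down.
    if "alert protocol version" in text or "alert handshake failure" in text:
        return REJECTED
    # OpenSSL never sent a ClientHello for this version: says nothing about the server.
    if ("unsupported protocol" in text or "no protocols available" in text
            or "no cipher can be selected" in text):
        return REFUSED_LOCALLY
    return "handshake error: " + error_text


def pinned_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that offers exactly one protocol version."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing protocol policy, not the certificate chain
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # re-enabling TLS 1.0/1.1 warns
        ctx.minimum_version = version
        ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 blocks TLS 1.0/1.1 at its default security level; lower it so the
        # client really offers them and the server's reply is what gets measured.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def probe(host: str, port: int = 8443, timeout: float = 5.0) -> dict[str, str]:
    """One handshake per version; returns {version name: verdict}."""
    results: dict[str, str] = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with pinned_context(version).wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = f"accepted ({tls.version()})"
        except ssl.SSLError as exc:
            results[name] = classify(str(exc))
        except ValueError:  # this Python/OpenSSL build cannot even configure the version
            results[name] = REFUSED_LOCALLY
        except OSError as exc:  # refused, reset or timed out: inconclusive
            results[name] = f"connection error: {exc}"
    return results


def matches_policy(results: dict[str, str]) -> bool:
    """True only if TLS 1.0/1.1 were rejected *by the server* and TLS 1.2 works.

    A legacy version that was merely refused locally is inconclusive, so it fails.
    """
    legacy_rejected = all(results.get(v) == REJECTED for v in ("TLSv1", "TLSv1.1"))
    return legacy_rejected and results.get("TLSv1.2", "").startswith("accepted")


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "jira.example.com"  # assumed hostname
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    verdicts = probe(host, port)
    for name, verdict in verdicts.items():
        print(f"{name:8s} {verdict}")
    print("policy OK" if matches_policy(verdicts) else "policy NOT confirmed")
```

Usage: python3 tls_probe.py jira.example.com 8443. A result of "refused by local TLS library" for TLSv1 means the check could not be performed from this client (the script already lowers OpenSSL's security level, so this mainly happens with builds that have TLS 1.0/1.1 compiled out); re-run from a client whose TLS library still offers the legacy versions before treating the server as hardened.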



Last modified on Mar 19, 2024
