How to change the SSL/TLS protocols used by Tomcat (Jira Server and Data Center)
If JIRA is running behind a proxy that handles SSL, the following information does not apply. Instead, you will need to modify the configuration of the proxy in front of JIRA to disable SSLv3. It is recommended to host JIRA behind a reverse proxy, as per the documentation below, rather than terminate SSL on Tomcat:
Purpose
Admins may need to change the protocols used by Tomcat in response to a security scan that flags protocol versions such as TLSv1 and TLSv1.1 as insecure.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxHttpHeaderSize="8192" SSLEnabled="true"
           maxThreads="150" minSpareThreads="25"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           sslEnabledProtocols="TLSv1.2+TLSv1.3"
           clientAuth="false" useBodyEncodingForURI="true"
           keyAlias="jira" keystoreFile="<Jira_HOME>/jira.jks" keystorePass="changeit" keystoreType="JKS"/>
If you're running outdated SSL/TLS protocols, you may also notice that some web browsers, such as Google Chrome, fail to browse to your SSL-enabled instance with the following error (or similar):
A secure connection cannot be established because this site uses an unsupported protocol
Solution
Edit one of the sslProtocol or sslEnabledProtocols attributes of the SSL connector in server.xml:
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true" clientAuth="false"
           sslEnabledProtocols="TLSv1+TLSv1.1+TLSv1.2" SSLEnabled="true"
           URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>
In older versions of Tomcat (up to 6.0.32) the property sslEnabledProtocols didn't exist. If you're running JIRA 5.2.11 or older, please edit the SSL connector as follows instead:
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLSv1+TLSv1.1+TLSv1.2" SSLEnabled="true"
           URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>
- Make sure you use the + sign to add protocols.
- In some cases the - sign was necessary in order to restrict some protocols. For example: sslEnabledProtocols="-SSLv2-SSLv3-TLSv1+TLSv1.2+TLSv1.3"
- For more information, refer to The HTTP Connector > SSL Support - SSLHostConfig
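The following is an added audit script, not code from Atlassian or Tomcat. It evaluates the +/- protocol list syntax described above and reports, for every SSL-enabled Connector in a server.xml, which legacy versions remain enabled. It assumes an unset list means Tomcat's "all" default and treats the expansion of "all" as a worst-case guess (assumptions marked in comments); the server.xml it parses is a constructed sample.

```python
# Added audit example (not Atlassian's or Tomcat's code): parse server.xml, find
# SSL-enabled Connectors and report which enabled protocol versions are weak.
import re
import xml.etree.ElementTree as ET

WEAK = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: what "all" expands to depends on Tomcat/JVM; assume the worst case.
ALL_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
def parse_protocols(value):
    """Left to right, as the article describes: '+' adds, '-' removes, ',' acts
    like '+', starting from an empty set; 'all' expands to ALL_PROTOCOLS."""
    enabled = set()
    for token in re.split(r"(?=[-+,])", value):  # split but keep each sign
        sign = "+"
        if token and token[0] in "+-,":
            sign, token = token[0], token[1:]
        name = token.strip()
        if not name:
            continue
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled

def audit_server_xml(xml_text):
    """One finding per SSLEnabled Connector: port, enabled set and weak subset."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        value = conn.get("sslEnabledProtocols")
        host_cfg = conn.find("SSLHostConfig")  # Tomcat 8.5+ may hold the list here
        if value is None and host_cfg is not None:
            value = host_cfg.get("protocols")
        legacy = conn.get("sslProtocol", "")  # a +/- list only on Tomcat <= 6.0.32;
        if value is None and re.search(r"[-+,]", legacy):  # plain "TLS" is not a list
            value = legacy
        enabled = parse_protocols(value) if value else set(ALL_PROTOCOLS)  # unset = all
        findings.append({"port": conn.get("port"), "enabled": enabled,
                         "weak": enabled & WEAK})
    return findings

# Constructed sample server.xml, not taken from a real installation.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1+TLSv1.1+TLSv1.2"/>
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="-SSLv2-SSLv3-TLSv1+TLSv1.2+TLSv1.3"/>
  </Connector></Service></Server>"""
```

Run audit_server_xml on the text of your own server.xml; any non-empty "weak" set is a connector a scanner would flag.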
To test whether the SSL/TLS protocols are being used as expected, one method is to use curl (see its documentation for more details) with the --tls-max parameter (if necessary, also use --tlsv1.0, --tlsv1.1, --tlsv1.2 or --tlsv1.3 to force the protocol). As an example, if TLS 1.0 is blocked while TLS 1.2 is allowed, the test "curl <your jira-url> -v --tls-max 1.0" will return an error, while "curl <your jira-url> -v --tls-max 1.2" will complete the TLS 1.2 handshake and return the expected output.