Windows Server 2012 and Windows 8 SSL/TLS handshake fails with Jira and Confluence Cloud

 

Problem

Windows Server 2012 and Windows 8 and earlier clients may see the following error messages when integrating with Jira and Confluence Cloud APIs:

  • fatal TLS/SSL alert is received , more details may be available in Windows system event log.
  • 9368:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake fa

 

Root Cause

To improve performance and address constantly evolving threats on the web, Atlassian is enabling the AWS CloudFront Content Delivery Network (CDN) and Web Application Firewall (WAF) for all Confluence and Jira Cloud customers.

A side effect of this change is the deprecation of the following three ciphers:

  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

This change was announced here: https://developer.atlassian.com/cloud/jira/platform/changelog/#CHANGE-2383

For the list of currently supported ciphers, please visit https://support.atlassian.com/security-and-access-policies/docs/supported-security-protocols-for-atlassian-cloud-products/ .

We are working with our CDN provider to allow the simultaneous use of RSA and ECDSA ciphers, which may mitigate this issue, but there is no near-term solution.

Native applications on Windows Server 2012 (including R2) and Windows 8.1, such as Internet Explorer or Invoke-WebRequest, rely on the built-in Schannel TLS implementation and may fail to interact with Jira and Confluence Cloud.

Other affected clients on Windows Server 2012 (including R2) and Windows 8.1 include:

  • Native compilations of curl and libcurl that depend on Schannel

  • Microsoft-specific standard HTTP libraries, e.g. those in ASP.NET on Windows Server 2012 or Windows 8.

The problem stems from a lack of support for modern cipher suites due to the operating system no longer receiving updates from Microsoft.

 

Resolution

There are a number of ways to resolve this problem.

  • For browsing Jira and Confluence Cloud, use an updated browser such as Chrome, Firefox or Edge.

  • Update to an operating system with improved TLS cipher support, such as Windows 10 or Windows Server 2016 and later.

  • For curl, libcurl and other HTTP libraries, use a cross-compiled version that uses LibreSSL or OpenSSL. The official precompiled curl binary for Windows uses LibreSSL: https://curl.se/windows/

  • Alter your software to use an alternative HTTP/SSL/TLS library, or write it in a language that can use LibreSSL, OpenSSL or BoringSSL, e.g. libcurl, Python, Node, Java, Go, etc.

  • Add a small HTTP proxy between your application and Jira/Confluence Cloud (e.g. Nginx, HAProxy, Caddy, Traefik, Kong) that can negotiate TLS on behalf of your application. (Specific instructions on how to achieve this are not provided here.)

  • Use the hosts file to pin your Jira/Confluence domain to our old IPs:
    https://www.howtogeek.com/27350/beginner-geek-how-to-edit-your-hosts-file/
    Note: These old IPs will only be available until October 2025.

    • US 104.192.142.18

    • Europe 185.166.143.36

    • Asia 13.200.41.128
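
Before moving an integration to an OpenSSL-backed client, you can confirm that it completes the handshake without the three deprecated suites. The script below is an added example using Python's standard `ssl` module, not Atlassian's code; the function names are hypothetical and the host name you pass (for example `your-site.atlassian.net`) is a placeholder for your own site.

```python
import socket
import ssl
import sys

# The three suites the article lists as deprecated: IANA name -> OpenSSL name.
DEPRECATED = {
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-ECDSA-CHACHA20-POLY1305",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
}


def context_without_deprecated():
    """Verifying client context that no longer enables the three suites."""
    ctx = ssl.create_default_context()  # certificate and host name checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Take the library's default list and strike the deprecated suites by name.
    ctx.set_ciphers("DEFAULT:" + ":".join("!" + name for name in DEPRECATED.values()))
    return ctx


def offered_suites(ctx):
    """OpenSSL names of every suite still enabled on this context."""
    return [c["name"] for c in ctx.get_ciphers()]


def probe(host, port=443, timeout=10):
    """Handshake with host; return (TLS version, negotiated suite name)."""
    ctx = context_without_deprecated()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: tls_probe.py <your-site host name>")
    try:
        version, suite = probe(sys.argv[1])
    except ssl.SSLError as exc:
        # A handshake_failure alert like the one quoted under Problem lands here.
        sys.exit(f"handshake failed: {exc}")
    print(f"negotiated {version} with {suite}")
```

A successful run prints the protocol version and suite that were negotiated; a handshake failure here means the replacement client is affected too.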
