Jira allows SSL renegotiation as shown in the following test. Feel free to try it:
% openssl s_client -connect lhce-jira.nlm.nih.gov:8443
...stuff deleted...
R
RENEGOTIATING
...after a request to renegotiate the connection, Jira maintains the connection instead of exiting with a handshake failure...
How can we configure Jira to not allow SSL renegotiation?
I ended up using Apache as a reverse proxy following instructions here and Jira is no longer vulnerable:
https://confluence.atlassian.com/display/JIRA/Integrating+JIRA+with+Apache+using+SSL
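The manual test from the question, scripted so it can be re-run after a configuration change. This is an added example, not part of the original posts. The function names, the 2-second pauses, the failure patterns other than "handshake failure", and the sample transcripts are assumptions made for illustration.

```shell
#!/bin/sh
# classify_reneg: read an `openssl s_client` transcript on stdin (captured
# after sending "R") and print one of: allowed | refused | not-attempted.
# Assumption: a refused renegotiation shows up after the RENEGOTIATING line as
# "handshake failure", an OpenSSL error-queue line (":error:") or "errno=".
classify_reneg() {
    awk '
        /^RENEGOTIATING/ { seen = 1; next }
        seen && /handshake failure|:error:|errno=/ { failed = 1 }
        END {
            if (!seen)       print "not-attempted"
            else if (failed) print "refused"
            else             print "allowed"
        }'
}

# probe_reneg HOST:PORT: live version of the manual test (needs network).
# The pauses give the handshake and the renegotiation time to complete.
probe_reneg() {
    { sleep 2; printf 'R\n'; sleep 2; } |
        openssl s_client -connect "$1" 2>&1 | classify_reneg
}

# Constructed sample transcripts (not captured from a real server).
SAMPLE_ALLOWED='CONNECTED(00000003)
---
RENEGOTIATING
depth=0 CN = jira.example.test
verify return:1
'
SAMPLE_REFUSED='CONNECTED(00000003)
---
RENEGOTIATING
0:error:00000000:SSL routines::ssl handshake failure
'

# Example live call (hypothetical host):
#   probe_reneg jira.example.test:8443
```

A result of "allowed" matches the behaviour described in the question; "refused" is the expected result once the server no longer accepts a client-initiated renegotiation.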