Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Jira vulnerable to CVE-2011-1473 (DoS via repeated SSL session renegotiations)

Leif Neve
Leif Neve February 13, 2013

Jira allows SSL renegotiation as shown in the following test. Feel free to try it:

% openssl s_client -connect lhce-jira.nlm.nih.gov:8443

...stuff deleted...

R

RENEGOTIATING

...after a request to renegotiate the connection, Jira maintains the connection instead of exiting with a handshake failure...

How can we configure Jira to not allow SSL renegotiation?

Answer
Watch
Like Be the first to like this
643 views

1 answer

1 accepted

0 votes
Answer accepted
Leif Neve
Leif Neve February 15, 2013

I ended up using Apache as a reverse proxy following instructions here and Jira is no longer vulnerable:

https://confluence.atlassian.com/display/JIRA/Integrating+JIRA+with+Apache+using+SSL

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events