Got TLSv1.2?

If you're terminating SSL on your Jira server, something administrators miss quite often is setting the ciphers to secure and disabling protocols such as TLSv.1.0 and 1.1.

How to check your settings?

First, go to SSLLabs and drop in your Jira url.  Give it a test.   You'll get a cool looking report card on how you're doing and what you need to do to fix things.

Second, review your server.xml file.  On your Jira application server, this is typically located under the Jira_Home directory in the conf folder.    Scroll down that file and check your connector settings, you'll see something like:

<Connector 
SSLEnabled="true"

if you don't see a line that says "ciphers=".....", you may have a problem.

How to fix it?

So you got a B on your SSLLabs score, and your connector settings in your server.xml look kind of lame.    Lets fix it.

Open back up your server.xml file and lets force sslprotocol to TLS1.2 and lets setup some secure cipher usage.  The final product should look something like:

<Connector 
SSLEnabled="true" acceptCount="100" clientAuth="false" 
connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" 
keyAlias="AwesomeKey" keystoreFile="keystore" keystorePass="rockingpassword" keystoreType="JKS"
maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="443" 
protocol="org.apache.coyote.http11.Http11NioProtocol"
ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!3DES:!DHE:!DH"
scheme="https" secure="true" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" useBodyEncodingForURI="true"
/>

 Obviously, use your own keystore folder and keystore password.

Next, run the SSLLabs test again:

You've done it!

Congratulations, you're now one bit more secure.   

Now a few notes of caution.  Always test this sort of change on your staging environment first, and I've done this on Jira 7.4+. 

Can I use this configuration on Confluence?

Yes, absolutely.... go for it... but do it in your staging server.xml first, please :)

I use Bitbucket, what's its TLSv1.2 Setting?

BitBucket uses a slightly different configuration.  Look in the bitbucket.properties file found in Bitbucket\shared\ folder.  The configuration  lines you need will look like:

server.port=443
server.scheme=https
server.ssl.protocol=TLSv1.2
server.ssl.enabled=true
server.ssl.ciphers=HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!3DES:!DHE:!DH

Last, last note... remember any time you change these config files, you need to restart your instance.  So, service stop/start/restart or restart your application server.