Impact of updated cipher suites on Jira and Jira Service Management

On August 5, 2024, Jira and Jira Service Management will begin updating their Transport Layer Security (TLS) configuration to be consistent with other Atlassian Cloud products. This includes ending support for some weaker cipher suites.

This change may impact sites using the following:

• Incoming mail feature to create new issues and comments in Jira.

• Email requests feature to receive new requests and replies to email notifications in Jira Service Management.

Who is affected?

For Jira:

You can verify if the deprecation notice applies to you by navigating to Jira’s incoming mail feature (cog icon > System > Incoming Mail) and locating the ‘Basic’ Authentication Type, as shown in the Set up your incoming mail server section (screenshot below).

Note: No action is required if you:

• Use mail servers configured with Google/Microsoft OAuth, Google Basic Authentication, or Atlassian’s Default Cloud Mail Server, OR

• Don’t use the incoming mail feature to create new issues and add comments on Jira.

For Jira Service Management:

You can verify if the change applies to you by checking if any of the service projects on your site are configured to receive new requests from external email accounts connected via Basic Authentication. i.e. If you’ve connected your external email account by selecting Other (or Continue with Other) on the Email requests page under Project Settings, then it’s connected using Basic Authentication.

Note: No action is required if you:

• Use mail servers configured with Google/Microsoft OAuth, Google Basic Authentication, or Atlassian’s Default Cloud Mail Server.
  
  

I’m affected by this change. What do I do next?

If the deprecation impacts your site, we will contact you before it comes into effect. If you’d like to be prepared for this change in advance, you can perform the following steps:

For Jira:

• If your organization uses a self-hosted or third-party mail server for the incoming mail feature, contact your IT team or service provider to confirm whether they’re using cipher suites supported by Atlassian.

• Post the deprecation, you can test the connection by going to Jira > Settings > System > Incoming Mail > Mail Handlers (configured with an already functional Basic Authentication mail server) > Edit > Next > Test. A successful test confirms that you’re using supported ciphers, and no action needs to be taken.

For Jira Service Management:

• From your service project, go to Project settings and select Email requests. If you have an external email account connected using Basic Authentication, find out its incoming mail server hostname. Depending on whether the mail server for your email account is self-hosted or managed by a third party, contact your IT team or service provider respectively for cipher details.
  

• Post the deprecation, you can refer to the Connectivity logs (Project settings > Email requests > View logs > Connectivity logs) to check if a connected email account is showing the status as failed due to the Remote host terminated the handshake error.

Supported cipher suites as of August 5, 2024

As of August 5, 2024, your mail servers must accept TLS connections using at least one of the cipher suites below.

• TLS_AES_128_GCM_SHA256

• TLS_AES_256_GCM_SHA384

• TLS_CHACHA20_POLY1305_SHA256

• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

• TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

How can I fix this issue?

For Jira and Jira Service Management, identify mail servers that are connected using Basic Authentication. Then, depending on your incoming mail server, follow the instructions below:

• For self-hosted mail server(s), contact your IT team and ensure they use one of the supported cipher suites.

• For mail server(s) managed by a third party, refer to the support documentation on their official website or contact your service provider. Make sure they use the ciphers that Atlassian supports.

• If you’re using Google Basic Authentication, no action is needed as it supports the latest ciphers. However, to avoid future issues, we recommend you connect via OAuth.

* For Jira Service Management, if the service projects on your site are connected to external email accounts with different incoming mail servers, then you need to perform this check for every mail server.

We understand that system upgrades can be complicated, but keeping your data secure is our priority. We appreciate your support and patience as we turn off old, insecure cipher suites. If the problem persists, contact the support team.