Chrome Browser occasionally returns error code ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION

We are using an older version of JIRA (3.10.2-#262) and we are having issues where users of Chrome (39.0.2171.99 m) will occasionally get the following error ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION when they are in different areas and stages of JIRA. We assume this is something to do with SSLv3 but we cannot find the correct settings that work to use in the server.xml file.

This only happens with Chrome. IE and Firefox do not have the issue.

We've tried this suggestion (https://confluence.atlassian.com/display/JIRA/How+To+Disable+SSLv3+to+Mitigate+Against+POODLE+Exploit+for+JIRA), but we think our tomcat version is too old to support these suggestions.

Here is our Tomcat version info:

Server version: Apache Tomcat/5.5.20
Server built: Sep 12 2006 10:09:20
Server number: 5.5.20.0
OS Name: Windows 2003
OS Version: 5.2
Architecture: x86
JVM Version: 1.5.0_08-b03
JVM Vendor: Sun Microsystems Inc.

13 answers

I'm in the same boat with Enterprise Edition, Version: 3.13.2-#335 and Tomcat 6.0.18. Working from this article http://serverfault.com/questions/637649/how-do-i-disable-sslv3-support-in-apache-tomcat, I added sslEnabledProtocols="TLSv1" to server.xml and it didn't fix the issue. I'd swear that it seemed to reduce the issue a little, but that could be my imagination.


I then noticed that someone said, 'sslEnabledProtocols didn't work for us on Tomcat 6. sslProtocols = "TLSv1,...."', so I'm going to try that next.

And I see that the article you linked to also points out that my version of Tomcat won't support the sslEnabledProtocols option.

I'll keep you updated and I'd appreciate very much if you did the same.

No luck.  Some strange results, though.

Switching to sslProtocols = "TLSv1" seemed to result in sporadic (like the FALLBACK_BEYOND_MINIMUM_VERSION) SSL PROTOCOL MISMATCH errors on Chrome 39 (Linux) and "This page can't be displayed.  Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings..." on 2 out of 3 installations of IE11 (version 11.0.9600.17501 on 2008R2 worked, where 11.0.9600.17498 on W8.1 didn't; still waiting on the other version).  If I disabled SSL 3.0 in IE11, I got permanent PROTOCOL MISMATCH errors.

What JVM version are you running? We are looking to try and snapshot our installation and upgrade our JAVA and Tomcat to see if Confluence will work with a new version and then use the suggestions in https://confluence.atlassian.com/display/JIRA/How+To+Disable+SSLv3+to+Mitigate+Against+POODLE+Exploit+for+JIRA

Java version "1.6.0_11".

I was re-reading that article and I think I may have been making a mistake.  I was under the impression originally that the config should say both 'sslProtocol="TLS"' (meaning "use SSL") and 'sslProtocols="TLSv1,TLSv1.1,TLSv1.2"' (meaning "specifically only allow these versions").  The way you read it, since I can only support TLSv1 on this version of Tomcat, should it actually be "sslProtocol=TLSv1"?

Hope you're having some success on your end. I'm going to try sslProtocol=TLSv1 tonight. I still don't understand how the issue can be intermittent, though.

We have not had time this week to work on the issue, we will start back up next week. I'll keep you posted of our results.

Just letting you know everything I've worked out so far (deep breath): If you didn't know, openssl has an "s_client" option that lets you quickly test various SSL/TLS functions (beware of this bug in 1.0.1j: https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1270845.html). Using "openssl s_client -ssl3 -no_tls1 -connect jira:443" I could verify that in our current configuration, SSLv3 was enabled. Then I played around with all the server.xml options until it stopped working. The winner was sslProtocols="TLSv1". I could verify with openssl that SSLv3 was not enabled. Conversely, with "openssl s_client -no_ssl3 -no_tls1_2 -no_tls1_1 -connect jira:443" I could verify that TLSv1 was enabled. I was able to verify the same thing by briefly exposing my Jira externally and using SSL Labs' test: https://www.ssllabs.com/ssltest/

That's the good news. Now here's the bad news: Things are still broken, just differently. In Chrome 39 (Linux), I now get "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" like I used to get "ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION". Someone on my team reports that Chrome 40 is working like a charm, but I haven't been able to verify that yet.

In IE 11.0.9600.17498 and .17416 (on Windows 8.1 and Windows Server 2012 R2, respectively) with SSL 3.0 enabled (default) I get "This page can't be displayed" ALWAYS, but with SSL 3.0 disabled, I get "This page can't be displayed. Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings". In IE 11.0.9600.17501, things work perfectly (note that that version was just hit by this vulnerability: http://thehackernews.com/2015/02/internet-explorer-xss.html). However, I can't get any of the 17498 machines to update to that version for love or money (IE versioning is unfathomably terrible). If you find a way, please let me know.
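An added example, not code from this thread or from Atlassian: a small POSIX shell script that automates the "openssl s_client" check described above, probing each protocol version the thread mentions and classifying the handshake result so you can confirm what a server.xml change actually did. It assumes openssl is on PATH and that host and port are given on the command line.

```shell
#!/bin/sh
# Added example, not code from the thread: automates the "openssl s_client"
# check above to confirm which SSL/TLS versions an endpoint still accepts
# after editing server.xml. Assumes openssl is on PATH; host and port are
# supplied by the caller (e.g. ./tlsaudit.sh jira 443).

# classify_handshake reads s_client output on stdin and prints one word:
#   accepted    - a session was negotiated (a real cipher was chosen)
#   rejected    - the server refused that version (no cipher, handshake failure)
#   unsupported - the local openssl build does not know the flag at all
#                 (modern builds ship with SSLv3 compiled out, so -ssl3 then
#                 says something about the client, not the server)
classify_handshake() {
  out=$(cat)
  case "$out" in
    *"nknown option"*)                          echo unsupported ;;
    *"Cipher is (NONE)"*|*"handshake failure"*) echo rejected ;;
    *"Cipher is "*)                             echo accepted ;;
    *)                                          echo rejected ;;
  esac
}

# probe_version HOST PORT FLAG, e.g. probe_version jira 443 -ssl3
probe_version() {
  openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_handshake
}

# audit_host HOST PORT: one line per version. After sslProtocols="TLSv1" on
# Tomcat 6 you expect -ssl3 rejected (or unsupported) and -tls1 accepted.
audit_host() {
  for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
    printf '%-8s %s\n' "$flag" "$(probe_version "$1" "$2" "$flag")"
  done
}

if [ "$#" -ge 1 ]; then
  audit_host "$1" "${2:-443}"
fi
```

An "unsupported" result for -ssl3 means the client could not even try, so it is not evidence that the server refuses SSLv3; test from a machine whose openssl still has SSLv3 built in, or use the SSL Labs test mentioned above.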

Been testing with Chrome 40. In both Windows and Linux, the error is now "ERR_SSL_PROTOCOL_ERROR". Also, I don't think either of us has mentioned previously that the problem seems most likely to be triggered after leaving the Jira session idle for a couple of minutes (e.g. opening a comment dialog, entering some text, and waiting a couple of minutes to submit it).

Charles, have you had the issue since Google Chrome version 41.0.2272.101 m has come out? I haven't had the issue in a few days now.

I haven't had the opportunity to test myself yet, but I've heard that from one user.

Chrome 41.0.2272.118 m on Windows seems happy. Chrome 41.0.2272.101 on my Linux machine on a regular basis gives "SSL connection error Hide details Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have. Error code: ERR_SSL_PROTOCOL_ERROR" If I find an update for Linux and it behaves any differently, I'll let you know.

Same thing with 41.0.2272.118 on Linux.

Same with Chrome 42 on Linux. Tried on a brand new install of Ubuntu 15.04, which has a slightly newer version of libnss.
