Chrome Browser occasionally returns error code ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION

We are using an older version of JIRA (3.10.2-#262) and we are having issues where users of Chrome (39.0.2171.99 m) will occasionally get the following error ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION when they are in different areas and stages of JIRA. We assume this is something to do with SSLv3 but we cannot find the correct settings that work to use in the server.xml file.

This only happens with Chrome. IE and Firefox do not have the issue.

We've tried this suggestion (https://confluence.atlassian.com/display/JIRA/How+To+Disable+SSLv3+to+Mitigate+Against+POODLE+Exploit+for+JIRA), but we think our tomcat version is too old to support these suggestions.

Here is our Tomcat version info:

Server version: Apache Tomcat/5.5.20
Server built: Sep 12 2006 10:09:20
Server number: 5.5.20.0
OS Name: Windows 2003
OS Version: 5.2
Architecture: x86
JVM Version: 1.5.0_08-b03
JVM Vendor: Sun Microsystems Inc.

13 answers


I'm in the same boat with Enterprise Edition, Version: 3.13.2-#335 and Tomcat 6.0.18.  Working from this article http://serverfault.com/questions/637649/how-do-i-disable-sslv3-support-in-apache-tomcat,  added sslEnabledProtocols="TLSv1" to server.xml and it didn't fix the issue.  I'd swear that it seemed to reduce the issue a little, but that could be my imagination.


I then noticed that someone said, 'sslEnabledProtocols didn't work for us on Tomcat 6. sslProtocols = "TLSv1,...."', so I'm going to try that next.

And I see that the article you linked to also points out that my version of Tomcat won't support the sslEnabledProtocols option.

I'll keep you updated and I'd appreciate very much if you did the same.


No luck.  Some strange results, though.


Switching to sslProtocols = "TLSv1" seemed to result in sporadic (like the FALLBACK_BEYOND_MINIMUM_VERSION) SSL PROTOCOL MISMATCH errors on Chrome 39 (Linux) and "This page can't be displayed.  Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings..." on 2 out of 3 installations of IE11 (version 11.0.9600.17501 on 2008R2 worked, where 11.0.9600.17498 on W8.1 didn't; still waiting on the other version).  If I disabled SSL 3.0 in IE11, I got permanent PROTOCOL MISMATCH errors.


What JVM version are you running? We are looking to try and snapshot our installation and upgrade our JAVA and Tomcat to see if Confluence will work with a new version and then use the suggestions in https://confluence.atlassian.com/display/JIRA/How+To+Disable+SSLv3+to+Mitigate+Against+POODLE+Exploit+for+JIRA


Java version "1.6.0_11".

I was re-reading that article and I think I may have been making a mistake.  I was under the impression originally that the config should say both 'sslProtocol="TLS"' (meaning "use SSL") and 'sslProtocols="TLSv1,TLSv1.1,TLSv1.2"' (meaning "specifically only allow these versions").  The way you read it, since I can only support TLSv1 on this version of Tomcat, should it actually be "sslProtocol=TLSv1"?


Hope you're having some success on your end. I'm going to try sslProtocol=TLSv1 tonight. I still don't understand how the issue can be intermittent, though.


We have not had time this week to work on the issue, we will start back up next week. I'll keep you posted of our results.


Just letting you know everything I've worked out so far (deep breath): If you didn't know, openssl has an "s_client" option that lets you quickly test various SSL/TLS functions (beware of this bug in 1.0.1j: https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1270845.html). Using "openssl s_client -ssl3 -no_tls1 -connect jira:443" I could verify that in our current configuration, SSLv3 was enabled. Then I played around with all the server.xml options until it stopped working. The winner was sslProtocols="TLSv1". I could verify with openssl that SSLv3 was not enabled. Conversely, with "openssl s_client -no_ssl3 -no_tls1_2 -no_tls1_1 -connect jira:443" I could verify that TLSv1 was enabled. I was able to verify the same thing by briefly exposing my Jira externally and using SSL Labs' test: https://www.ssllabs.com/ssltest/ That's the good news. Now here's the bad news: Things are still broken, just differently. In Chrome 39 (Linux), I now get "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" like I used to get "ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION". Someone on my team reports that Chrome 40 is working like a charm, but I haven't been able to verify that yet. In IE 11.0.9600.17498 and .17416 (on Windows 8.1 and Windows Server 2012 R2, respectively) with SSL 3.0 enabled (default) I get "This page can't be displayed" ALWAYS, but with SSL 3.0 disabled, I get "This page can't be displayed Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings". In IE 11.0.9600.17501, things work perfectly (not that that version was just hit by this vulnerability: http://thehackernews.com/2015/02/internet-explorer-xss.html). However, I can't get any of the 17498 machines to update to that version for love or money (IE versioning is unfathomably terrible). If you find a way, please let me know.
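The per-version check that the answer above does by hand with openssl s_client, written up as a small script. This is an added example, not code from the thread or from Atlassian: it assumes a host and port are passed as arguments, uses the openssl 1.0.x version flags the thread uses (-ssl3 exists only when the openssl build still includes SSLv3), and the two sample transcripts it tests itself against are constructed, trimmed to the lines the classifier looks at.

```shell
#!/bin/sh
# Classify one captured `openssl s_client` transcript: did the requested
# protocol version negotiate? When the server refuses the version, s_client
# still prints a session summary, but with "Cipher    : 0000" and no real
# cipher; a negotiated session names the cipher suite instead.
handshake_ok() {
  transcript=$1
  case "$transcript" in
    *"Cipher    : 0000"*) return 1 ;;                            # refused version
    *"handshake failure"*|*"wrong version number"*) return 1 ;;  # alert / record error
    *"Cipher    : "*) return 0 ;;                                # real cipher negotiated
    *) return 1 ;;                                               # no session summary at all
  esac
}

# Probe a single version. FLAG is one of -ssl3 -tls1 -tls1_1 -tls1_2.
# Prints "<flag> enabled|disabled".
tls_probe() {
  host=$1; port=$2; flag=$3
  # Feed "Q" on stdin so s_client closes the session instead of waiting.
  transcript=$(printf 'Q\n' | openssl s_client "$flag" -connect "$host:$port" 2>&1)
  if handshake_ok "$transcript"; then
    printf '%-8s enabled\n' "$flag"
  else
    printf '%-8s disabled\n' "$flag"
  fi
}

# Walk all versions. The result wanted after the POODLE change is
# -ssl3 disabled and at least one TLS version enabled.
tls_probe_all() {
  for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
    tls_probe "$1" "$2" "$flag"
  done
}

# Constructed transcripts (not captures from any real server), so the
# classifier can be exercised offline.
SAMPLE_OK='New, TLSv1/SSLv3, Cipher is AES128-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA'

SAMPLE_REFUSED='SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
no peer certificate available
SSL handshake has read 7 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'

if [ "$#" -eq 2 ]; then
  tls_probe_all "$1" "$2"   # usage: sh tls_probe.sh jira 443
fi
```

One caveat when reading the output: if the local openssl was built without SSLv3, `-ssl3` fails with an unknown-option error before any connection is made, and the script reports it as "disabled" because no session summary appears. That is the desired end state for the server but it is not a real probe, so run that one flag by hand once to see which case you are in; the SSL Labs test mentioned above is the independent cross-check.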


Been testing with Chrome 40. In both Windows and Linux, the error is now "ERR_SSL_PROTOCOL_ERROR". Also, I don't think either of us has mentioned previously that the problem seems most likely to be triggered after leaving the Jira session idle for a couple of minutes (e.g. opening a comment dialog, entering some text, and waiting a couple of minutes to submit it).


Charles, have you had the issue since Google Chrome version 41.0.2272.101 m has come out? I haven't had the issue in a few days now.


I haven't had the opportunity to test myself yet, but I've heard that from one user.


Chrome 41.0.2272.118 m on Windows seems happy. Chrome 41.0.2272.101 on my Linux machine on a regular basis gives "SSL connection error Hide details Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have. Error code: ERR_SSL_PROTOCOL_ERROR" If I find an update for Linux and it behaves any differently, I'll let you know.


Same thing with 41.0.2272.118 on Linux.


Same with Chrome 42 on Linux. Tried on a brand new install of Ubuntu 15.04, which has a slightly newer version of libnss.
