Chrome Browser occasionally returns error code ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION

Shawn Smith January 16, 2015

We are using an older version of JIRA (3.10.2-#262) and we are having issues where users of Chrome (39.0.2171.99 m) will occasionally get the following error ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION when they are in different areas and stages of JIRA. We assume this is something to do with SSLv3 but we cannot find the correct settings that work in the server.xml file.

This only happens with Chrome. IE and Firefox do not have the issue.

We've tried this suggestion (https://confluence.atlassian.com/display/JIRA/How+To+Disable+SSLv3+to+Mitigate+Against+POODLE+Exploit+for+JIRA), but we think our tomcat version is too old to support these suggestions.

Here is our Tomcat version info:

Server version: Apache Tomcat/5.5.20
Server built: Sep 12 2006 10:09:20
Server number: 5.5.20.0
OS Name: Windows 2003
OS Version: 5.2
Architecture: x86
JVM Version: 1.5.0_08-b03
JVM Vendor: Sun Microsystems Inc.

13 answers

0 votes
Charles McCabe May 1, 2015

Same with Chrome 42 on Linux. Tried on a brand new install of Ubuntu 15.04, which has a slightly newer version of libnss.

0 votes
Charles McCabe April 7, 2015

Same thing with 41.0.2272.118 on Linux.

0 votes
Charles McCabe April 7, 2015

Chrome 41.0.2272.118 m on Windows seems happy. Chrome 41.0.2272.101 on my Linux machine on a regular basis gives "SSL connection error Hide details Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have. Error code: ERR_SSL_PROTOCOL_ERROR" If I find an update for Linux and it behaves any differently, I'll let you know.

0 votes
Charles McCabe March 29, 2015

I haven't had the opportunity to test myself yet, but I've heard that from one user.

0 votes
Shawn Smith March 26, 2015

Charles, have you had the issue since Google Chrome version 41.0.2272.101 m has come out? I haven't had the issue in a few days now.

0 votes
Charles McCabe February 11, 2015

Been testing with Chrome 40. In both Windows and Linux, the error is now "ERR_SSL_PROTOCOL_ERROR". Also, I don't think either of us has mentioned previously that the problem seems most likely to be triggered after leaving the Jira session idle for a couple of minutes (e.g. opening a comment dialog, entering some text, and waiting a couple of minutes to submit it).

0 votes
Charles McCabe February 4, 2015

Just letting you know everything I've worked out so far (deep breath): If you didn't know, openssl has an "s_client" option that lets you quickly test various SSL/TLS functions (beware of this bug in 1.0.1j: https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1270845.html). Using "openssl s_client -ssl3 -no_tls1 -connect jira:443" I could verify that in our current configuration, SSLv3 was enabled. Then I played around with all the server.xml options until it stopped working. The winner was sslProtocols="TLSv1". I could verify with openssl that SSLv3 was not enabled. Conversely, with "openssl s_client -no_ssl3 -no_tls1_2 -no_tls1_1 -connect jira:443" I could verify that TLSv1 was enabled. I was able to verify the same thing by briefly exposing my Jira externally and using SSL Labs' test: https://www.ssllabs.com/ssltest/ That's the good news. Now here's the bad news: Things are still broken, just differently. In Chrome 39 (Linux), I now get "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" like I used to get "ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION". Someone on my team reports that Chrome 40 is working like a charm, but I haven't been able to verify that yet. In IE 11.0.9600.17498 and .17416 (on Windows 8.1 and Windows Server 2012 R2, respectively) with SSL 3.0 enabled (default) I get "This page can't be displayed" ALWAYS, but with SSL 3.0 disabled, I get "This page can't be displayed Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings". In IE 11.0.9600.17501, things work perfectly (not that that version was just hit by this vulnerability: http://thehackernews.com/2015/02/internet-explorer-xss.html). However, I can't get any of the 17498 machines to update to that version for love or money (IE versioning is unfathomably terrible). If you find a way, please let me know.
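
The manual "openssl s_client" checks in the post above, turned into a small script that reports which protocol versions a server accepts so you can confirm SSLv3 is off after changing server.xml. This is an added example, not code from the thread; it assumes an openssl binary on PATH and a reachable host:port (the "jira 443" in the usage line is a placeholder).

```shell
#!/bin/sh
# Added example (not from the thread): check which SSL/TLS versions a server
# accepts, the way the post above did by hand with "openssl s_client".
# Assumes an openssl build whose s_client still offers -ssl3/-tls1/...; modern
# builds drop SSLv3, in which case that probe simply reports "unsupported".

# Decide from captured s_client output whether a handshake succeeded.
# Prints "yes" or "no". A failed handshake leaves "Cipher is (NONE)" in the
# output; a successful one names a real cipher suite on the "New, ..." line.
handshake_ok() {
  if printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
    echo no
  elif printf '%s\n' "$1" | grep -q 'Cipher is '; then
    echo yes
  else
    echo no
  fi
}

# Try one protocol version against host:port.
# $1 = s_client flag (-ssl3, -tls1, -tls1_1, -tls1_2), $2 = host, $3 = port.
# Prints "yes", "no", or "unsupported" (flag unknown to this openssl build).
probe_version() {
  flag=$1; host=$2; port=$3
  if ! openssl s_client -help 2>&1 | grep -qE -- "^ *$flag( |$)"; then
    echo unsupported
    return
  fi
  out=$(openssl s_client "$flag" -connect "$host:$port" </dev/null 2>&1)
  handshake_ok "$out"
}

# Report every version; for POODLE mitigation the -ssl3 row must read "no",
# and at least one TLS row must read "yes" or browsers cannot connect at all.
probe_all() {
  for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
    printf '%-8s %s\n' "$flag" "$(probe_version "$flag" "$1" "$2")"
  done
}

# Usage (placeholder host/port): probe_all jira 443
```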

0 votes
Shawn Smith January 29, 2015

We have not had time this week to work on the issue, we will start back up next week. I'll keep you posted of our results.

0 votes
Charles McCabe January 29, 2015

Hope you're having some success on your end. I'm going to try sslProtocol=TLSv1 tonight. I still don't understand how the issue can be intermittent, though.

0 votes
Charles McCabe January 27, 2015

Java version "1.6.0_11".

I was re-reading that article and I think I may have been making a mistake.  I was under the impression originally that the config should say both 'sslProtocol="TLS"' (meaning "use SSL") and 'sslProtocols="TLSv1,TLSv1.1,TLSv1.2"' (meaning "specifically only allow these versions").  The way you read it, since I can only support TLSv1 on this version of Tomcat, should it actually be "sslProtocol=TLSv1"?

0 votes
Shawn Smith January 27, 2015

What JVM version are you running? We are looking to try and snapshot our installation and upgrade our JAVA and Tomcat to see if Confluence will work with a new version and then use the suggestions in https://confluence.atlassian.com/display/JIRA/How+To+Disable+SSLv3+to+Mitigate+Against+POODLE+Exploit+for+JIRA

0 votes
Charles McCabe January 27, 2015

No luck.  Some strange results, though.

Switching to sslProtocols = "TLSv1" seemed to result in sporadic (like the FALLBACK_BEYOND_MINIMUM_VERSION) SSL PROTOCOL MISMATCH errors on Chrome 39 (Linux) and "This page can't be displayed.  Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings..." on 2 out of 3 installations of IE11 (version 11.0.9600.17501 on 2008R2 worked, where 11.0.9600.17498 on W8.1 didn't; still waiting on the other version).  If I disabled SSL 3.0 in IE11, I got permanent PROTOCOL MISMATCH errors.

0 votes
Charles McCabe January 27, 2015

I'm in the same boat with Enterprise Edition, Version: 3.13.2-#335 and Tomcat 6.0.18.  Working from this article http://serverfault.com/questions/637649/how-do-i-disable-sslv3-support-in-apache-tomcat,  added sslEnabledProtocols="TLSv1" to server.xml and it didn't fix the issue.  I'd swear that it seemed to reduce the issue a little, but that could be my imagination.

I then noticed that someone said, 'sslEnabledProtocols didn't work for us on Tomcat 6. sslProtocols = "TLSv1,...."', so I'm going to try that next.

And I see that the article you linked to also points out that my version of Tomcat won't support the sslEnabledProtocols option.

I'll keep you updated and I'd appreciate very much if you did the same.
