We are using an older version of JIRA (3.10.2-#262) and we are having issues where users of Chrome (39.0.2171.99 m) will occasionally get the following error, ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, when they are in different areas and stages of JIRA. We assume this is something to do with SSLv3, but we cannot find the correct settings that work in the server.xml file.
This only happens with Chrome. IE and Firefox do not have the issue.
We've tried this suggestion (https://confluence.atlassian.com/display/JIRA/How+To+Disable+SSLv3+to+Mitigate+Against+POODLE+Exploit+for+JIRA), but we think our tomcat version is too old to support these suggestions.
Here is our Tomcat version info:
Server version: Apache Tomcat/5.5.20
Server built: Sep 12 2006 10:09:20
Server number: 188.8.131.52
OS Name: Windows 2003
OS Version: 5.2
JVM Version: 1.5.0_08-b03
JVM Vendor: Sun Microsystems Inc.
I'm in the same boat with Enterprise Edition, Version: 3.13.2-#335 and Tomcat 6.0.18. Working from this article http://serverfault.com/questions/637649/how-do-i-disable-sslv3-support-in-apache-tomcat, added sslEnabledProtocols="TLSv1" to server.xml and it didn't fix the issue. I'd swear that it seemed to reduce the issue a little, but that could be my imagination.
I then noticed that someone said, 'sslEnabledProtocols didn't work for us on Tomcat 6. sslProtocols = "TLSv1,...."', so I'm going to try that next.
And I see that the article you linked to also points out that my version of Tomcat won't support the sslEnabledProtocols option.
I'll keep you updated and I'd appreciate very much if you did the same.
No luck. Some strange results, though.
Switching to sslProtocols = "TLSv1" seemed to result in sporadic (like the FALLBACK_BEYOND_MINIMUM_VERSION) SSL PROTOCOL MISMATCH errors on Chrome 39 (Linux) and "This page can't be displayed. Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings..." on 2 out of 3 installations of IE11 (version 11.0.9600.17501 on 2008R2 worked, where 11.0.9600.17498 on W8.1 didn't; still waiting on the other version). If I disabled SSL 3.0 in IE11, I got permanent PROTOCOL MISMATCH errors.
What JVM version are you running? We are looking to try and snapshot our installation and upgrade our JAVA and Tomcat to see if Confluence will work with a new version and then use the suggestions in https://confluence.atlassian.com/display/JIRA/How+To+Disable+SSLv3+to+Mitigate+Against+POODLE+Exploit+for+JIRA
Java version "1.6.0_11".
I was re-reading that article and I think I may have been making a mistake. I was under the impression originally that the config should say both '"TLS"' (meaning "use SSL") and '"TLSv1,TLSv1.1,TLSv1.2"' (meaning "specifically only allow these versions"). The way you read it, since I can only support TLSv1 on this version of Tomcat, should it actually be "sslProtocol=TLSv1"?
Just letting you know everything I've worked out so far (deep breath): If you didn't know, openssl has an "s_client" option that lets you quickly test various SSL/TLS functions (beware of this bug in 1.0.1j: https://firstname.lastname@example.org/msg1270845.html). Using "openssl s_client -ssl3 -no_tls1 -connect jira:443" I could verify that in our current configuration, SSLv3 was enabled. Then I played around with all the server.xml options until it stopped working. The winner was sslProtocols="TLSv1". I could verify with openssl that SSLv3 was not enabled. Conversely, with "openssl s_client -no_ssl3 -no_tls1_2 -no_tls1_1 -connect jira:443" I could verify that TLSv1 was enabled. I was able to verify the same thing by briefly exposing my Jira externally and using SSL Labs' test: https://www.ssllabs.com/ssltest/ That's the good news.
Now here's the bad news: Things are still broken, just differently. In Chrome 39 (Linux), I now get "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" like I used to get "ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION". Someone on my team reports that Chrome 40 is working like a charm, but I haven't been able to verify that yet. In IE 11.0.9600.17498 and .17416 (on Windows 8.1 and Windows Server 2012 R2, respectively) with SSL 3.0 enabled (default) I get "This page can't be displayed" ALWAYS, but with SSL 3.0 disabled, I get "This page can't be displayed. Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings". In IE 11.0.9600.17501, things work perfectly (note that that version was just hit by this vulnerability: http://thehackernews.com/2015/02/internet-explorer-xss.html). However, I can't get any of the 17498 machines to update to that version for love or money (IE versioning is unfathomably terrible). If you find a way, please let me know.
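The per-version openssl s_client checks described in the post above, automated as an added example (not code from this thread or from Atlassian): it probes one protocol version at a time against a host given on the command line and classifies the captured output. It assumes the openssl binary is on PATH; the host and port are arguments, and the embedded sample output is constructed.

```shell
#!/bin/sh
# Added example: sweep SSLv3/TLS versions against a server with openssl s_client,
# the same way the thread verified sslProtocols="TLSv1" by hand.

# classify_s_client OUTPUT  -> prints accepted | rejected | untestable
# A completed handshake prints "New, <version>, Cipher is <NAME>"; a refused
# version prints "Cipher is (NONE)" plus an alert such as "handshake failure"
# or "wrong version number". The SSL-Session "Protocol" line is NOT a usable
# signal, because s_client prints it even after a failed handshake.
# Caveat: newer openssl builds have SSLv3 compiled out, so "-ssl3" produces
# "Unknown option" and proves nothing about the server; report that separately.
classify_s_client() {
    case "$1" in
        *nknown\ option*|*not\ found*) printf 'untestable\n'; return 2 ;;
    esac
    if printf '%s\n' "$1" | grep -Eq '^New, .*Cipher is [A-Z0-9][A-Z0-9_-]*'; then
        printf 'accepted\n'; return 0
    fi
    printf 'rejected\n'; return 1
}

# probe HOST PORT FLAG   e.g. probe jira 443 -ssl3
probe() {
    out=$(openssl s_client "$3" -connect "$1:$2" </dev/null 2>&1) || true
    classify_s_client "$out"
}

# Constructed sample of a refused SSLv3 handshake (pid and offsets made up),
# used only when no host is supplied so the script still runs stand-alone.
SAMPLE_REFUSED='CONNECTED(00000003)
12345:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:362:
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'

if [ $# -ge 1 ]; then
    # One line per version; a hardened server should show SSLv3 rejected.
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-8s ' "$flag"
        probe "$1" "${2:-443}" "$flag" || true
    done
else
    printf 'sample   '; classify_s_client "$SAMPLE_REFUSED" || true
fi
```

Run it as `sh probe.sh jira 443` after changing server.xml; an "accepted" result on the -ssl3 line means SSLv3 is still negotiable.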
Been testing with Chrome 40. In both Windows and Linux, the error is now "ERR_SSL_PROTOCOL_ERROR". Also, I don't think either of us has mentioned previously that the problem seems most likely to be triggered after leaving the Jira session idle for a couple of minutes (e.g. opening a comment dialog, entering some text, and waiting a couple of minutes to submit it).
Chrome 41.0.2272.118 m on Windows seems happy. Chrome 41.0.2272.101 on my Linux machine on a regular basis gives "SSL connection error Hide details Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have. Error code: ERR_SSL_PROTOCOL_ERROR" If I find an update for Linux and it behaves any differently, I'll let you know.