How do I disable TLS 1.0 and 1.1 for port 8443?


Hello and thank you for taking my question!

 

I'm a junior infrastructure specialist and I am trying to disable TLS 1.0 and 1.1.

We put in the sslProtocol="TLSv1.2" in the $Catalina Home server.xml file but both TLS 1.0 and TLS 1.2 are showing up on port 8443.

I've tried to edit the xml file but if I change the connector, the server won't start.

I see there are 2 connector ports - that could be the issue?

I saved this on my desktop and edited the format so I could fit it all in the screenshot.

I am new to server.xml and I believe I'm almost there, just need some guidance. I will attach screenshots with my server.xml file.

 

Thank you

[Attached screenshots: JIRA_1.png, JIRA_2.png, JIRA_4.png]

2 answers

Hello Megan, I ran into and had to fix the same problem myself. The issue is that the TLS connection header that gets pushed out in the JIRA server.xml uses the old Tomcat 5&6 format, and newer versions of JIRA use Tomcat 8.

When I first tried simply setting the sslProtocol to v1.2, our security scans (using Tenable) still showed the JIRA instance offering 1.0 and 1.1.

sslProtocol="TLSv1.2"

To fix it, I replaced sslProtocol with the supported Tomcat tag sslEnabledProtocols and then cycled the website.

sslEnabledProtocols="TLSv1.2"  

NOTE: This is all without a proxy.
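Added example, not part of the original thread and not Atlassian's code: a small audit script that reads a server.xml and reports, for each TLS connector, whether it relies on sslProtocol alone (the situation described in the answer above) or still lists a legacy protocol in sslEnabledProtocols. The sample server.xml and the ports 8444 and 8445 are constructed for illustration, and the script assumes TLS connectors are the ones marked SSLEnabled="true".

```python
import xml.etree.ElementTree as ET

# Protocol names that should no longer be offered.
WEAK = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample, not the poster's file. It has several connectors,
# as in the question, each configured differently.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLSv1.2"/>
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               sslEnabledProtocols="TLSv1.1,TLSv1.2"/>
    <Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslEnabledProtocols="TLSv1.2"/>
  </Service>
</Server>
"""

def audit_connectors(server_xml: str) -> dict:
    """Map each TLS connector port to a list of findings (empty list = OK)."""
    results = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        findings = []
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            findings.append("sslEnabledProtocols not set")
            if conn.get("sslProtocol"):
                # Per the answer above: scans still showed 1.0 and 1.1.
                findings.append("sslProtocol alone does not restrict versions")
        else:
            offered = {p.strip() for p in enabled.split(",") if p.strip()}
            for weak in sorted(offered & WEAK):
                findings.append(f"legacy protocol enabled: {weak}")
        results[conn.get("port")] = findings
    return results

if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

A clean result only says the file looks right; confirm with a scan of the running port after the restart, as the answer did.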

0 votes
Daniel Ebers Community Leader Jan 16, 2021

Hi @Megan Larson

welcome to the Atlassian Community!

I believe the most important question is if there is a reverse proxy (IIS, Apache or nginx) running in front of Jira - in that case the configuration would have to be adjusted there.

In all other cases (especially if there is no reverse-proxy) the following guide should sort out things:
https://confluence.atlassian.com/jirakb/how-to-disable-sslv3-to-mitigate-against-poodle-exploit-for-jira-680395044.html

If it is then still offering TLS 1.0/1.1 please let us know - perhaps any further debug can then happen from the remote (although tricky).

Cheers,
Daniel
