Hello and thank you for taking my question!
I'm a junior infrastructure specialist and I am trying to disable TLS 1.0 and 1.1.
We put in the slProtocol="TLSv1.2" in the $Catalina Home server.xml file but both TLS 1.0 and TLS 1.2 are showing up on port 8443.
I've tried to edit the xml file but if I change the connector, the server won't start.
I see there are 2 connector ports - that could be the issue?
I saved this on my desktop and edited the format so I could fit it all in the screenshot.
I am new to server.xml and I believe I'm almost there; I just need some guidance. I will attach screenshots with my server.xml file.
Thank you
Hello Megan, I ran into and had to fix the same problem myself. The issue is that the TLS connection header that gets pushed out in the JIRA server.xml uses the old Tomcat 5&6 format, and newer versions of JIRA use Tomcat 8.
When I first tried simply setting the sslProtocol to v1.2, our security scans (using Tenable) still showed the JIRA instance offering 1.0 and 1.1.
sslProtocol="TLSv1.2"
To fix it, I replaced sslProtocol with the supported Tomcat tag sslEnabledProtocols and then cycled the website.
sslEnabledProtocols="TLSv1.2"
NOTE: This is all without a proxy.
Welcome to the Atlassian Community!
I believe the most important question is if there is a reverse proxy (IIS, Apache or nginx) running in front of Jira - in that case the configuration would have to be adjusted there.
In all other cases (especially if there is no reverse-proxy) the following guide should sort out things:
https://confluence.atlassian.com/jirakb/how-to-disable-sslv3-to-mitigate-against-poodle-exploit-for-jira-680395044.html
If it is then still offering TLS 1.0/1.1 please let us know - perhaps any further debug can then happen from the remote (although tricky).
Cheers,
Daniel