How to disable SSLv3

Rachel Smith October 29, 2014

Hello,

Here is my current server.xml

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"

I tried to replace sslProtocol with

sslProtocol="TLSv1.1" sslEnabledProtocols="TLSv1.1"


But it did not work. Is there anything else I need to remove from this configuration? How about the "protocol" parameter, should I change it or remove it?

 

I am following this article:

http://blogs.atlassian.com/2014/10/ssl-poodle/

My Server info:

Server version: Apache Tomcat/7.0.29
OS Name: Linux
OS Version: 2.6.18-308.8.2.el5
Architecture: amd64
JVM Version: 1.7.0_05-b05
JVM Vendor: Oracle Corporation

Thanks a lot!

2 answers

0 votes
Rachel Smith November 18, 2014

Hi L.F

 

Thanks for your response!

Yes, I followed that link also. I have no errors, but when I scan SSL it is still using SSLv3.

We are currently trying the other way around by using nginx and disabling SSLv3 in nginx.

0 votes
Luciano Fagundes
Atlassian Team
November 3, 2014

Rachel

I believe the documentation below will help you on that matter. Please let us know in case you have any questions.

https://confluence.atlassian.com/display/JIRA/How+To+Disable+SSLv3+to+Mitigate+Against+POODLE+Exploit+for+JIRA

Cheers!

L.F
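
As an added example (not part of the thread, and not Atlassian's or Tomcat's own code), a static check of server.xml that reports, for each connector with SSLEnabled="true", whether sslEnabledProtocols is unset, lists SSLv3, or is an explicit list without it. It also stops on typographic quote characters, which can replace ASCII quotes when attributes are pasted from a web page. The sample file, the connectors on ports 8444 and 8445, and the status names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the connector from the question (closed so it parses),
# plus two hypothetical connectors for comparison.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"/>
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" sslEnabledProtocols="SSLv3,TLSv1"/>
  <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""

# Typographic quotes that can arrive when attributes are pasted from a web page.
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2033"


def audit_connectors(xml_text):
    """Return [(port, status)] for every connector with SSLEnabled="true"."""
    if any(ch in xml_text for ch in TYPOGRAPHIC_QUOTES):
        # Not valid attribute delimiters; stop before trusting any parse.
        return [("-", "TYPOGRAPHIC_QUOTES")]
    results = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue  # plain HTTP connector, nothing to audit
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            # Assumption: unset means Tomcat/JVM defaults decide, so review it.
            status = "UNSET"
        elif any(p.strip().lower() == "sslv3" for p in enabled.split(",")):
            status = "SSLV3_LISTED"
        else:
            status = "EXPLICIT_NO_SSLV3"
        results.append((conn.get("port", "?"), status))
    return results


if __name__ == "__main__":
    for port, status in audit_connectors(SAMPLE):
        print(port, status)
```

This only reads the file; a protocol scan of the running port, as described in the reply above, is still what confirms the result.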
