We have an older production server running JIRA 4.3.4 using Tomcat 6.0.20(?) and I'm trying to disable SSLv3 to remediate the POODLE vulnerability on that server. But it appears I can't do it unless I upgrade Tomcat to version 7 or newer. Will I be able to do that with that old version of JIRA? Or if you know of a way to disable SSLv3 in Tomcat 6 for JIRA 4.3.4, I would love to know how. I have already tried changing the sslProtocol="TLSv1.1" and it won't work. I also added the sslProtocols="TLSv1+TLSv1.1+TLSv1.2" and it did not work either. Qualys SSL Labs still reports the server has SSLv3 enabled and is vulnerable to POODLE.
Please help.
Thanks much!
~Dave
No.
JIRA 4.3 does not run (properly) on Tomcat 7. If you need to move to Tomcat 7, then you need to upgrade Jira.
According to http://wiki.apache.org/tomcat/Security/POODLE I think your sslProtocols string is wrong though. Commas, not plus signs.
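A quick way to catch the separator problem mentioned in the reply, as an added example that is not part of the original posts: this lints the SSL connectors in a Tomcat `server.xml` for a `+`-separated or missing `sslProtocols` list. The sample XML is constructed, `lint_connectors` is a hypothetical helper name, and the attribute name follows the thread; which attribute a given Tomcat build actually honours should be checked against the wiki page linked above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: port 8443 mirrors the settings described in the question.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLSv1.1"
               sslProtocols="TLSv1+TLSv1.1+TLSv1.2"/>
    <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
               sslProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
    <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS"/>
  </Service>
</Server>
"""


def lint_connectors(server_xml):
    """Return {port: [findings]} for every SSL-enabled <Connector>."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        findings = []
        proto_list = conn.get("sslProtocols")
        if proto_list is None:
            # Only sslProtocol (singular) or nothing at all is set.
            findings.append("no sslProtocols list set on this connector")
        else:
            if "+" in proto_list:
                findings.append("'+' used as separator; use commas instead")
            # Split on either separator so SSLv3 is found in a malformed list too.
            names = [n.strip() for n in re.split(r"[,+]", proto_list)]
            if any(n.upper() == "SSLV3" for n in names):
                findings.append("SSLv3 is explicitly listed")
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in lint_connectors(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

A clean lint result only means the attribute is well-formed; re-running the external scan (Qualys SSL Labs in the question) after restarting Tomcat is still what confirms SSLv3 is off.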