Jira vulnerable to CVE-2011-1473 (DoS via repeated SSL session renegotiations)

Jira allows SSL renegotiation as shown in the following test. Feel free to try it:

% openssl s_client -connect lhce-jira.nlm.nih.gov:8443

...stuff deleted...

R

RENEGOTIATING

...after a request to renegotiate the connection, Jira maintains the connection instead of exiting with a handshake failure...

How can we configure Jira to not allow SSL renegotiation?

1 answer

1 accepted

This widget could not be displayed.

I ended up using Apache as a reverse proxy following instructions here and Jira is no longer vulnerable:

https://confluence.atlassian.com/display/JIRA/Integrating+JIRA+with+Apache+using+SSL

Suggest an answer

Log in or Sign up to answer
Atlassian Summit 2018

Meet the community IRL

Atlassian Summit is an excellent opportunity for in-person support, training, and networking.

Learn more
Community showcase
Posted Wednesday in Teamwork

What teamwork quotes inspire you?

Hey everyone! My name is Natalie and I'm an editor of the Atlassian Blog and I've got a question for you: What's your favorite quote about teamwork?  We've compiled a list here, along with...

192 views 18 7
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you