Jira vulnerable to CVE-2011-1473 (DoS via repeated SSL session renegotiations)

Jira allows SSL renegotiation as shown in the following test. Feel free to try it:

% openssl s_client -connect lhce-jira.nlm.nih.gov:8443

...stuff deleted...

R

RENEGOTIATING

...after a request to renegotiate the connection, Jira maintains the connection instead of exiting with a handshake failure...

How can we configure Jira to not allow SSL renegotiation?

1 answer

1 accepted

Accepted Answer
0 votes

I ended up using Apache as a reverse proxy following instructions here and Jira is no longer vulnerable:

https://confluence.atlassian.com/display/JIRA/Integrating+JIRA+with+Apache+using+SSL

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Tuesday in Featured Groups

Tuesday tips & tricks: What is the Atlassian Community?

It's officially Tuesday, which means it's officially time for another tip to help you better navigate this space we call the Atlassian Community. 😄 I got a great question from community member, Sa...

135 views 6 8
View post

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you