Jira vulnerable to CVE-2011-1473 (DoS via repeated SSL session renegotiations)

Jira allows SSL renegotiation as shown in the following test. Feel free to try it:

% openssl s_client -connect lhce-jira.nlm.nih.gov:8443

...stuff deleted...

R

RENEGOTIATING

...after a request to renegotiate the connection, Jira maintains the connection instead of exiting with a handshake failure...

How can we configure Jira to not allow SSL renegotiation?

1 answer

1 accepted

I ended up using Apache as a reverse proxy following instructions here and Jira is no longer vulnerable:

https://confluence.atlassian.com/display/JIRA/Integrating+JIRA+with+Apache+using+SSL

Suggest an answer

Log in or Sign up to answer
How to earn badges on the Atlassian Community

How to earn badges on the Atlassian Community

Badges are a great way to show off community activity, whether you’re a newbie or a Champion.

Learn more
Community showcase
Published yesterday in Off-topic

Get to know our Atlassian User Group Leaders from Bengaluru, India

Meet @Dinesh Dhinakaran, @Vishnu Vasudeva, @Rajeev Verma, and Jamshid Nalakath: Our extraordinary AUG leaders from Bengaluru, India. These four work together to strengthen the bonds of their local co...

146 views 0 4
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you