Disabling SSLv3 JIRA 6.2.7

FabienA March 12, 2015

Hi,

I followed the documentation at https://confluence.atlassian.com/display/JIRA/How+To+Disable+SSLv3+to+Mitigate+Against+POODLE+Exploit+for+JIRA to disable SSLv3 because of the POODLE flaw.

But when I restart JIRA, I get the following errors in my catalina.out:

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-444"]
java.io.IOException: TLSv1,TLSv1.1 SSLContext not available
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:459)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:181)
    at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:394)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:623)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
    at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:981)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:640)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:665)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
Caused by: java.security.NoSuchAlgorithmException: TLSv1,TLSv1.1 SSLContext not available
    at sun.security.jca.GetInstance.getInstance(Unknown Source)
    at javax.net.ssl.SSLContext.getInstance(Unknown Source)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:472)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:433)
    ... 19 more

Mar 12, 2015 4:50:57 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-444]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-444]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:640)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:665)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    ... 12 more
Caused by: java.io.IOException: TLSv1,TLSv1.1 SSLContext not available
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:459)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:181)
    at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:394)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:623)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
    at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:981)
    ... 13 more
Caused by: java.security.NoSuchAlgorithmException: TLSv1,TLSv1.1 SSLContext not available
    at sun.security.jca.GetInstance.getInstance(Unknown Source)
    at javax.net.ssl.SSLContext.getInstance(Unknown Source)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:472)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:433)
    ... 19 more

Mar 12, 2015 4:50:57 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 992 ms
Mar 12, 2015 4:50:57 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Mar 12, 2015 4:50:57 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
2015-03-12 16:51:07,019 localhost-startStop-1 INFO      [atlassian.jira.startup.JiraStartupLogger]

 

JIRA is then unavailable.

Please advise, thanks.

Best.

 

6 answers

0 votes
FabienA March 13, 2015

Hi, thanks for your feedback. Unfortunately I can't test from outside; it's for internal use.

0 votes
David Di Blasio
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 13, 2015

Hi Fabien,

I get the same type of results when I test as well. Try testing your site with https://www.ssllabs.com/ssltest/ and see what your results look like. 

0 votes
FabienA March 13, 2015

I made the modifications you provided. I no longer get the warning message. Now, when I test for the vulnerability, I run:

openssl s_client -connect myserver:8443 -ssl3

and get:

CONNECTED(00000003)
140010307163976:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1426258928
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Is this enough to stop the POODLE vulnerability?
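How to read the openssl s_client -ssl3 output in the post above, as an added example that is not part of the original thread: the verdict comes from the negotiated cipher, not from the "Protocol : SSLv3" line, which only echoes what the client asked for. The ACCEPTED and NO_CONNECT samples and the function name sslv3_verdict are constructed for illustration.

```python
import re

# Output as posted in the thread, trimmed to the lines the check reads.
REFUSED = """CONNECTED(00000003)
140010307163976:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
"""

# Constructed sample: a server that still completes an SSLv3 handshake.
ACCEPTED = """CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=jira.example.internal
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
"""

# Constructed sample: TCP connect failed, so nothing was learned about SSLv3.
NO_CONNECT = "connect: Connection refused\nconnect:errno=111\n"


def sslv3_verdict(output):
    """Classify s_client -ssl3 output as refused, accepted or inconclusive."""
    if not re.search(r"^CONNECTED\(", output, re.M):
        return "inconclusive"  # never reached the listener (wrong host or port)
    negotiated = re.search(r"^New, .*Cipher is (\S+)", output, re.M)
    session = re.search(r"^[ \t]*Cipher[ \t]*:[ \t]*(\S+)", output, re.M)
    if not negotiated or not session:
        return "inconclusive"
    no_cipher = negotiated.group(1) == "(NONE)"
    zero_session = set(session.group(1)) == {"0"}
    if no_cipher and zero_session:
        return "refused"   # handshake aborted before a cipher was agreed
    if not no_cipher and not zero_session:
        return "accepted"  # SSLv3 session established: still exposed
    return "inconclusive"
```
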

 

 

0 votes
David Di Blasio
Atlassian Team
March 13, 2015

Hi Fabien, 

I did a bunch of testing and was able to get this to work with the following example connector:

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
           connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false"
           keyAlias="jira" keystoreFile="jira.jks" keystorePass="xxxxx" keystoreType="JKS"
           maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
           port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           scheme="https" secure="true"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           useBodyEncodingForURI="true"/>

Try modifying this with your keystore information and see if you can connect on port 8443.

0 votes
FabienA March 12, 2015

Hi, I just checked and I had forgotten to add the "s" to sslProtocols.

I added it, but now I get this in my catalina.out:

Mar 12, 2015 9:31:49 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Mar 12, 2015 9:31:49 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'maxSpareThreads' to '75' did not find a matching property.
Mar 12, 2015 9:31:49 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslProtocols' to 'TLSv1,TLSv1.1,TLSv1.2' did not find a matching property.
Mar 12, 2015 9:31:49 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-444"]
Mar 12, 2015 9:31:50 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1026 ms
Mar 12, 2015 9:31:50 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Mar 12, 2015 9:31:50 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
2015-03-12 21:31:59,051 localhost-startStop-1 INFO      [atlassian.jira.startup.JiraStartupLogger]
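The three attribute spellings seen in this thread behave differently: a comma list in sslProtocol reaches SSLContext.getInstance and fails (the stack trace in the question), sslProtocols matches no property (the warning in the post above), and sslEnabledProtocols is the form the working connector uses. The following check is an added example, not part of the original thread or Atlassian's documentation; the sample XML, its ports 445 and 8080, and the function name audit_connectors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not the poster's file). Ports 444 and 445
# reproduce the two misspellings from the thread; 8443 uses the working form.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="444" SSLEnabled="true" sslProtocol="TLSv1,TLSv1.1"/>
  <Connector port="445" SSLEnabled="true" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  <Connector port="8443" SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  <Connector port="8080"/>
</Service></Server>"""

LEGACY = {"SSLv2", "SSLv3"}


def audit_connectors(xml_text):
    """Return {port: [issues]} for every SSL-enabled Connector element."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        issues = []
        if "sslProtocols" in conn.attrib:
            issues.append("sslProtocols is not a known property and is ignored")
        if "," in conn.get("sslProtocol", ""):
            issues.append("sslProtocol is one SSLContext name, not a list")
        enabled = [p.strip() for p in
                   conn.get("sslEnabledProtocols", "").split(",") if p.strip()]
        if not enabled:
            issues.append("no sslEnabledProtocols list restricts the protocols")
        legacy = sorted(LEGACY.intersection(enabled))
        if legacy:
            issues.append("sslEnabledProtocols still lists " + ", ".join(legacy))
        findings[conn.get("port")] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_connectors(SAMPLE).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

A connector that starts cleanly but reports the "ignored" finding has no protocol restriction applied, so a clean startup log alone does not show that SSLv3 is off.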

0 votes
David Di Blasio
Atlassian Team
March 12, 2015

Hi Fabien, 

Can you share your server.xml with us so we can get a better sense of what your config looks like? You'll want to make sure you remove your keystore password.
