Disabling SSLv3 JIRA 6.2.7

FabienA March 12, 2015

Hi,

I followed the documentation https://confluence.atlassian.com/display/JIRA/How+To+Disable+SSLv3+to+Mitigate+Against+POODLE+Exploit+for+JIRA to disable SSLv3 because of the POODLE flaw.

But when I restart my JIRA, I get the following errors in my catalina.out:

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-444"]
java.io.IOException: TLSv1,TLSv1.1 SSLContext not available
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:459)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:181)
    at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:394)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:623)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
    at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:981)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:640)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:665)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
Caused by: java.security.NoSuchAlgorithmException: TLSv1,TLSv1.1 SSLContext not available
    at sun.security.jca.GetInstance.getInstance(Unknown Source)
    at javax.net.ssl.SSLContext.getInstance(Unknown Source)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:472)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:433)
    ... 19 more

Mar 12, 2015 4:50:57 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-444]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-444]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:640)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:665)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    ... 12 more
Caused by: java.io.IOException: TLSv1,TLSv1.1 SSLContext not available
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:459)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:181)
    at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:394)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:623)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
    at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:981)
    ... 13 more
Caused by: java.security.NoSuchAlgorithmException: TLSv1,TLSv1.1 SSLContext not available
    at sun.security.jca.GetInstance.getInstance(Unknown Source)
    at javax.net.ssl.SSLContext.getInstance(Unknown Source)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:472)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:433)
    ... 19 more

Mar 12, 2015 4:50:57 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 992 ms
Mar 12, 2015 4:50:57 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Mar 12, 2015 4:50:57 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
2015-03-12 16:51:07,019 localhost-startStop-1 INFO      [atlassian.jira.startup.JiraStartupLogger]

 

And JIRA is then unavailable.

Please advise, thanks.

Best.

6 answers

0 votes
FabienA March 13, 2015

Hi, thanks for your feedback. Unfortunately I can't test from outside; it's for internal use.

0 votes
David Di Blasio
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 13, 2015

Hi Fabien,

I get the same type of results when I test as well. Try testing your site with https://www.ssllabs.com/ssltest/ and see what your results look like. 

0 votes
FabienA March 13, 2015

I made the modifications you provided. I no longer get the warning message. And now, when I test for the vulnerability, I run:

openssl s_client -connect myserver:8443 -ssl3

and get:

CONNECTED(00000003)
140010307163976:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1426258928
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Is it OK to stop the POODLE vulnerability?

0 votes
David Di Blasio
Atlassian Team
March 13, 2015

Hi Fabien, 

I did a bunch of testing and was able to get this to work with the following example connector:

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keyAlias="jira" keystoreFile="jira.jks" keystorePass="xxxxx" keystoreType="JKS" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="8443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" useBodyEncodingForURI="true"/>

Try modifying this with your keystore information and see if you can connect on port 8443.
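
An added example, not part of the original thread: a small lint for `server.xml` that flags the two mistakes reported here (a protocol list in `sslProtocol`, which is passed to `SSLContext.getInstance()` and produces the "SSLContext not available" error, and the misspelled `sslProtocols`, which Tomcat ignores with only a warning) and checks that `sslEnabledProtocols` is set without SSLv3. The sample XML and the function name `lint_connectors` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not the poster's real file).
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="444" SSLEnabled="true" scheme="https" sslProtocol="TLSv1,TLSv1.1"/>
  <Connector port="445" SSLEnabled="true" scheme="https" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  <Connector port="8080"/>
</Service></Server>"""


def lint_connectors(server_xml):
    """Return {port: [findings]} for every TLS-enabled <Connector>."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connector, nothing to check
        findings = []
        # Misspelled attribute: Tomcat only logs "did not find a matching
        # property", so the intended protocol restriction is never applied.
        if "sslProtocols" in conn.attrib:
            findings.append("sslProtocols is not a connector attribute and is ignored")
        # sslProtocol must be a single SSLContext algorithm name; a
        # comma-separated list fails with "SSLContext not available".
        if "," in conn.get("sslProtocol", ""):
            findings.append("sslProtocol holds a list; the connector will not start")
        enabled = [p.strip() for p in conn.get("sslEnabledProtocols", "").split(",")
                   if p.strip()]
        if not enabled:
            findings.append("sslEnabledProtocols not set; protocols fall back to defaults")
        elif any(p.upper() == "SSLV3" for p in enabled):
            findings.append("sslEnabledProtocols still lists SSLv3")
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in lint_connectors(SAMPLE).items():
        print(port, "OK" if not findings else "; ".join(findings))
```
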

0 votes
FabienA March 12, 2015

Hi, I just checked and I forgot to add the "s" to sslProtocols.

I added it, but now I get this in my catalina.out:

Mar 12, 2015 9:31:49 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Mar 12, 2015 9:31:49 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'maxSpareThreads' to '75' did not find a matching property.
Mar 12, 2015 9:31:49 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslProtocols' to 'TLSv1,TLSv1.1,TLSv1.2' did not find a matching property.
Mar 12, 2015 9:31:49 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-444"]
Mar 12, 2015 9:31:50 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1026 ms
Mar 12, 2015 9:31:50 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Mar 12, 2015 9:31:50 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
2015-03-12 21:31:59,051 localhost-startStop-1 INFO      [atlassian.jira.startup.JiraStartupLogger]

0 votes
David Di Blasio
Atlassian Team
March 12, 2015

Hi Fabien, 

Can you share your server.xml with us so we can get a better sense of what your config looks like? You'll want to make sure you remove your keystore password.
