Hi,
I follow the documentation https://confluence.atlassian.com/display/JIRA/How+To+Disable+SSLv3+to+Mitigate+Against+POODLE+Exploit+for+JIRA to disable the SSLv3 because of poodle fail.
But when I restart my JIRA I get in my catalina.out the following issues:
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-444"]
java.io.IOException: TLSv1,TLSv1.1 SSLContext not available
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:459)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:181)
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:394)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:623)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:981)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:640)
at org.apache.catalina.startup.Catalina.load(Catalina.java:665)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
Caused by: java.security.NoSuchAlgorithmException: TLSv1,TLSv1.1 SSLContext not available
at sun.security.jca.GetInstance.getInstance(Unknown Source)
at javax.net.ssl.SSLContext.getInstance(Unknown Source)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:472)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:433)
... 19 more
Mar 12, 2015 4:50:57 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-444]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-444]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:640)
at org.apache.catalina.startup.Catalina.load(Catalina.java:665)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
... 12 more
Caused by: java.io.IOException: TLSv1,TLSv1.1 SSLContext not available
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:459)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:181)
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:394)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:623)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:981)
... 13 more
Caused by: java.security.NoSuchAlgorithmException: TLSv1,TLSv1.1 SSLContext not available
at sun.security.jca.GetInstance.getInstance(Unknown Source)
at javax.net.ssl.SSLContext.getInstance(Unknown Source)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:472)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:433)
... 19 more
Mar 12, 2015 4:50:57 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 992 ms
Mar 12, 2015 4:50:57 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Mar 12, 2015 4:50:57 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
2015-03-12 16:51:07,019 localhost-startStop-1 INFO [atlassian.jira.startup.JiraStartupLogger]
And JIRA is unavailable then.
Please thanks to advise.
Best.
Hi thanks for your feedback. Unfortunately I can't test from outside, it's an internal use.
Hi Fabien,
I get the same type of results when I test as well. Try testing your site with https://www.ssllabs.com/ssltest/ and see what your results look like.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I made the modifications you provided. I haven't the warning message. And now when i test for vulnerability I do:
openssl s_client -connect myserver:8443 -ssl3
and get:
CONNECTED(00000003)
140010307163976:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1426258928
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Is it ok to stop the POODLE vulnerability?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Fabien,
I did a bunch of testing and was able to get this to work with the following example connector:
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keyAlias="jira" keystoreFile="jira.jks" keystorePass="xxxxx" keystoreType="JKS" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="8443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" useBodyEncodingForURI="true"/>
Try modifying this with your keystore information and see if you can connect on port 8443.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi I'just checked that I forget to add the "s" to sslProtocols
I added it but now I get in my catalinat.out:
Mar 12, 2015 9:31:49 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Mar 12, 2015 9:31:49 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'maxSpareThreads' to '75' did not find a matching property.
Mar 12, 2015 9:31:49 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslProtocols' to 'TLSv1,TLSv1.1,TLSv1.2' did not find a matching property.
Mar 12, 2015 9:31:49 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-444"]
Mar 12, 2015 9:31:50 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1026 ms
Mar 12, 2015 9:31:50 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Mar 12, 2015 9:31:50 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
2015-03-12 21:31:59,051 localhost-startStop-1 INFO [atlassian.jira.startup.JiraStartupLogger]
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Fabien,
Can you share your server.xml with us so we can get a better sense of what you config looks like? You'll want to make sure you remove your keystore password.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.