How to change the SSL/TLS protocols used by Tomcat

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

If JIRA is running behind a proxy that handles SSL then the following information does not apply. Instead you will need to modify the configuration of the proxy that is in front of JIRA to disable SSLv3. It is recommend to host JIRA behind a reverse-proxy as per the below documentation rather than host SSL on Tomcat:

目的

Admins may need to change the protocols used by Tomcat in response to a security scan that flags protocol versions such as TLSv1 and TLSv1.1 as insecure. 

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
              maxHttpHeaderSize="8192" SSLEnabled="true"
              maxThreads="150" minSpareThreads="25"
              enableLookups="false" disableUploadTimeout="true"
              acceptCount="100" scheme="https" secure="true"
              sslEnabledProtocols="TLSv1.2+TLSv1.3"
              clientAuth="false" useBodyEncodingForURI="true"
              keyAlias="jira" keystoreFile="<Jira_HOME>/jira.jks" keystorePass="changeit" keystoreType="JKS"/>

If you're running outdated SSL/TLS protocols, you may also notice that some web browsers, such as Google Chrome fail to browse to your SSL enabled instance, with the following error (or similar)

A secure connection cannot be established because this site uses an unsupported protocol

ソリューション

  • Edit one of the sslProtocol or sslEnabledProtocols attributes of the SSL connector in server.xml: 

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslEnabledProtocols="TLSv1+TLSv1.1+TLSv1.2" SSLEnabled="true"
               URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>


    • In older versions of Tomcat (up to 6.0.32) the property sslEnabledProtocols didn't exist. If you're running JIRA 5.2.11 or older, please edit the SSL connector as follows instead:

      <Connector port="8443" maxHttpHeaderSize="8192"
                 maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                 enableLookups="false" disableUploadTimeout="true"
                 acceptCount="100" scheme="https" secure="true"
                 clientAuth="false" sslProtocol="TLSv1+TLSv1.1+TLSv1.2" SSLEnabled="true"
                 URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>
  • Make sure you use the + sign to add protocols. 
  • In some cases the - sign was necessary in order to restrict some protocols. For example: sslEnabledProtocols="-SSLv2-SSLv3-TLSv1+TLSv1.2+TLSv1.3"
  • For more information, refer to The HTTP Connector > SSL Support - SSLHostConfig


最終更新日 2022 年 6 月 6 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.