How to modify the SSL/TLS version Jira uses for outbound connections (Server and Data Center)
プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Fisheye および Crucible は除く
要約
When connecting as a client Jira will start the SSL handshake based off the current Java it's using, Java 8 enables TLSv1.1 and TLSv1.2 in client mode and uses TLSv1.2 by default. The initial request from the client (Jira) will go as TLSv1.2 and since TLSv1.2 is backward compatible, if destination responds on TLSv1.1, then they both agree on TLSV1.1 going forward.
Java 11 enables TLSv1.3 and TLSv1.2 in client mode. OpenJDK lower than 11.0.11 also allowed TLSv1.1, which is now disabled by default.
ログ
You can verify the SSL handshake in Jira logs, on Logging and Profiling please add the package org.apache.http set to DEBUG. You may also enable this through the following startup parameters:
-Djavax.net.debug=ssl:handshake:verbose
The information will be written into JIRA Home Directory/log/atlassian-jira.log when a secure connection is stablished.
構成
If you wish to restrict TLS versions used by Jira when connecting as a client, you can set the value of the jdk.tls.disabledAlgorithms parameter in <JAVA_HOME>/lib/security/java.security.
The current <JAVA_HOME> is available at Administration > System > System Support > System Info > java.home. More Info: https://www.java.com/en/configure_crypto.html
Alternatively, you may add the following startup properties to achieve these settings:
-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2