JIRA Mail initiates TLSv1 connection only


アトラシアン コミュニティをご利用ください。


プラットフォームについて: サーバーと Data Center のみ。この記事は、サーバーおよび Data Center プラットフォームのアトラシアン製品にのみ適用されます。


JIRA Mail initiates Transport Layer Security (TLS) connection to Mail server, this includes IMAPS/POP3S or SMTPS protocols. It's TLSv1 connection and it's doesn't initiate TLSv1.1 or TLSv1.2. Taking into account that TLSv1 doesn't offer all the newest encryption cyphers, it's preferable to switch to TLSv1.2 protocol



  • JIRA with configured Incoming and/or Outgoing mail.


  • Enable SSL debug option and check logs: 


    You can see JIRA mail initiating TLSv1 connection:

    *** ClientHello, TLSv1
    http-bio-8080-exec-25 , WRITE: TLSv1 Handshake, length = 160
    http-bio-8080-exec-25 , READ: TLSv1 Handshake, length = 91
    *** ServerHello, TLSv1

    in some cases connection can fail due to parametr mismatch: 

    *** ClientHello, TLSv1
    atlassian-scheduler-quartz1.clustered_Worker-2, WRITE: TLSv1 Handshake, length = 163
    atlassian-scheduler-quartz1.clustered_Worker-2, READ: SSLv3 Alert, length = 2
    atlassian-scheduler-quartz1.clustered_Worker-2, RECV TLSv1.2 ALERT:  fatal, illegal_parameter
    atlassian-scheduler-quartz1.clustered_Worker-2, called closeSocket()
    atlassian-scheduler-quartz1.clustered_Worker-2, handling exception: javax.net.ssl.SSLException: Received fatal alert: illegal_parameter

    or fail due to No negotiable cipher suite:

    *** ClientHello, TLSv1
    atlassian-scheduler-quartz1.clustered_Worker-1, handling exception: javax.net.ssl.SSLHandshakeException: No negotiable cipher suite
    atlassian-scheduler-quartz1.clustered_Worker-1, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
    atlassian-scheduler-quartz1.clustered_Worker-1, WRITE: TLSv1.2 Alert, length = 2


JIRA for Incoming Mail (atlassian.mail.incoming.mailfetcherservice) and similar for outgoing uses javax.mail 1.4.5. This library uses it's own defaults for for TLS: 'sslsocket.setEnabledProtocols(new String[] {"TLSv1"});' and not global Java one. 


You can override Java mail setting and set TLS to specific version, please add following JVM option to the  startup parameters (see Setting Properties and Options on startup) :


See Package-summary.html#mail.imap.ssl.protocols for more details. Similar setting for SMTP: Smtp - package-summary

This should change TLS behaviour:

*** ClientHello, TLSv1.2
http-bio-8080-exec-25 , WRITE: TLSv1.2 Handshake, length = 216
http-bio-8080-exec-25 , READ: TLSv1.2 Handshake, length = 91
*** ServerHello, TLSv1.2

最終更新日 2022 年 8 月 30 日


Powered by Confluence and Scroll Viewport.