Jira Data Center / JRASERVER-41664

Support secure session resumption when changes are made to SSL certificate


    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      Issue
      If the SSL/TLS certificate of a system that JIRA connects to, such as an LDAP directory or Crowd, is replaced by one issued to a different DNS name or IP address, or issued by a different CA, then the following exception can occur on renegotiation even though the new certificate is valid and trusted: "javax.net.ssl.SSLHandshakeException: server certificate change is restricted during renegotiation".

      Cause
      The fix for CVE-2014-6457, "Triple Handshake attack against TLS/SSL connections (JSSE, 8037066)", prevents the peer certificate from changing during TLS renegotiation. The check is skipped when endpoint identification (see SSLParameters.getEndpointIdentificationAlgorithm) is enabled for the connection, because hostname verification then covers a changed certificate, and it passes when the new certificate carries the same 'identity' as the certificate seen on the initial handshake of that session. If the identity has changed, a "javax.net.ssl.SSLHandshakeException: server certificate change is restricted during renegotiation" exception is raised and the connection fails.

      Note: two certificates are treated as carrying the same identity if any of the following holds:
      a) Both certificates carry an IP address subject alternative name and the IP address is the same in both.
      b) Both certificates carry a DNS name subject alternative name and the DNS name is the same in both.
      c) The subject and issuer fields are present in both certificates and both the subject and the issuer values are identical.
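The identity rules above and the two conditions that bypass the check (an endpoint identification algorithm on the connection, and the jdk.tls.allowUnsafeServerCertChange property), modelled as an added example; this is not Atlassian or OpenJDK code. It takes certificates in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, and the sample certificates and hostnames are constructed for the example.

```python
"""Model of the JSSE renegotiation check described above.

Added illustration, not Atlassian or OpenJDK code. It re-implements the three
identity rules listed on the page over certificates written in the dict form
that Python's ssl.SSLSocket.getpeercert() returns, and models the two switches
that bypass the check: an endpoint identification algorithm on the connection
and the jdk.tls.allowUnsafeServerCertChange property. The sample certificates
below are constructed for the example; the hostnames are invented.
"""
from typing import Optional

# SAN type labels as emitted by ssl.getpeercert()
SAN_IP = "IP Address"
SAN_DNS = "DNS"


def _san_values(cert: dict, kind: str) -> Optional[set]:
    """Lower-cased SAN values of one type, or None if the cert has none of that type."""
    names = {value.lower() for typ, value in cert.get("subjectAltName", ()) if typ == kind}
    return names or None


def is_identity_equivalent(new_cert: dict, prev_cert: dict) -> bool:
    """True if the new server certificate carries the same identity as the one
    seen on the session's initial handshake, using the page's rules (a)-(c)."""
    if new_cert == prev_cert:          # identical certificate: trivially the same peer
        return True
    for kind in (SAN_IP, SAN_DNS):     # rules (a) and (b)
        new_names, prev_names = _san_values(new_cert, kind), _san_values(prev_cert, kind)
        # both certificates carry a SAN of this type and at least one value is shared
        if new_names and prev_names and new_names & prev_names:
            return True
    # rule (c): subject and issuer present in both certificates and identical
    fields = [c.get(f) for c in (new_cert, prev_cert) for f in ("subject", "issuer")]
    if all(fields):
        return (new_cert["subject"] == prev_cert["subject"]
                and new_cert["issuer"] == prev_cert["issuer"])
    return False


def renegotiation_allowed(new_cert: dict, prev_cert: dict,
                          endpoint_id_alg: Optional[str] = None,
                          allow_unsafe_change: bool = False) -> bool:
    """Decide whether a renegotiation presenting new_cert proceeds, or fails with
    'server certificate change is restricted during renegotiation'."""
    if allow_unsafe_change:            # -Djdk.tls.allowUnsafeServerCertChange=true: check disabled
        return True
    if endpoint_id_alg:                # e.g. "HTTPS" or "LDAPS": hostname verification covers the change
        return True
    return is_identity_equivalent(new_cert, prev_cert)


# Constructed sample certificates (not real ones), in ssl.getpeercert() dict form.
OLD_LDAP_CERT = {
    "subject": ((("commonName", "ldap.example.internal"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "subjectAltName": (("DNS", "ldap.example.internal"),),
}
# Same hostname, re-issued by another CA: the shared DNS SAN keeps it equivalent (rule b).
REISSUED_SAME_SAN = {
    "subject": ((("commonName", "ldap.example.internal"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "LDAP.Example.Internal"),),   # SAN comparison is case-insensitive
}
# New hostname and new CA: a different identity, so renegotiation is refused.
RENAMED_CERT = {
    "subject": ((("commonName", "directory.example.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "directory.example.com"),),
}
# Certificates without SANs fall through to rule (c): subject and issuer must both match.
NO_SAN_ORIGINAL = {"subject": ((("commonName", "crowd.example.internal"),),),
                   "issuer": ((("commonName", "Example Internal CA"),),),
                   "serialNumber": "01"}
NO_SAN_RENEWED = {**NO_SAN_ORIGINAL, "serialNumber": "02"}   # renewal: same names, new serial
NO_SAN_NEW_CN = {**NO_SAN_ORIGINAL, "serialNumber": "03",
                 "subject": ((("commonName", "sso.example.internal"),),)}

if __name__ == "__main__":
    for label, new in (("re-issued, same SAN", REISSUED_SAME_SAN), ("renamed host", RENAMED_CERT)):
        print(f"{label}: allowed={renegotiation_allowed(new, OLD_LDAP_CERT)}, "
              f"with endpoint identification="
              f"{renegotiation_allowed(new, OLD_LDAP_CERT, endpoint_id_alg='LDAPS')}")
```

The renamed-host case is the one the issue describes: the new certificate is perfectly valid, but without endpoint identification on the connection it shares no SAN, subject or issuer with the certificate cached for the session, so the renegotiation is refused until the session state is dropped or the check is disabled.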

      Possible solution
      If you encounter a "javax.net.ssl.SSLHandshakeException: server certificate change is restricted during renegotiation" error, try restarting JIRA. The check compares the new certificate against the one cached for the existing TLS session, and a restart discards that session state, so the next connection performs a fresh handshake against the new certificate. If the issue persists, open a support issue.

      Workarounds

      • The check can be disabled by starting JIRA with the following JVM argument:
        -Djdk.tls.allowUnsafeServerCertChange=true
        Note that this property switches off the CVE-2014-6457 protection for every outbound TLS connection the JVM makes, not only the one that failed, so prefer the restart described above and treat this setting as a temporary measure.
        

Assignee: Unassigned
Reporter: Taiwo Akindele (takindele, Inactive)
Votes: 10
Watchers: 19