
[JRASERVER-42347] Update embedded Tomcat to 7.0.58+

See http://tomcat.apache.org/tomcat-7.0-doc/changelog.html for details.
Notably related to OFBIZ-5848 (POODLE) changes in Coyote:

1. Support for TLSv1.1 and TLSv1.2 for the APR connector. Based upon a patch by Marcel Šebek. This feature requires Tomcat Native library 1.1.32 or later.
2. Disable SSLv3 by default for JSSE based HTTPS connectors (BIO and NIO). The change also ensures that SSLv2 is disabled for these connectors although SSLv2 should already be disabled by default by the JRE.
3. Disable SSLv3 by default for the APR/native HTTPS connector.

            MichaelL added a comment -

Thanks again, Robert. I think I'll stick with the JIRA bin installers. I'll try overwriting the latest Tomcat 8 bin and lib contents, as you described in your second comment here. I'll do this only when a newer Tomcat 8 release has a compelling security improvement or bugfix (I'll have to study the Tomcat 8 changelog at https://tomcat.apache.org/tomcat-8.0-doc/changelog.html, and keep up with new releases). Fortunately, I have a test server I can try this out on before putting a newer Tomcat 8 into production.

            My JIRA servers run Linux. I downloaded the latest Linux binary installer for JIRA Software 7.0.3, and extracted it (on a Windows PC using 7-Zip). The README.html says to manually install Oracle Java JDK or JRE version 1.8, so I guess a JRE is not included within the Linux installers. But installing (upgrading) the JRE manually should be easy.

            Ruby Paasche added a comment - - edited

            michael.litwak, you could also install your own tomcat and java, if you just download the war bundle instead of the bin installer.

Ruby Paasche added a comment -

It includes a JRE 8.

To upgrade Tomcat on your own, take a look at the 2nd comment from 27/Mar/2015.
Still the same procedure.

            MichaelL added a comment -

            Thanks, Robert. I haven't yet upgraded JIRA from version 6.3, so I cannot check myself. Tomcat 8.0.24 should be fine, though there are numerous fixes to SSL/TLS (and support for the newest OpenSSL release features) in the Coyote portion of Tomcat through version 8.0.29.

            Do you know whether JIRA 7.0 includes a Java 8 JRE?

Also, does anyone know whether it is possible to upgrade the Tomcat 8.0.24 that comes with JIRA 7.0 to the latest build offered by Apache?

Ruby Paasche added a comment -

Take a look at catalina.out. It says 8.0.24.

            MichaelL added a comment -

Looks like Tomcat 8.0.21 or newer is required. Older versions of Tomcat 8.0 lack the ability to properly set SSL cipher suite order. See https://tomcat.apache.org/tomcat-8.0-doc/changelog.html, and specifically https://bz.apache.org/bugzilla/show_bug.cgi?id=55988. This requires running Tomcat 8 on Java 8.

            What specific version of Tomcat 8.0.X comes with JIRA Software 7.0? Does it come with a Java 8 JRE?

Oswaldo Hernandez (Inactive) added a comment -

JIRA ships with Tomcat 8 since JIRA 7.0.0.

Ruby Paasche added a comment -

Workaround (at your own risk):

Download the latest Tomcat 7 (tar or zip), and copy the content of bin into /opt/atlassian/jira/bin and the content of lib into /opt/atlassian/jira/lib

            MichaelL added a comment -

            The APR connector seems to be the best way to precisely configure SSL for Tomcat within JIRA (in particular, specifying ciphers and cipher order to mitigate CRIME, POODLE and other exploits).

            But the lack of TLS v1.1 and 1.2 support means that client connections are not as secure as they could be.

            Updating the Tomcat version would permit the APR connector to be configured with SSLProtocol="TLSv1+TLSv1.1+TLSv1.2". The same configuration statement under older versions of Tomcat causes the APR connector to fail to load.
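As an added example (not from this issue, Atlassian or the Tomcat project), a small audit script that reads a Tomcat server.xml and reports, for each SSL-enabled connector, whether the APR SSLProtocol list still allows SSLv3, omits TLSv1.1/TLSv1.2, is left unpinned, or has no explicit cipher suite; the sample server.xml, its ports and its cipher string are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the page) with three APR connectors:
# an old-style explicit list that still allows SSLv3, the updated list this
# issue asks for, and one that leaves SSLProtocol unset.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" SSLProtocol="SSLv3+TLSv1"/>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
               SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256"/>
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true"/>
  </Service>
</Server>"""

WANTED = {"TLSv1.1", "TLSv1.2"}   # versions the 7.0.58+ APR connector adds
FORBIDDEN = {"SSLv2", "SSLv3"}    # POODLE-affected versions the update disables

def parse_ssl_protocol(value):
    """Split an explicit APR SSLProtocol list ("TLSv1+TLSv1.1+TLSv1.2") into a set.
    Returns None for a missing value or "all": what that enables depends on the
    Tomcat build, so it cannot be judged from the file alone."""
    if value is None or value.strip().lower() == "all":
        return None
    return {p.strip() for p in value.split("+") if p.strip()}

def audit(xml_text):
    """Return {port: [findings]} for each SSL-enabled Connector; [] means clean."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        issues = []
        enabled = parse_ssl_protocol(conn.get("SSLProtocol"))
        if enabled is None:
            issues.append("SSLProtocol not pinned: enabled versions depend on the "
                          "Tomcat build (pre-7.0.58 APR has no TLSv1.1/1.2 and "
                          "leaves SSLv3 on)")
        else:
            issues += [f"{p} enabled" for p in sorted(enabled & FORBIDDEN)]
            issues += [f"{p} not offered" for p in sorted(WANTED - enabled)]
        if not conn.get("SSLCipherSuite"):
            issues.append("no explicit SSLCipherSuite: cipher choice and order left to defaults")
        findings[conn.get("port")] = issues
    return findings

if __name__ == "__main__":
    for port, issues in audit(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

Run it against the real /opt/atlassian/jira/conf/server.xml before and after swapping in a newer Tomcat; a connector that fails to load with the new SSLProtocol string (as noted above for older builds) will still show up in catalina.out, which this script does not read.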

Assignee: Unassigned
Reporter: Ruby Paasche
Votes: 6
Watchers: 11