How To Disable SSLv3 to Mitigate Against POODLE Exploit for Crowd

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Use Case

If you have enabled the SSL connector for Crowd using <Crowd_install>/conf/server.xml, the default settings do not block SSLv3 connections which can be exploited by the POODLE fallback attack. There are two changes that need to be made to the SSL connector. By default, the SSL connector sets sslProtocol="TLS" which starts both TLS connectors and SSLv3 connectors. You can tell if you are affected by opening <Crowd_install>/conf/server.xml and find the SSL connector that might have been added previously, example follows:

1 2 3 4 <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" SSLEnabled="true" keystorePass="<MY_CERTIFICATE_PASSWORD>" />

Resolution

  • Edit the SSL connector in server.xml as follows:

    1 2 3 4 5 6 <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true" URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>" />

  • In older versions of Tomcat (up to 6.0.32) the property sslEnabledProtocols didn't exist. If you're running Crowd 2.6.X or older, please edit the SSL connector as follows instead:

    1 2 3 4 5 6 <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true" URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>" />

  • At this point you can start Crowd and use something like SSLScan to verify that connections can only be made through TLS and not SSLv3.

Updated on April 8, 2025
Platform
Data Center only
Product
Crowd Data Center
On this pageUse CaseResolution

Still need help?

The Atlassian Community is here for you.
Ask the Community