Modify SSL/TLS Version for Jira Outbound Connections (Data Center)

Platform Notice: Data Center Only - This article only applies to Atlassian apps on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

This article applies when Jira performs secure connections to other services through SSL/TLS (for example, LDAPS). To configure SSL/TLS on your Jira instance, please refer to Running Jira applications over SSL or HTTPS.

Summary

When connecting as a client, Jira starts the SSL/TLS handshake with the protocol versions enabled by the Java version it is running on.

Java 8 enables TLSv1.1 and TLSv1.2 in client mode and uses TLSv1.2 by default. The initial request from the client (Jira) will be TLSv1.2. Since TLSv1.2 is backward compatible, if the destination responds with TLSv1.1, both sides agree to use TLSv1.1 going forward.

Java 11 enables TLSv1.3 and TLSv1.2 in client mode. OpenJDK versions lower than 11.0.11 also allowed TLSv1.1, which is now disabled by default.

Enable Logging

You can verify the SSL handshake in the Jira logs using the following steps:

  • Navigate to Administration ⚙ > System

  • Select System support > Logging & Profiling to open the Logging page

  • Select Configure logging level for another package

  • Add the package org.apache.http set to DEBUG

  • This setting will stay activated until the next restart of Jira

You can also enable this using the following startup parameter:

-Djavax.net.debug=ssl:handshake:verbose

The information will be written into the Jira Home Directory/log/atlassian-jira.log when a secure connection is established.

Configuration

  • If you wish to restrict TLS versions used by Jira when connecting as a client, you can set the value of the jdk.tls.disabledAlgorithms parameter in <JAVA_HOME>/lib/security/java.security.

  • The current <JAVA_HOME> can be found by navigating to Administration ⚙ > System > System support > System Info. Look for java.home.

  • Additional information on JDK and JRE Cryptographic Algorithms can be found at https://www.java.com/en/configure_crypto.html

Alternatively, you may add the following startup properties to achieve these settings:

-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2
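
To confirm which protocol versions a java.security file lists in jdk.tls.disabledAlgorithms after an edit, the following added example (not Atlassian's code) parses the property, including backslash-continued lines. The function names and the sample file content are constructed for illustration; on a real instance, pass <JAVA_HOME>/lib/security/java.security to report.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample content is constructed.

# Print the effective value of property $1 in java.security-style file $2.
# Comment lines are skipped, backslash-continued lines are joined, and the
# last definition in the file wins.
security_prop() {
    awk -v key="$1" '
        !cont && /^[[:space:]]*#/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (cont) buf = buf line
            else buf = line
            if (buf ~ /\\$/) { sub(/\\$/, "", buf); cont = 1; next }
            cont = 0
            if (index(buf, key) == 1) {
                rest = substr(buf, length(key) + 1)
                if (sub(/^[[:space:]]*[=:][[:space:]]*/, "", rest)) val = rest
            }
        }
        END { print val }
    ' "$2"
}

# Exit 0 if protocol $1 is an exact entry of jdk.tls.disabledAlgorithms in
# file $2 (exact match, so TLSv1 is not confused with TLSv1.1).
tls_disabled() {
    security_prop jdk.tls.disabledAlgorithms "$2" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF -- "$1"
}

# One line per protocol version for file $1.
report() {
    for p in SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; do
        if tls_disabled "$p" "$1"; then echo "$p: listed in jdk.tls.disabledAlgorithms"
        else echo "$p: not listed"; fi
    done
}

# Constructed sample file; TLSv1.1 sits on a continuation line on purpose.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
#jdk.tls.disabledAlgorithms=SSLv3
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    TLSv1.1
EOF
report "$SAMPLE"
```

The script reads only the file it is given; a -Djdk.tls.client.protocols startup property is not reflected in its output.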

Updated on May 21, 2025
