Users cannot login Jira due to the TLS 1.0/1.1 changes in OpenJDK v8u291, v11.0.11 and newer

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

Users cannot log in to Jira. The error below is thrown in atlassian-jira.log during the login:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 022-04-30 20:36:58,507+1000 https-jsse-nio-8443-exec-20 WARN anonymous 1236x357x1 9crypu 10.220.238.240,10.46.170.88 / [o.k.atlaskerb.hostapp.DefaultRemoteUserUpdater] Could not authenticate 'xxxxx' in ': javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS11 is not accepted by client preferences [TLS12]'. Not updating account: Crowd Server 2022-04-30 20:37:51,267+1000 https-jsse-nio-8443-exec-3 ERROR anonymous 1237x409x1 9crypu 10.220.238.240,10.46.170.88 /rest/gadget/1.0/login [c.a.c.manager.application.ApplicationServiceGeneric] Directory 'Crowd Server (10200)' is not functional during authentication of 'xxxxx'. Skipped. 2022-04-30 20:37:51,268+1000 https-jsse-nio-8443-exec-3 ERROR anonymous 1237x409x1 9crypu 10.220.238.240,10.46.170.88 /rest/gadget/1.0/login [c.a.j.security.login.JiraSeraphAuthenticator] Error occurred while trying to authenticate user 'xxxxx'. com.atlassian.crowd.exception.runtime.OperationFailedException at com.atlassian.crowd.embedded.core.CrowdServiceImpl.convertOperationFailedException(CrowdServiceImpl.java:676) at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:76) at com.atlassian.jira.security.login.JiraSeraphAuthenticator.crowdServiceAuthenticate(JiraSeraphAuthenticator.java:75) at com.atlassian.jira.security.login.JiraSeraphAuthenticator.authenticate(JiraSeraphAuthenticator.java:49) at com.atlassian.seraph.auth.DefaultAuthenticator.login(DefaultAuthenticator.java:90) ... 13 filtered at com.atlassian.plugins.rest.module.servlet.RestSeraphFilter.doFilter(RestSeraphFilter.java:38) ... 3 filtered at com.atlassian.pats.web.filter.TokenBasedAuthenticationFilter.doFilter(TokenBasedAuthenticationFilter.java:83) ... 7 filtered at org.kantega.atlaskerb.AtlasKerberosFilter.doFilter(AtlasKerberosFilter.java:110) ... 3 filtered at org.kantega.atlaskerb.AtlasKerberosFilter.doFilter(AtlasKerberosFilter.java:110) ... 3 filtered at org.kantega.atlaskerb.AtlasKerberosFilter.doFilter(AtlasKerberosFilter.java:234) ... 3 filtered at org.kantega.atlaskerb.AtlasKerberosFilter.doFilter(AtlasKerberosFilter.java:110) ... 15 filtered at com.atlassian.jira.servermetrics.CorrelationIdPopulatorFilter.doFilter(CorrelationIdPopulatorFilter.java:30) ... 5 filtered at com.atlassian.plugins.authentication.impl.basicauth.filter.DisableBasicAuthFilter.doFilter(DisableBasicAuthFilter.java:70) ... 3 filtered at org.kantega.atlaskerb.AtlasKerberosPreFilter.doFilter(AtlasKerberosPreFilter.java:83) ... 8 filtered at com.atlassian.ratelimiting.internal.filter.RateLimitPreAuthFilter.doFilter(RateLimitPreAuthFilter.java:71) ... 3 filtered at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21) ... 4 filtered at com.atlassian.troubleshooting.thready.filter.AbstractThreadNamingFilter.doFilter(AbstractThreadNamingFilter.java:46) ... 3 filtered at com.atlassian.web.servlet.plugin.LocationCleanerFilter.doFilter(LocationCleanerFilter.java:36) ... 26 filtered at com.atlassian.jira.servermetrics.MetricsCollectorFilter.doFilter(MetricsCollectorFilter.java:25) ... 25 filtered at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.base/java.lang.Thread.run(Unknown Source) Caused by: javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS11 is not accepted by client preferences [TLS12]

Cause

Starting on April 20, 2021, quarterly update releases of OpenJDK are disabling TLS1.0 and TLS1.1 availability by default in all versions of OpenJDK. More details can be found here: TLS 1.0/1.1 changes in OpenJDK and Amazon Corretto

Workaround

  • Navigate to JAVA_HOME/conf/security folder

  • Find java.security file and open it via a text editor

  • Search for jdk.tls.disabledAlgorithms parameter and delete TLSv1.1 (we remove only this value as it's the only one thrown in the error message)

  • Restart Jira

Updated on April 8, 2025
Platform
Data Center only
Product
Jira Software Data Center
On this pageProblemCauseWorkaround

Still need help?

The Atlassian Community is here for you.
Ask the Community