  1. Confluence Cloud
  2. CONFCLOUD-39672

Current bundled Java version in Confluence 5.8.x should be replaced


    • Type: Suggestion
    • Resolution: Tracked Elsewhere

      NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion.

      Problem Definition

      The current bundled Java version has a bug, JDK-8135194, that always causes the connection to fail when trying to use Secure LDAP.

      Specifically, the way Socket.createSocket() is used results in an SSLSocket without the hostname set in it. This results in use of an IP address to make the connection, and since this is no longer allowed, the connection fails. We have reported this problem to Oracle and also forwarded the information to the Java security dev list: http://mail.openjdk.java.net/pipermail/security-dev/2015-September/012845.html.

      Because of this, existing LDAPS connections are broken and users from that user directory are unable to log in, including non-local administrators.

      This will affect any customer using secure LDAP that upgrades the JVM. Secure LDAP is very common to protect passwords on the internal network, particularly in enterprise environments. This is exacerbated by Confluence 5.8.8, which ships with Java 1.8.0u51.

      Suggested Resolution

      Bundle Java 8u65 with Confluence installer versions.

            sbrannen@atlassian.com Branno
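
Added example, not part of the original issue or of the JDK: a simplified Python model of the TLS server identity check, showing why a client whose only reference identity is the server's IP address rejects a certificate that lists DNS names only. The certificate dicts are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; that the affected LDAPS certificates carry no IP SAN is an assumption.

```python
import ipaddress

# Constructed samples (shape of ssl.SSLSocket.getpeercert()); names are hypothetical.
LDAPS_CERT = {"subjectAltName": (("DNS", "ldap.example.com"),
                                 ("DNS", "*.corp.example.com"))}
CERT_WITH_IP = {"subjectAltName": (("DNS", "ldap.example.com"),
                                   ("IP Address", "192.0.2.10"))}


def _is_ip(value):
    """True when the reference identity is an IP literal, not a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_match(pattern, host):
    """Case-insensitive match; '*.' covers exactly one left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def verify_identity(cert, reference):
    """Return (ok, reason) for the identity the client actually holds."""
    sans = cert.get("subjectAltName", ())
    if _is_ip(reference):
        # An IP reference may only match iPAddress entries, never DNS names.
        ips = [v for k, v in sans if k == "IP Address"]
        if not ips:
            return False, "reference is an IP literal but the certificate has no IP SAN"
        ref = ipaddress.ip_address(reference)
        ok = any(ipaddress.ip_address(v) == ref for v in ips)
        return ok, "IP SAN match" if ok else "IP literal not listed in IP SANs"
    names = [v for k, v in sans if k == "DNS"]
    ok = any(_dns_match(n, reference) for n in names)
    return ok, "DNS SAN match" if ok else "hostname not listed in DNS SANs"


if __name__ == "__main__":
    # Same server, same certificate: only the identity the client kept differs.
    for ref in ("ldap.example.com", "192.0.2.10"):
        print(ref, verify_identity(LDAPS_CERT, ref))
```

Running `verify_identity` over the `getpeercert()` output of a directory server shows whether its certificate would survive a check against the IP address alone.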