
Allow Confluence to integrate over HTTPS with remote systems secured with SSLv3

      Confluence has a built-in component for connecting to other remote systems via HTTP (the HttpRetrievalService). Internally, this is built on top of the Apache Commons HttpClient (http://hc.apache.org).

      Some user-facing components of Confluence, such as the JIRA Issues Macro, depend on this service to connect to remote systems and retrieve data for display.

      There is a bug/limitation in the current version of Confluence's HttpRetrievalService that makes it unable to communicate with remote servers configured to use HTTPS that only accept SSLv3 as the encryption algorithm.

        1. CONF-24035.patch
          10 kB
        2. CONF-24035.zip
          5 kB


            [CONFSERVER-24035] Allow Confluence to integrate over HTTPS with remote systems secured with SSLv3

            Kenny MacLeod added a comment -

            It should be noted that as of Release 8u31, the Oracle JRE disables SSLv3 by default - see http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html

            It appears that this can be re-enabled as described in the above link, on a server-by-server basis.

            Joe Clark added a comment -

            Attached a patch with a proof-of-concept fix. Patch was written and compiled against Conf 3.3.3.

            Patch is currently not suitable for production deployment - it will affect all servers connected to with HTTPS to use SSLv3 only.

            There is also a race condition in this implementation if more than one HTTP connection is being made using the HttpRetrievalService at the same time.

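One way to avoid the two problems named in the comment above (every HTTPS peer forced to SSLv3, and shared state raced by concurrent requests), as an added example that is not Confluence's code or the attached patch. It uses plain JSSE `HttpsURLConnection` rather than the HttpRetrievalService; the class names and the host are hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URL;
import java.net.URLConnection;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Hypothetical helper: pins a protocol list on the sockets it creates; holds no mutable state. */
final class ProtocolScopedFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate = (SSLSocketFactory) SSLSocketFactory.getDefault();
    private final String[] protocols;
    ProtocolScopedFactory(String... protocols) { this.protocols = protocols.clone(); }
    private Socket scope(Socket s) {
        // Affects this socket only. On JREs that disable SSLv3 by default (8u31 and later),
        // the handshake still fails until SSLv3 is re-enabled as the release notes describe.
        ((SSLSocket) s).setEnabledProtocols(protocols);
        return s;
    }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean close) throws IOException {
        return scope(delegate.createSocket(s, h, p, close)); }
    @Override public Socket createSocket(String h, int p) throws IOException {
        return scope(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException {
        return scope(delegate.createSocket(h, p, l, lp)); }
    @Override public Socket createSocket(InetAddress a, int p) throws IOException {
        return scope(delegate.createSocket(a, p)); }
    @Override public Socket createSocket(InetAddress a, int p, InetAddress l, int lp) throws IOException {
        return scope(delegate.createSocket(a, p, l, lp)); }
}

public final class LegacyHostClient {
    // Constructed placeholder host: list only the remote systems known to accept nothing but SSLv3.
    private static final Set<String> LEGACY_HOSTS = Collections.singleton("legacy-jira.example.internal");
    private static final SSLSocketFactory SSLV3_ONLY = new ProtocolScopedFactory("SSLv3");

    static URLConnection open(URL url) throws IOException {
        URLConnection c = url.openConnection();
        if (c instanceof HttpsURLConnection && LEGACY_HOSTS.contains(url.getHost().toLowerCase(Locale.ROOT))) {
            // Per-connection setter: every other HTTPS connection keeps the JRE's default protocols.
            ((HttpsURLConnection) c).setSSLSocketFactory(SSLV3_ONLY);
        }
        return c;
    }
}
```

Because the factory is immutable and attached per connection, concurrent requests to other hosts never observe the SSLv3 setting.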

              jhoarau Julien Michel Hoarau (Inactive)
              ldally lachland