Details

Bug

Resolution: Fixed

Medium

5.6.3, 5.6.5, 5.7

None
Description
The default connector as written in <confluence_install>/conf/server.xml uses sslProtocol="TLS". This should only enable TLS connectors, but it also enables SSLv3. Our documentation and the included server.xml need to be updated to reflect the correct settings to enable only TLS.
Reproduction steps:
 Follow the instructions at Running Confluence Over SSL or HTTPS to enable SSL for Confluence
 Use SSLScan to see what connections are available
Expected behavior
Only TLS connections should be available
Actual behavior
TLS and SSLv3 connections are available, shown in the following:
Supported Server Cipher(s):
 Rejected SSLv2 168 bits DESCBC3MD5
 Rejected SSLv2 56 bits DESCBCMD5
 Rejected SSLv2 128 bits IDEACBCMD5
 Rejected SSLv2 40 bits EXPRC2CBCMD5
 Rejected SSLv2 128 bits RC2CBCMD5
 Rejected SSLv2 40 bits EXPRC4MD5
 Rejected SSLv2 128 bits RC4MD5
 Rejected SSLv3 256 bits ADHAES256SHA
 Rejected SSLv3 256 bits DHERSAAES256SHA
 Rejected SSLv3 256 bits DHEDSSAES256SHA
 Rejected SSLv3 256 bits AES256SHA
 Rejected SSLv3 128 bits ADHAES128SHA
 Accepted SSLv3 128 bits DHERSAAES128SHA
 Rejected SSLv3 128 bits DHEDSSAES128SHA
 Accepted SSLv3 128 bits AES128SHA
 Rejected SSLv3 168 bits ADHDESCBC3SHA
 Rejected SSLv3 56 bits ADHDESCBCSHA
 Rejected SSLv3 40 bits EXPADHDESCBCSHA
 Rejected SSLv3 128 bits ADHRC4MD5
 Rejected SSLv3 40 bits EXPADHRC4MD5
 Accepted SSLv3 168 bits EDHRSADESCBC3SHA
 Accepted SSLv3 56 bits EDHRSADESCBCSHA
 Accepted SSLv3 40 bits EXPEDHRSADESCBCSHA
 Rejected SSLv3 168 bits EDHDSSDESCBC3SHA
 Rejected SSLv3 56 bits EDHDSSDESCBCSHA
 Rejected SSLv3 40 bits EXPEDHDSSDESCBCSHA
 Accepted SSLv3 168 bits DESCBC3SHA
 Accepted SSLv3 56 bits DESCBCSHA
 Accepted SSLv3 40 bits EXPDESCBCSHA
 Rejected SSLv3 128 bits IDEACBCSHA
 Rejected SSLv3 40 bits EXPRC2CBCMD5
 Accepted SSLv3 128 bits RC4SHA
 Accepted SSLv3 128 bits RC4MD5
 Accepted SSLv3 40 bits EXPRC4MD5
 Rejected SSLv3 0 bits NULLSHA
 Rejected SSLv3 0 bits NULLMD5
 Rejected TLSv1 256 bits ADHAES256SHA
 Rejected TLSv1 256 bits DHERSAAES256SHA
 Rejected TLSv1 256 bits DHEDSSAES256SHA
 Rejected TLSv1 256 bits AES256SHA
 Rejected TLSv1 128 bits ADHAES128SHA
 Accepted TLSv1 128 bits DHERSAAES128SHA
 Rejected TLSv1 128 bits DHEDSSAES128SHA
 Accepted TLSv1 128 bits AES128SHA
 Rejected TLSv1 168 bits ADHDESCBC3SHA
 Rejected TLSv1 56 bits ADHDESCBCSHA
 Rejected TLSv1 40 bits EXPADHDESCBCSHA
 Rejected TLSv1 128 bits ADHRC4MD5
 Rejected TLSv1 40 bits EXPADHRC4MD5
 Accepted TLSv1 168 bits EDHRSADESCBC3SHA
 Accepted TLSv1 56 bits EDHRSADESCBCSHA
 Accepted TLSv1 40 bits EXPEDHRSADESCBCSHA
 Rejected TLSv1 168 bits EDHDSSDESCBC3SHA
 Rejected TLSv1 56 bits EDHDSSDESCBCSHA
 Rejected TLSv1 40 bits EXPEDHDSSDESCBCSHA
 Accepted TLSv1 168 bits DESCBC3SHA
 Accepted TLSv1 56 bits DESCBCSHA
 Accepted TLSv1 40 bits EXPDESCBCSHA
 Rejected TLSv1 128 bits IDEACBCSHA
 Rejected TLSv1 40 bits EXPRC2CBCMD5
 Accepted TLSv1 128 bits RC4SHA
 Accepted TLSv1 128 bits RC4MD5
 Accepted TLSv1 40 bits EXPRC4MD5
 Rejected TLSv1 0 bits NULLSHA
 Rejected TLSv1 0 bits NULLMD5
Prefered Server Cipher(s):
 SSLv3 128 bits DHERSAAES128SHA
 TLSv1 128 bits DHERSAAES128SHA
Related Notes
 I have documented the correct settings at How To Disable SSLv3 to Mitigate Against POODLE Exploit for Confluence
 This affects every version of Confluence that is running over HTTPS as explained in our documentation
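The following is an added example, not part of the original ticket and not Atlassian's code: a small audit of a Tomcat server.xml that flags TLS connectors relying on sslProtocol="TLS" alone, as described above. It assumes a JSSE (BIO/NIO) connector and uses Tomcat's sslEnabledProtocols attribute, which this page does not show; the sample XML, ports and protocol list are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml. Port 8443 mirrors the setting the ticket
# describes (sslProtocol="TLS" only); port 9443 adds an explicit allow-list
# through Tomcat's sslEnabledProtocols attribute (assumed JSSE connector).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Tomcat-Standalone">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"/>
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  </Service>
</Server>
"""

# Protocol names that must not appear in an allow-list.
LEGACY = {"sslv2", "sslv2hello", "sslv3"}


def audit_connectors(server_xml):
    """Return (port, finding) for each TLS connector that may offer SSLv3."""
    findings = []
    for conn in ET.fromstring(server_xml.strip()).iter("Connector"):
        # Only connectors that terminate TLS themselves are relevant.
        if conn.get("SSLEnabled", "").lower() != "true":
            continue
        port = conn.get("port", "?")
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            # No allow-list: the protocol set is left to container/JVM defaults.
            findings.append((port, "sslEnabledProtocols not set"))
            continue
        bad = sorted(p.strip() for p in enabled.split(",")
                     if p.strip().lower() in LEGACY)
        if bad:
            findings.append((port, "legacy protocols enabled: " + ", ".join(bad)))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"connector on port {port}: {finding}")
```

A clean audit only covers the configuration file; re-running SSLScan against the listener, as in the reproduction steps, confirms what the server actually negotiates.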
Issue Links
 is related to

CWD4214 Disable SSLv3 in the commented out TLS tomcat configuration
 Closed

JRASERVER41685 Disable SSLv3 in the commented out TLS tomcat configuration
 Closed
 relates to

CONFSERVER36800 Update embedded Tomcat to 7.0.57+
 Closed