Confluence Data Center / CONFSERVER-35386

SSLv3 Is Not Disabled When sslProtocol is Set to TLS, Vulnerable to POODLE

      The default connector as written in <confluence_install>/conf/server.xml uses sslProtocol="TLS". This should enable only TLS, but it also enables SSLv3: in Tomcat's JSSE connector, sslProtocol only selects the SSLContext algorithm, and a "TLS" context offers every protocol version the JRE enables by default, which on affected JREs includes SSLv3, unless sslEnabledProtocols restricts the list. A server that still negotiates SSLv3 with CBC-mode cipher suites is exposed to POODLE (CVE-2014-3566). Our documentation and the included server.xml need to be updated to reflect the correct settings to enable only TLS.

      Reproduction steps:

      1. Follow the instructions at Running Confluence Over SSL or HTTPS to enable SSL for Confluence
      2. Run sslscan against the HTTPS connector to see which protocol versions and cipher suites it accepts

      Expected behavior

      Only TLS connections should be available

      Actual behavior

      TLS and SSLv3 connections are both available. The SSLv3 suites marked "Accepted" below (including the CBC suites AES128-SHA, DHE-RSA-AES128-SHA and DES-CBC3-SHA) are the ones POODLE targets:

      Supported Server Cipher(s):
      Rejected SSLv2 168 bits DES-CBC3-MD5
      Rejected SSLv2 56 bits DES-CBC-MD5
      Rejected SSLv2 128 bits IDEA-CBC-MD5
      Rejected SSLv2 40 bits EXP-RC2-CBC-MD5
      Rejected SSLv2 128 bits RC2-CBC-MD5
      Rejected SSLv2 40 bits EXP-RC4-MD5
      Rejected SSLv2 128 bits RC4-MD5
      Rejected SSLv3 256 bits ADH-AES256-SHA
      Rejected SSLv3 256 bits DHE-RSA-AES256-SHA
      Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
      Rejected SSLv3 256 bits AES256-SHA
      Rejected SSLv3 128 bits ADH-AES128-SHA
      Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
      Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
      Accepted SSLv3 128 bits AES128-SHA
      Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
      Rejected SSLv3 56 bits ADH-DES-CBC-SHA
      Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
      Rejected SSLv3 128 bits ADH-RC4-MD5
      Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
      Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
      Accepted SSLv3 56 bits EDH-RSA-DES-CBC-SHA
      Accepted SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
      Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
      Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
      Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
      Accepted SSLv3 168 bits DES-CBC3-SHA
      Accepted SSLv3 56 bits DES-CBC-SHA
      Accepted SSLv3 40 bits EXP-DES-CBC-SHA
      Rejected SSLv3 128 bits IDEA-CBC-SHA
      Rejected SSLv3 40 bits EXP-RC2-CBC-MD5
      Accepted SSLv3 128 bits RC4-SHA
      Accepted SSLv3 128 bits RC4-MD5
      Accepted SSLv3 40 bits EXP-RC4-MD5
      Rejected SSLv3 0 bits NULL-SHA
      Rejected SSLv3 0 bits NULL-MD5
      Rejected TLSv1 256 bits ADH-AES256-SHA
      Rejected TLSv1 256 bits DHE-RSA-AES256-SHA
      Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
      Rejected TLSv1 256 bits AES256-SHA
      Rejected TLSv1 128 bits ADH-AES128-SHA
      Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
      Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
      Accepted TLSv1 128 bits AES128-SHA
      Rejected TLSv1 168 bits ADH-DES-CBC3-SHA
      Rejected TLSv1 56 bits ADH-DES-CBC-SHA
      Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
      Rejected TLSv1 128 bits ADH-RC4-MD5
      Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
      Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
      Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
      Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
      Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
      Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
      Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
      Accepted TLSv1 168 bits DES-CBC3-SHA
      Accepted TLSv1 56 bits DES-CBC-SHA
      Accepted TLSv1 40 bits EXP-DES-CBC-SHA
      Rejected TLSv1 128 bits IDEA-CBC-SHA
      Rejected TLSv1 40 bits EXP-RC2-CBC-MD5
      Accepted TLSv1 128 bits RC4-SHA
      Accepted TLSv1 128 bits RC4-MD5
      Accepted TLSv1 40 bits EXP-RC4-MD5
      Rejected TLSv1 0 bits NULL-SHA
      Rejected TLSv1 0 bits NULL-MD5
      Prefered Server Cipher(s):
      SSLv3 128 bits DHE-RSA-AES128-SHA
      TLSv1 128 bits DHE-RSA-AES128-SHA
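
The following script is an added example and is not part of this issue or of Atlassian's server.xml. It shows the two checks behind the reproduction steps and the expected fix: whether a Tomcat HTTPS connector pins the handshake versions with sslEnabledProtocols (the attribute that actually restricts offered versions; sslProtocol alone does not), and whether an sslscan report still contains "Accepted SSLv3" lines. The connector fragments, keystore paths and the abbreviated sslscan report are constructed for the demo; the report follows the sslscan 1.x text format quoted above, and the "fixed" connector assumes a JRE that supports TLSv1.1 and TLSv1.2.

```shell
#!/usr/bin/env bash
# Added example, not from the issue or from Atlassian's shipped server.xml.
# Check 1: does a Tomcat HTTPS connector explicitly restrict versions to TLS?
# Check 2: does an sslscan report still show SSLv3 being negotiated?
# All inputs below are constructed for the demo.

# Constructed connector in the shape the issue describes: sslProtocol="TLS"
# with no sslEnabledProtocols, so the JRE's default protocol list (SSLv3
# included on affected JREs) is what the server offers.
VULNERABLE_CONNECTOR='<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/path/to/keystore" keystorePass="changeit"
           SSLEnabled="true" URIEncoding="UTF-8"/>'

# The same connector with sslEnabledProtocols added. sslProtocol only picks
# the JSSE SSLContext algorithm; sslEnabledProtocols fixes the versions
# offered in the handshake (assumes the JRE supports TLSv1.1 and TLSv1.2).
FIXED_CONNECTOR='<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           keystoreFile="/path/to/keystore" keystorePass="changeit"
           SSLEnabled="true" URIEncoding="UTF-8"/>'

# Constructed, abbreviated sslscan 1.x report in the format quoted in the issue.
SSLSCAN_REPORT='Supported Server Cipher(s):
Rejected SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 40 bits EXP-RC4-MD5
Rejected TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Prefered Server Cipher(s):
SSLv3 128 bits DHE-RSA-AES128-SHA
TLSv1 128 bits AES128-SHA'

# Print the cipher names sslscan marked "Accepted" over SSLv3, one per line.
accepted_sslv3_ciphers() {
  printf '%s\n' "$1" | awk '$1 == "Accepted" && $2 == "SSLv3" { print $NF }'
}

# Exit 0 when the report contains no accepted SSLv3 cipher, 1 otherwise.
report_is_sslv3_free() {
  [ -z "$(accepted_sslv3_ciphers "$1")" ]
}

# Exit 0 when the connector sets sslEnabledProtocols and the list has no
# SSLv3 entry; exit 1 when the attribute is missing (JRE default applies)
# or when SSLv3 is still listed.
connector_excludes_sslv3() {
  local enabled
  enabled=$(printf '%s\n' "$1" | sed -n 's/.*sslEnabledProtocols="\([^"]*\)".*/\1/p')
  [ -n "$enabled" ] || return 1
  case ",$enabled," in
    *,SSLv3,*) return 1 ;;
  esac
  return 0
}

# Live check against a running instance (not executed in this demo):
# --no-failed makes sslscan print only accepted suites, so any SSLv3 line
# left means the connector still speaks SSLv3.
scan_host_for_sslv3() {
  sslscan --no-failed "${1}:${2:-8443}" | awk '$1 == "Accepted" && $2 == "SSLv3"'
}

if connector_excludes_sslv3 "$VULNERABLE_CONNECTOR"; then
  echo "shipped connector: TLS only"
else
  echo "shipped connector: sslEnabledProtocols missing, SSLv3 may be offered"
fi
if connector_excludes_sslv3 "$FIXED_CONNECTOR"; then
  echo "fixed connector: TLS only"
fi
if report_is_sslv3_free "$SSLSCAN_REPORT"; then
  echo "scan: SSLv3 not negotiable"
else
  echo "scan: SSLv3 still accepted with:"
  accepted_sslv3_ciphers "$SSLSCAN_REPORT"
fi
```

Restricting protocol versions does not by itself produce a clean scan: the report above also shows 40-bit export suites, single DES and RC4 accepted over TLSv1, which Tomcat's separate ciphers attribute on the same connector controls. Run the protocol check and the cipher check together after each change, since the connector is only read when Confluence (Tomcat) is restarted.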

