Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-35386

SSLv3 Is Not Disabled When sslProtocol is Set to TLS, Vulnerable to POODLE

XMLWordPrintable

      The default connector as written in <confluence_install>/conf/server.xml uses sslProtocol="TLS". This should only enable TLS connectors, but it also enables SSLv3. Our documentation and the included server.xml need to be updated to reflect the correct settings to enable only TLS.

      Reproduction steps:

      1. Follow the instructions at Running Confluence Over SSL or HTTPS to enable SSL for Confluence
      2. Use SSLScan to see what connections are available

      Expected behavior

      Only TLS connections should be available

      Actual behavior

      TLS and SSLv3 connections are available, shown in the following:

      Supported Server Cipher(s):
Rejected SSLv2 168 bits DES-CBC3-MD5
Rejected SSLv2 56 bits DES-CBC-MD5
Rejected SSLv2 128 bits IDEA-CBC-MD5
Rejected SSLv2 40 bits EXP-RC2-CBC-MD5
Rejected SSLv2 128 bits RC2-CBC-MD5
Rejected SSLv2 40 bits EXP-RC4-MD5
Rejected SSLv2 128 bits RC4-MD5
Rejected SSLv3 256 bits ADH-AES256-SHA
Rejected SSLv3 256 bits DHE-RSA-AES256-SHA
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
Rejected SSLv3 256 bits AES256-SHA
Rejected SSLv3 128 bits ADH-AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
Rejected SSLv3 56 bits ADH-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Rejected SSLv3 128 bits ADH-RC4-MD5
Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 56 bits DES-CBC-SHA
Accepted SSLv3 40 bits EXP-DES-CBC-SHA
Rejected SSLv3 128 bits IDEA-CBC-SHA
Rejected SSLv3 40 bits EXP-RC2-CBC-MD5
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted SSLv3 40 bits EXP-RC4-MD5
Rejected SSLv3 0 bits NULL-SHA
Rejected SSLv3 0 bits NULL-MD5
Rejected TLSv1 256 bits ADH-AES256-SHA
Rejected TLSv1 256 bits DHE-RSA-AES256-SHA
Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
Rejected TLSv1 256 bits AES256-SHA
Rejected TLSv1 128 bits ADH-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Rejected TLSv1 168 bits ADH-DES-CBC3-SHA
Rejected TLSv1 56 bits ADH-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Rejected TLSv1 128 bits ADH-RC4-MD5
Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 40 bits EXP-DES-CBC-SHA
Rejected TLSv1 128 bits IDEA-CBC-SHA
Rejected TLSv1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 40 bits EXP-RC4-MD5
Rejected TLSv1 0 bits NULL-SHA
Rejected TLSv1 0 bits NULL-MD5
Prefered Server Cipher(s):
SSLv3 128 bits DHE-RSA-AES128-SHA
TLSv1 128 bits DHE-RSA-AES128-SHA

      Related Notes

            [CONFSERVER-35386] SSLv3 Is Not Disabled When sslProtocol is Set to TLS, Vulnerable to POODLE

            Renata Dornelas made changes -
            Remote Link Original: This issue links to "Page (Atlassian Documentation)" [ 83862 ]
            Katherine Yabut made changes -
            Workflow Original: JAC Bug Workflow v3 [ 2896431 ] New: CONFSERVER Bug Workflow v4 [ 2989183 ]
            Owen made changes -
            Workflow Original: JAC Bug Workflow v2 [ 2787688 ] New: JAC Bug Workflow v3 [ 2896431 ]
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            Owen made changes -
            Workflow Original: JAC Bug Workflow [ 2736003 ] New: JAC Bug Workflow v2 [ 2787688 ]
            Owen made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2392211 ] New: JAC Bug Workflow [ 2736003 ]
            Alex Yakovlev (Inactive) made changes -
            Labels Original: affects-server bugfix loyalty no-cvss-required security ssl New: affects-server loyalty no-cvss-required security ssl
            Alex Yakovlev (Inactive) made changes -
            Labels Original: affects-server bugfix no-cvss-required security ssl New: affects-server bugfix loyalty no-cvss-required security ssl
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 [ 2273186 ] New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2392211 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2223680 ] New: Confluence Workflow - Public Facing - Restricted v5 [ 2273186 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2183601 ] New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2223680 ]

              tthanhdang Tung Dang
              sbrannen@atlassian.com Branno (Inactive)
              Affected customers:
              6 This affects my team
              Watchers:
              9 Start watching this issue

                Created:
                Updated:
                Resolved: