Confluence Data Center / CONFSERVER-36165

Disable SSLv3 in outgoing HTTPS connections from Confluence


Details

    Description

      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      SSLv3 is an old protocol and has been superseded by TLSv1.0, TLSv1.1 and TLSv1.2. TLSv1.0 was first defined in January 1999, and Java 6 supports it and uses it as the default client version in the TLS handshake.

      SSLv3 is old and limits the ciphers that can be used. SSLv3 is also vulnerable to POODLE. We should disable SSLv3 by default and provide a system property to re-enable it.

      Note: Java 7 supports TLSv1.1 and TLSv1.2 in client mode but defaults to using TLSv1 in the TLS handshake. We should use TLSv1.1 and TLSv1.2 for client-mode TLS in Java 7 as well. Java 8 enables TLSv1.1 and TLSv1.2 in client mode (in addition to SSLv3 and TLSv1) and uses TLSv1.2 by default in the TLS handshake.

      Workaround:
      Upgrade to Oracle Java 7 update 76 (or higher) or Java 8 update 31 (or higher), as these versions disable SSLv3.
      Alternatively, set jdk.tls.disabledAlgorithms in <JRE_HOME>/lib/security/java.security to include SSLv3 as per the following example:

      # Example:
      #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
      jdk.tls.disabledAlgorithms=SSLv3
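
To confirm the workaround is in effect, the following added example (not part of the original issue and not Atlassian's code) reads a java.security file and reports whether SSLv3 is an active entry in jdk.tls.disabledAlgorithms, ignoring commented-out examples such as the one above that a plain grep would match. The function names are hypothetical, and matching the entry exactly as `SSLv3` is an assumption.

```shell
#!/bin/sh
# Added example: audit a java.security file for the SSLv3 workaround.

# Print the effective jdk.tls.disabledAlgorithms value from file $1.
# Comment lines are skipped, a trailing backslash joins the next line,
# and the last assignment wins (java.util.Properties behaviour).
# Simplification: any trailing backslash is treated as a continuation.
disabled_algorithms() {
    awk '
        !cont && /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (cont) { buf = buf line } else { buf = line }
            if (buf ~ /\\$/) { sub(/\\$/, "", buf); cont = 1; next }
            cont = 0
            if (buf ~ /^jdk\.tls\.disabledAlgorithms[ \t]*[=:]/) {
                sub(/^jdk\.tls\.disabledAlgorithms[ \t]*[=:][ \t]*/, "", buf)
                value = buf
                found = 1
            }
        }
        END { if (found) print value }
    ' "$1"
}

# Exit 0 only if SSLv3 is one of the comma-separated entries.
# Assumption: the entry is spelled exactly "SSLv3".
sslv3_disabled() {
    disabled_algorithms "$1" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx 'SSLv3'
}

# Constructed sample: SSLv3 appears only in a comment, so the
# workaround has NOT been applied even though "grep SSLv3" matches.
sample=$(mktemp)
printf '%s\n' \
    '#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048' \
    'jdk.tls.disabledAlgorithms=MD5, \' \
    '    RSA keySize < 2048' > "$sample"
if sslv3_disabled "$sample"; then
    echo "SSLv3 is disabled"
else
    echo "SSLv3 is NOT disabled: $(disabled_algorithms "$sample")"
fi
rm -f "$sample"
```

Point `sslv3_disabled` at `<JRE_HOME>/lib/security/java.security` for the JRE that actually runs Confluence.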
      

            People

              Assignee: Unassigned
              Reporter: Sorin Sbarnea (Citrix)