Details
-
Bug
-
Resolution: Duplicate
-
Medium
-
None
-
5.6.6
-
None
Description
The fix for CONF-24035 hard-codes SSLv3 and TLSv1 protocols and explicitly retries with SSLv3 which is not needed. The SSLv3 communication problem in java & confluence is actually caused by java changing its 'client_version' in the TLS handshake. This can be fixed by setting the ' com.sun.net.ssl.rsaPreMasterSecretFix' system property to 'true' or by enabling TLSv1.1 or higher (in java 7+). See https://ecosystem.atlassian.net/browse/SAL-280 & https://ecosystem.atlassian.net/browse/SAL-299.
I suggest that this issue be fixed by updating SAL and using the httpclient SAL provides instead of creating a new instance. Note: because of SAL-300 if confluence wants to support SSLv3 then it will need to set the https.protocols system property to one that contains SSLv3. We suggest not enabling SSLv3 as it is an old and insecure protocol.
Attachments
Issue Links
- duplicates
-
CONFSERVER-36250 Drop SSlv3 retry and copied CustomSSLProtocolSocketFactory.java from SAL
- Closed
- relates to
-
CONFSERVER-24035 Allow Confluence to integrate over HTTPS with remote systems secured with SSLv3
- Closed