  1. Confluence Data Center
  2. CONFSERVER-36731

The fix for CONF-24035 hard-codes SSLv3 and TLSv1 protocols and explicitly retries with SSLv3 which is not needed


Details

    Description

      The fix for CONF-24035 hard-codes SSLv3 and TLSv1 protocols and explicitly retries with SSLv3, which is not needed. The SSLv3 communication problem in Java & Confluence is actually caused by Java changing its 'client_version' in the TLS handshake. This can be fixed by setting the 'com.sun.net.ssl.rsaPreMasterSecretFix' system property to 'true' or by enabling TLSv1.1 or higher (in Java 7+). See https://ecosystem.atlassian.net/browse/SAL-280 & https://ecosystem.atlassian.net/browse/SAL-299.

      I suggest that this issue be fixed by updating SAL and using the httpclient SAL provides instead of creating a new instance. Note: because of SAL-300, if Confluence wants to support SSLv3 then it will need to set the https.protocols system property to one that contains SSLv3. We suggest not enabling SSLv3 as it is an old and insecure protocol.

            People

              Unassigned Unassigned
              dblack David Black
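The alternative to a hard-coded protocol list that the description points to, as an added example that is not part of the original issue and is not Confluence or SAL code: the client takes its protocols from the `https.protocols` system property when it is set and from the JVM defaults otherwise. The class name `ProtocolSelection` and the method `select` are hypothetical.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ProtocolSelection {
    // The pattern the issue objects to: a fixed list baked into the client.
    static final String[] HARD_CODED = {"SSLv3", "TLSv1"};

    /**
     * Protocols to enable on a client socket: the https.protocols value when set,
     * otherwise the JVM defaults, always limited to what the JVM supports.
     */
    static String[] select(String httpsProtocols, String[] jvmDefaults, String[] jvmSupported) {
        List<String> wanted = new ArrayList<>();
        if (httpsProtocols == null || httpsProtocols.trim().isEmpty()) {
            wanted.addAll(Arrays.asList(jvmDefaults));
        } else {
            for (String p : httpsProtocols.split(",")) {
                if (!p.trim().isEmpty()) wanted.add(p.trim());
            }
        }
        wanted.retainAll(Arrays.asList(jvmSupported)); // drop names this JVM does not know
        if (wanted.isEmpty()) {
            throw new IllegalStateException("no usable protocol in: " + httpsProtocols);
        }
        return wanted.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] defaults = ctx.getDefaultSSLParameters().getProtocols();
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        String[] chosen = select(System.getProperty("https.protocols"), defaults, supported);

        System.out.println("hard-coded : " + Arrays.toString(HARD_CODED));
        System.out.println("JVM default: " + Arrays.toString(defaults));
        System.out.println("selected   : " + Arrays.toString(chosen));

        // Apply to an unconnected socket; nothing is sent on the network.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            s.setEnabledProtocols(chosen);
            System.out.println("on socket  : " + Arrays.toString(s.getEnabledProtocols()));
        }
    }
}
```

Running it with and without `-Dhttps.protocols=TLSv1.2` shows the selected list following the property and the JVM rather than the fixed `HARD_CODED` values.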