As of Java 1.8u51+ (also 1.7.0_85+ and 1.6.0_101+) making SSL connections to an IP address is no longer allowed. Previously the JVM would do a reverse lookup of the hostname using the IP then complete the connection using that hostname. This was a security vulnerability because an attacker that gained control of DNS could route traffic to their own server. This change is a security feature of Java.
We have found there is a problem with the way Java creates LDAPS connections. The way Socket.createSocket() is used results in an SSLSocket without the hostname set in it. This results in use of an IP address to make the connection and since this is no longer allowed the connection fails. We have reported this problem to Oracle and also forwarded the information to the Java security dev list: http://mail.openjdk.java.net/pipermail/security-dev/2015-September/012845.html .
Because of this existing LDAPS connections are broken and users from that user directory are unable to login including non-local administrators.
This will affect any customer using secure LDAP that upgrades the JVM. Secure LDAP is very common to protect passwords on the internal network, particularly in enterprise environments. This is exacerbated by Confluence 5.8.8 which ships with Java 1.8.0u51.
- Any version of Confluence using one of the noted Java versions.
- Configure a user directory using a secure LDAP connection
- Upgrade the JDK to a noted Java version.
Logins and LDAP syncs should work as normal.
Users will be unable to authenticate and LDAP syncs will fail.
Errors like this will occur in the logs:
- Add JVM startup parameter -Djdk.tls.trustNameService=true
- This reverts back to the older Java behavior while preserving all the other security related changes in the newer Java release.
- Your LDAP data will still be encrypted. The risk is described by Oracle in their explanation of the change at http://www.oracle.com/technetwork/java/javase/8u51-relnotes-2587590.html :
If an application does need to perform reverse name lookup for raw IP addresses in SSL/TLS connections, and encounter endpoint identification compatibility issue, System property "jdk.tls.trustNameService" can be used to switch on reverse name lookup. Note that if the name service is not trustworthy, enabling reverse name lookup may be susceptible to MITM attacks.
- Under the LDAP connection "Advanced Settings" set "Secure SSL" to disabled
- As stated in the UI this will disable all verification of the SSL certificate. Your LDAP data will still be encrypted.
- This workaround may represent a greater vulnerability as any SSL cert could be substituted with no need to compromise a DNS server.
- Upgrade Java to Java 8u65 (if running Confluence 5.7 or above)
- This version includes a fix for the bug that causes this issue JDK-8135194