- Bug
- Resolution: Fixed
- Medium
- 5.9.11, 5.10, 5.10.5
- 12
- Severity 3 - Minor
- 1
Summary
Confluence does not work properly with SNI: the server name is not passed to the proxy, so the proxy cannot select the appropriate SSL certificate for the connection.
The following error appears in the logs:
ERROR [AtlassianEvent::CustomizableThreadFactory-1] [renderer.internal.http.HttpClientFetcher] fetch Unable to retrieve response
javax.net.ssl.SSLException: Certificate for <confluence.example.com> doesn't match any of the subject alternative names: [example.com, www.example.com]
SSL Handshake logs:
Client Hello
*** ClientHello, TLSv1.2 RandomCookie: GMT: 1465353185 bytes = { 111, 58, 239, 142, 180, 152, 9, 190, 64, 130, 163, 245, 181, 73, 113, 224, 245, 68, 59, 219, 122, 136, 158, 177, 0, 142, 88, 155 } Session ID: {} Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] Compression Methods: { 0 } Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} Extension ec_point_formats, formats: [uncompressed] Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA Extension server_name, server_name: [type=host_name (0), value=client.example.com]
Server Hello
*** ServerHello, TLSv1.2 RandomCookie: GMT: 1465353185 bytes = { 131, 239, 72, 124, 119, 210, 173, 215, 12, 33, 102, 219, 183, 39, 68, 243, 187, 234, 94, 9, 135, 219, 40, 96, 20, 230, 80, 238 } Session ID: {195, 107, 250, 31, 122, 90, 54, 21, 173, 240, 134, 67, 193, 111, 83, 193, 9, 25, 205, 159, 226, 230, 43, 191, 49, 179, 27, 33, 248, 46, 207, 138} Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Compression Method: 0 Extension server_name, server_name: Extension renegotiation_info, renegotiated_connection: <empty> Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
Environment
Java 1.8_74
Tomcat 8.0.33
Steps to Reproduce
- Set up a proxy with SNI (certificate chain: root CA -> intermediate cert -> confluence/jira certificates)
- Set up Jira for SSL using the Jira certificate
- Set up Confluence for SSL using the Confluence certificate
Expected Results
When you open Confluence, the Confluence certificate should be used for the SSL connection.
Actual Results
Confluence uses the default certificate (the intermediate certificate) instead and logs the error message shown above.
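To make the failure mode concrete, the following added example (not code from the report or from Confluence) simulates the two halves of the exchange described above: an SNI-aware proxy that picks a certificate by the server_name the client sent and falls back to a default one, and the client-side hostname check (RFC 6125 DNS-ID matching, including the wildcard rule) that then runs against the served certificate's subject alternative names. The certificates and virtual hosts are constructed stand-ins; the SAN list of the default certificate is chosen to reproduce the error text in the log above.

```python
"""Simulate SNI-based certificate selection at a reverse proxy and the
client-side hostname verification that follows. Added example; all
certificate data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only its DNS subject
    alternative names, which is all hostname verification looks at."""
    label: str
    sans: tuple


# Constructed proxy configuration (assumption): one virtual host per
# application, plus the default certificate served when the client sends
# no server_name or one that matches no virtual host.
DEFAULT_CERT = Cert("default", ("example.com", "www.example.com"))
VHOSTS = {
    "confluence.example.com": Cert("confluence", ("confluence.example.com",)),
    "jira.example.com": Cert("jira", ("jira.example.com",)),
}


def select_certificate(sni, vhosts=VHOSTS, default=DEFAULT_CERT):
    """Proxy side: choose the certificate for the server_name the client
    sent in its ClientHello, or the default one if there is no match."""
    if sni is None:
        return default
    return vhosts.get(sni.lower(), default)


def _dns_id_match(pattern, hostname):
    """RFC 6125 section 6.4.3: a wildcard is honoured only as the entire
    left-most label, must leave at least two more labels, and never
    spans more than one label."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(hostname, cert):
    """Client side: does any SAN of the presented certificate cover the
    host we connected to?"""
    return any(_dns_id_match(san, hostname) for san in cert.sans)


def verify(connect_host, sni):
    """Run the whole exchange: the client sends `sni`, the proxy selects a
    certificate, the client checks it against `connect_host`.
    Returns (ok, served_cert_label, message)."""
    cert = select_certificate(sni)
    if hostname_matches(connect_host, cert):
        return True, cert.label, "certificate matches " + connect_host
    return (False, cert.label,
            "Certificate for <%s> doesn't match any of the subject "
            "alternative names: [%s]" % (connect_host, ", ".join(cert.sans)))


if __name__ == "__main__":
    # Wrong server_name, as in the ClientHello above (client.example.com):
    # the proxy serves the default certificate and the check fails.
    print(verify("confluence.example.com", "client.example.com"))
    # No SNI at all: same outcome.
    print(verify("confluence.example.com", None))
    # Correct server_name: the confluence certificate is served and passes.
    print(verify("confluence.example.com", "confluence.example.com"))
```

The first two calls produce the same message the report quotes, which is the point of the simulation: hostname verification is working correctly on the client, and the defect is upstream in which server_name reaches the proxy. When diagnosing a real deployment, compare the server_name printed in the Java handshake debug output with the SANs of the certificate the proxy actually returned, as this model does.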
Workaround
No workaround at the moment.
- relates to CONFSERVER-45964: SNI is not working as expected in Confluence 6.0.2 (Closed)