-
Bug
-
Resolution: Fixed
-
Medium
-
5.9.11, 5.10, 5.10.5
-
12
-
Severity 3 - Minor
-
1
-
Summary
Confluence does not work properly with SNI. Server name is not being passed to the proxy to select the appropriate SSL Certificate.
The following error appears in the logs
ERROR [AtlassianEvent::CustomizableThreadFactory-1] [renderer.internal.http.HttpClientFetcher] fetch Unable to retrieve response
javax.net.ssl.SSLException: Certificate for <confluence.example.com> doesn't match any of the subject alternative names: [example.com, www.example.com]
SSL Handshake logs:
Client Hello
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1465353185 bytes = { 111, 58, 239, 142, 180, 152, 9, 190, 64, 130, 163, 245, 181, 73, 113, 224, 245, 68, 59, 219, 122, 136, 158, 177, 0, 142, 88, 155 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=client.example.com]
Server Hello
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1465353185 bytes = { 131, 239, 72, 124, 119, 210, 173, 215, 12, 33, 102, 219, 183, 39, 68, 243, 187, 234, 94, 9, 135, 219, 40, 96, 20, 230, 80, 238 }
Session ID: {195, 107, 250, 31, 122, 90, 54, 21, 173, 240, 134, 67, 193, 111, 83, 193, 9, 25, 205, 159, 226, 230, 43, 191, 49, 179, 27, 33, 248, 46, 207, 138}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension server_name, server_name:
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
Environment
Java 1.8_74
Tomcat 8.0.33
Steps to Reproduce
- Setup proxy with SNI (certificate chain: root CA -> Intermediate cert -> confluence/jira certificates)
- Setup Jira for SSL using Jira Certificate
- Setup Confluence for SSL using Confluence Certificate
Expected Results
When you open Confluence, you should be able to see Confluence certificate being used for the SSL Connection
Actual Results
Confluence is using the default certificate (intermediate certificate) instead and throwing the above error message in the logs.
Workaround
No workaround at the moment.
- relates to
-
-
- Closed
-
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[CONFSERVER-42948] Confluence SNI not working
https://jira.atlassian.com/browse/CONFSERVER-45964
Will there be any releases for earlier supported versions?
Hi I don't remember the source but I found a patch when investigating this committed by Atlassian in 4.4.x https://github.com/apache/httpclient/pull/47
Apply this to the 4.4.1 branch and rebuild the httpclient and you should be able to get around this issue.
This testing was done on 5.10.8 so the issue still persist there.
Hi There,
problem is fixed in apache httpclient 4.5.3-SNAPSHOT.
may rebuild confluence with apache httpclient version 4.5.3 the problem is resolved
I tried to work with fix 4.5.3-SNAPSHOT with https://bitbucket.org/atlassianlabs/httpclienttest and everything works correctly (httpclienttest works fine)
Hi rslaiby,
I also used https://bitbucket.org/atlassianlabs/httpclienttest/overview
the problem is caused when such an implementation httpclient
HttpClient client = new *DefaultHttpClient*(); HttpGet request = new HttpGet("https://" + args[0]); HttpResponse response = null; try { response = *client.execute*(request);
java *-Djavax.net.debug=ssl *-Djavax.net.ssl.trustStore... ...
when sending the request to the host server with nginx - we get the problem. connecting sni not processed and eventually should be loaded not the requested host, but default host on server
when using this code established connection correctly (https://hc.apache.org/httpcomponents-client-ga/httpclient/examples/org/apache/http/examples/client/ClientWithResponseHandler.java)
Dominic Hargreaves
added a comment - The workaround I used was to configure the connection between the two Confluence instances to use plain HTTP over a private network.
Dominic Hargreaves
added a comment - The workaround I used was to configure the connection between the two Confluence instances to use plain HTTP over a private network. Dominic Hargreaves
added a comment - For the record, the "(intermediate certificate)" part of this is incorrect: "Confluence is using the default certificate (intermediate certificate) instead and throwing the above error message in the logs." This issue has nothing to do with chains and could be replicated with a self-signed cert too if the trust stores in question had the relevant certs installed.
Dominic Hargreaves
added a comment - For the record, the "(intermediate certificate)" part of this is incorrect: "Confluence is using the default certificate (intermediate certificate) instead and throwing the above error message in the logs." This issue has nothing to do with chains and could be replicated with a self-signed cert too if the trust stores in question had the relevant certs installed.
Fixed in Confluence 6.6.0 and up by upgrading to httpclient 4.5.3.
Note that this version of httpclient has its own problem with Subject Alternative Name. This was fixed in httpclient 4.5.5, which is also bundled by atlassian-httpclient 1.0.1. These updates shipped in Confluence 6.6.4, 6.7.3 and 6.8.0.