Confluence Data Center
CONFSERVER-87297

Remove TLSv1.1 and TLSv1.2 as default

Details

    • Suggestion
    • Resolution: Unresolved
    • Security
    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Problem Definition

      Remove TLSv1.1, as it is vulnerable to downgrade attacks since it uses a SHA-1 hash to protect the integrity of exchanged messages. Even authentication of handshakes is done based on SHA-1, which makes it easier for an attacker to impersonate a server for MITM attacks. This takes precedence as TLSv1.1 has been removed from server.xml but is still accepted during a vulnerability scan.

      Suggested Solution

      Have as default the secure TLSv1.3, and then add, if needed, TLSv1.1 and TLSv1.2.

      Workaround

      This can be set up as shown in How to change the SSL/TLS protocols used by Tomcat, but this request will improve the default security.
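      As an added example (not part of this issue and not Atlassian's own documentation), a Tomcat server.xml connector whose allow-list still offers TLSv1.1, next to one restricted to TLSv1.3 as this request asks for by default; the port, keystore path, password and certificate type are assumed placeholder values.

```xml
<!-- Before (constructed example): an explicit protocol list that still
     includes TLSv1.1, so a scanner will observe it being accepted -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https" secure="true"
           sslEnabledProtocols="TLSv1.1,TLSv1.2"
           keystoreFile="conf/keystore.jks"
           keystorePass="CHANGE_ME" />

<!-- After: only TLSv1.3 is offered. If older clients genuinely still need
     it, append ",TLSv1.2" to the protocols attribute; TLSv1.1 stays out.
     Keystore path, password and type are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.3">
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     certificateKeystorePassword="CHANGE_ME"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

      The protocols attribute is an allow-list: any version not named is not offered, which is what a follow-up vulnerability scan should confirm after the restart.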

          People

            Unassigned
            betto
            Votes: 0
            Watchers: 1