How to secure Bamboo against Poodle by disabling SSLV3

Related content

  • No related content found

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Purpose

Disabling SSLV3 in Bamboo instances utilizing a Tomcat container in order to secure against the Poodle Exploit.

Solution

  1. Stop Bamboo server,

  2. Edit the <Bamboo server installation directory>/conf/server.xml file:

    server.xml 
    <Connector
                port="8085"
                protocol="HTTP/1.1"

                maxThreads="150" minSpareThreads="25"
                connectionTimeout="20000"
                disableUploadTimeout="true"
                acceptCount="100"

                enableLookups="false"
                maxHttpHeaderSize="8192"

                useBodyEncodingForURI="true"
                URIEncoding="UTF-8"

                redirectPort="8443">
            <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        </Connector>

    Please note these are default values, yours may look different.

  3. Add the following to the connector:

    sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"

  4. Start Bamboo server.

This should do it for Bamboo running default in Tomcat container.

Extra Strength Protection

Consider updating the ciphers Tomcat is using

In-Depth Linux SSLV3 Dive


Last modified on Jun 29, 2021

Was this helpful?

Yes
No
Provide feedback about this article

Related content

  • No related content found
Powered by Confluence and Scroll Viewport.