How to secure Bamboo against POODLE by disabling SSLv3
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Purpose
Disable SSLv3 on Bamboo instances running in the bundled Tomcat container, so that the server is no longer exposed to the POODLE attack (CVE-2014-3566), which relies on a client being downgraded to SSLv3.
Solution
- Stop the Bamboo server.
- Edit the <Bamboo server installation directory>/conf/server.xml file. The default HTTP connector looks like this:
  server.xml
  <Connector port="8085" protocol="HTTP/1.1" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" disableUploadTimeout="true" acceptCount="100" enableLookups="false" maxHttpHeaderSize="8192" useBodyEncodingForURI="true" URIEncoding="UTF-8" redirectPort="8443">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  </Connector>
  Please note these are default values, yours may look different.
- Add the following attribute to the connector that terminates HTTPS, i.e. the one with SSLEnabled="true" (by default the connector on the redirectPort, 8443). The sslEnabledProtocols attribute only takes effect on an SSL-enabled connector; adding it to the plain HTTP connector on port 8085 shown above changes nothing.
  sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
- Start the Bamboo server.
This is sufficient for Bamboo running in its bundled Tomcat container. If TLS is terminated in front of Bamboo (a reverse proxy or load balancer), SSLv3 must be disabled there instead, because Tomcat never sees the TLS handshake. To verify, run openssl s_client -connect <host>:8443 -ssl3 from a machine whose OpenSSL still supports SSLv3; a hardened server refuses the handshake.
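The following script is an added example and is not Atlassian's code. It audits a Bamboo-style server.xml for the POODLE exposure described above and applies the fix: it considers only connectors with SSLEnabled="true" (the plain 8085 connector is skipped, because sslEnabledProtocols does nothing there), reports connectors that either leave the protocol list to the JVM default or explicitly enable SSLv2/SSLv3, and writes sslEnabledProtocols onto every TLS connector. The server.xml it operates on is a constructed sample, not a file taken from a real installation, and the keystore path in it is hypothetical.

```python
"""Audit and harden Tomcat <Connector> elements in a Bamboo server.xml for POODLE.

Added example, not Atlassian's code. Assumes the Tomcat connector attributes
documented for Tomcat (SSLEnabled, sslEnabledProtocols, port).
"""
import xml.etree.ElementTree as ET

# Constructed sample server.xml: Bamboo's default plain-HTTP connector on 8085
# plus an HTTPS connector on 8443 that does not restrict protocols, so the JVM
# default applies (which on older JVMs still includes SSLv3). The keystore
# path is hypothetical.
SAMPLE_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8085" protocol="HTTP/1.1" maxThreads="150"
               connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/opt/bamboo/bamboo.jks" keystorePass="changeit"
               sslProtocol="TLS" clientAuth="false"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# The value from the article. Drop TLSv1 and TLSv1.1 if your clients allow it.
HARDENED_PROTOCOLS = "TLSv1.2,TLSv1.1,TLSv1"
# Protocol names that must never appear in sslEnabledProtocols.
BANNED = {"SSLv2", "SSLv3"}


def ssl_connectors(root):
    """Yield the <Connector> elements that terminate TLS (SSLEnabled="true")."""
    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() == "true":
            yield connector


def audit(xml_text):
    """Return a list of (port, finding) tuples, one per TLS connector.

    Plain-HTTP connectors such as Bamboo's default 8085 are skipped on purpose:
    sslEnabledProtocols has no effect on them, so they are neither a finding
    nor a place where the fix would help.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for connector in ssl_connectors(root):
        port = connector.get("port")
        protos = connector.get("sslEnabledProtocols")
        if protos is None:
            findings.append((port, "no sslEnabledProtocols: JVM default applies, may allow SSLv3"))
            continue
        enabled = {p.strip() for p in protos.split(",") if p.strip()}
        weak = sorted(enabled & BANNED)
        if weak:
            findings.append((port, "weak protocols enabled: " + ",".join(weak)))
        else:
            findings.append((port, "ok: " + ",".join(sorted(enabled))))
    return findings


def harden(xml_text, protocols=HARDENED_PROTOCOLS):
    """Return server.xml text with sslEnabledProtocols set on every TLS connector.

    Connectors without SSLEnabled="true" are left untouched, matching where the
    attribute actually has an effect in Tomcat.
    """
    root = ET.fromstring(xml_text)
    for connector in ssl_connectors(root):
        connector.set("sslEnabledProtocols", protocols)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, finding in audit(SAMPLE_SERVER_XML):
        print("before:", port, finding)
    for port, finding in audit(harden(SAMPLE_SERVER_XML)):
        print("after: ", port, finding)
```

To use it on a real installation, read <Bamboo server installation directory>/conf/server.xml into xml_text, run audit() first, and only then write the output of harden() back, because ElementTree drops XML comments and the XML declaration when it serialises; review the diff before restarting Bamboo.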
Extra Strength Protection
Consider also restricting the cipher suites Tomcat offers, using the ciphers attribute on the same SSL-enabled connector, so that RC4 and export-grade suites are excluded. Where your clients allow it, drop TLSv1 and TLSv1.1 from sslEnabledProtocols as well; both are deprecated, leaving TLSv1.2 (and TLSv1.3 where the JVM supports it) as the only enabled protocols.