How to disable SSLv3 to mitigate against POODLE exploit for Confluence 5.7.0 or below

Related content

  • No related content found

Still need help?

The Atlassian Community is here for you.

Ask the community

Purpose

If you have enabled the SSL connector for Confluence using <confluence_install>/conf/server.xml, the default settings do not block SSLv3 connections which can be exploited by the POODLE fallback attack. There are two changes that need to be made to the SSL connector. By default, the SSL connector sets sslProtocol="TLS" which starts both TLS connectors and SSLv3 connectors. You can tell if you are affected by opening <confluence_install>/conf/server.xml and find the SSL connector, example follows:

<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
           URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>

You may also notice that some web browsers, such as Google Chrome fail to browse to your SSL enabled instance, with the following error (or similar)

A secure connection cannot be established because this site uses an unsupported protocol

Workaround

  • Edit the SSL connector in server.xml as follows:

    <Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" SSLEnabled="true"
           URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>

  • In older versions of Tomcat (up to 6.0.32) the property sslEnabledProtocols didn't exist. If you're running Confluence 4.0.X or older, please edit the SSL connector as follows instead:

    <Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
           URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>
  • At this point, you can start Confluence and use something like SSLScan to verify that connections can only be made through TLS and not SSLv3.


Solution

  • Install Confluence 5.7.1 or higher as it includes a bundled Tomcat that is not affected by POODLE
  • CONF-35386 - Getting issue details... STATUS
Last modified on Jun 14, 2016

Was this helpful?

Yes
No
Provide feedback about this article

Related content

  • No related content found
Powered by Confluence and Scroll Viewport.