
How to enable sslv3 protocol on Confluence tomcat server?

Rahul Aich [Nagra]
Rising Star
November 9, 2017

Hi All

I have Confluence 5.10 installed with the packaged Tomcat on the Windows platform.

We have a third-party application which can communicate with Confluence only over the SSLv3 protocol.

My question is: how can I enable Tomcat on the Confluence server to accept handshakes in the SSLv3 protocol (in addition to TLSv1, TLSv1.1 and TLSv1.2)?

Rahul

3 answers

2 votes
Nic Brough -Adaptavist-
Community Leader
November 9, 2017

I would stop using this third party application until it is made safe.

sslv3 is broken and not secure.  It's regularly probed by bots looking for security holes and when found, used as an attack vector.

You really do not want to enable sslv3.

0 votes
AnnWorley
Atlassian Team
November 14, 2017

@Rahul Aich [Nagra] If you are running Confluence as a service on Windows, the setenv.bat parameters are ignored, so you will need to add the option as described in: Configuring System Properties. There is a command line and a registry method in the guide, as well as screenshots.

0 votes
Mizan
Rising Star
November 9, 2017

This protocol is disabled at the JVM level; you will need to enable it using the JVM argument below:

-Djdk.tls.disabledAlgorithms=

No value, it means SSLv2 and SSLv3 are now enabled as they are disabled by default.

In the Tomcat configuration, add SSLv3 to the SSL protocols.

Please try on test first. I am assuming you are using Tomcat 8, as it is the only compatible version with 5.10.

Nic Brough -Adaptavist-
Community Leader
November 9, 2017

Please, don't do this.

They are disabled for good reasons - you will be opening yourself up for easy attacks.

Rahul Aich [Nagra]
Rising Star
November 9, 2017

Thanks Mizan and Nic, I understand the risks involved and will not disable them permanently. But in order to confirm my root cause of our connectivity issue, I would like to disable them on my test Confluence server.

Do you know how to do it on windows platform?

Nic Brough -Adaptavist-
Community Leader
November 9, 2017

Good good.  Yes, it's pretty much the same in all operating systems.

Find the setenv.bat (setenv.sh on Unix-like systems).  Open it up with a text editor and look for where -D is used.  Jira's setenv files tend to have a line near the top which says "put debug arguments in here", followed by JVM_ARG="", and it's best to use that for Jira.

Confluence varies by version.  In 6.3, there's a lot of lines like

CATALINA_OPTS="-Djava.awt.headless=true ${CATALINA_OPTS}"

You can add one for this:

CATALINA_OPTS="-Djdk.tls.disabledAlgorithms= ${CATALINA_OPTS}"

Note that this enables a number of other insecure protocols, not just SSLv3.
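
A check for leftovers of the test change discussed in this thread, as an added example that is not part of any post: it scans setenv text for a `-Djdk.tls.disabledAlgorithms=` override that no longer lists SSLv3, and server.xml for a Connector whose `sslEnabledProtocols` includes SSLv2/SSLv3. The function names and the sample file contents are constructed for illustration, and checking the `sslEnabledProtocols` attribute is an assumption, since the thread does not name the attribute.

```python
import re
import xml.etree.ElementTree as ET

WEAK = {"sslv2", "sslv2hello", "sslv3"}
# Captures the value of the override up to whitespace or a quote.
OVERRIDE = re.compile(r'-Djdk\.tls\.disabledAlgorithms=([^\s"\']*)')

# Constructed sample inputs (not taken from a real installation).
SAMPLE_SETENV = '''\
CATALINA_OPTS="-Djava.awt.headless=true ${CATALINA_OPTS}"
CATALINA_OPTS="-Djdk.tls.disabledAlgorithms= ${CATALINA_OPTS}"
'''
SAMPLE_SERVER_XML = '''<Server><Service name="Tomcat-Standalone">
  <Connector port="8443" SSLEnabled="true" scheme="https"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv3"/>
  <Connector port="8090"/>
</Service></Server>'''


def audit_setenv(text):
    """Return (line_no, reason) for each override that no longer lists SSLv3."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip().lower().startswith(("#", "rem ", "::")):
            continue  # commented out in setenv.sh / setenv.bat
        for m in OVERRIDE.finditer(line):
            algos = {a.strip().lower() for a in m.group(1).split(",") if a.strip()}
            if not algos:
                findings.append((no, "disabledAlgorithms overridden with empty value"))
            elif "sslv3" not in algos:
                findings.append((no, "disabledAlgorithms override omits SSLv3"))
    return findings


def audit_server_xml(text):
    """Return (port, protocol) for each Connector that lists a weak protocol."""
    findings = []
    for conn in ET.fromstring(text).iter("Connector"):
        value = conn.get("sslEnabledProtocols", "")
        for proto in re.split(r"[,\s]+", value):
            if proto.lower() in WEAK:
                findings.append((conn.get("port"), proto))
    return findings


if __name__ == "__main__":
    for finding in audit_setenv(SAMPLE_SETENV) + audit_server_xml(SAMPLE_SERVER_XML):
        print(finding)
```

When Confluence runs as a Windows service the JVM options live outside setenv.bat, as noted in the thread, so the same text check would need to be pointed at wherever those options are exported from.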
