Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

SSL cipher problems with browsers

Pierre Zentara
Pierre Zentara
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
November 30, 2017

Hi,

we have a Confluence server running on Windows Server 2012 R2 with Tomcat.

We want to secure our server with https. Because the port 443 is already used on our IP and firewall, we decided to use port 8091. HTTP is on port 8090 and works just fine btw.

For that we added a SSL wildcard certificate to a custom keystore.
Then we add a HTTPS connector to server.xml.
After that we changed the base url to https://doku.bios-tec.de:8091

But then we have problems accessing confluence via HTTPS. We get the following error message in several browsers:  ERR_SSL_VERSION_OR_CIPHER_MISMATCH

 

We have found some KB and forum threads online and update some cipher parameters to the configuration. see: https://confluence.atlassian.com/kb/security-tools-report-the-default-ssl-ciphers-are-too-weak-755140945.html

 

here an example of our connector section:

 

<Connector port="8091" maxhttpheadersize="8192" enablelookups="false" disableuploadtimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" SSLEnabled="true" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" keystoreFile="ourKeystoreFile" keystorePass="******"/>;

 

How can we get our Confluence server running with the SSL/TLS ciphers that are compatible with browsers like Chrome, Firefox and so on?

Answer
Watch
Like Be the first to like this
2109 views

3 answers

1 vote
josh
Josh Steckler
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 30, 2017

I don't know if this would solve the error, but in general when using HTTPS it would benefit you in terns of performance to put a proxy in front of Confluence. On WinServer you could use IIS and let that web server handle the SSL handshake.

https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-microsoft-internet-information-services-iis-833931378.html

View More Comments
Lars Olav Velle
Lars Olav Velle
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 30, 2017

I agree with Josh here. I do not understand why so many people struggle with tomcat and SSL when its just to put a proxy in front. 

If it helps: (This gives compatibility, and A+ rating)


SSLProtocol all -SSLv2 -SSLv3


SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

Like
Reply
0 votes
Deleted user January 19, 2019

Hello!

I had this exact same problem. Turned out it was because I was trying to use a PKCS12 (.pfx) format keystore instead of the proprietary JKS format. The admin interface accepted my PKCS12 keystore but apparently the rest did not.

Follow this post on Stack Overflow to convert your keystore to JKS and try again. It should work fine.

I'm also posting this here because I had one heck of a time figuring this out on my own, so for you time travelers out there, this is for you. ;)

Regards,

Wes

Reply
0 votes
Davin Studer
Davin Studer
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 1, 2017

FYI, by default Confluence 6+ uses port 8091 for Synchrony. So you may want to consider a different port.

Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
AUG Leaders

Atlassian Community Events

    See all events