Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

SSL Error no Cypher Overlap

Athman Boukhaoua
Athman Boukhaoua May 18, 2020

I'm trying to upgrade our Confluence install from 6.6 to 7.4. This generally works, and the HTTP site starts without any issue, but after the upgrade we can't connect to Confluence over HTTPS anymore. If we try, we get an SSL cypher error. In Firefox that is SSL_ERROR_NO_CYPHER_OVERLAP, but Chrome and IE11 display similar errors about not allowing the connection because of insufficient SSL settings.

If I query the HTTPS server with nmap I get the following list of offered cyphers:

| ssl-enum-ciphers:

| TLSv1.2:

| ciphers:

| TLS_DHE_DSS_WITH_AES_128_CBC_SHA (dh 1024) - A

| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (dh 1024) - A

| TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (dh 1024) - A

| TLS_DHE_DSS_WITH_AES_256_CBC_SHA (dh 1024) - A

| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (dh 1024) - A

| TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (dh 1024) - A

| compressors:

| NULL

| cipher preference: client

| warnings:

| Key exchange (dh 1024) of lower strength than certificate key

|_ least strength: A

 

Which really seems woefully inadequate. If I query one of our IIS Webservers that is using the same certificate I get a lot more results including modern cyphers like:

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A

| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A

 

I have tried a few solutions that come up when searching for this issue, such as converting the keystore between PKCS12 and JKS, adding a "ciphers" parameter to the HTTPS connector and adding a keystoreType parameter to the connector. But none of them help.

Answer
Watch
Like Be the first to like this
1422 views

1 answer

0 votes
Kurt Klinner
Kurt Klinner
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
May 18, 2020

@Athman Boukhaoua 

 

Hi Peter

welcome to the Atlassian community.

So i would assume you are reusing the cert that you had in place for confluence 6.6. - right?

Could you by chance share your ssl config.

 

https://confluence.atlassian.com/kb/security-tools-report-the-default-ssl-ciphers-are-too-weak-755140945.html?_ga=2.64455471.1662637765.1589745316-2005217296.1589745316  has some information around the ciphers, might be helpful

 

Cheers

Kurt

View More Comments
Athman Boukhaoua
Athman Boukhaoua May 19, 2020

Yes, we use the same cert that we used for Confluence 6.6.0. My SSL connector currently is this:

<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" SSLEnabled="true"
URIEncoding="UTF-8" keystorePass="a" keystoreFile="C:\ProgramData\jkskeystore" useCipherSuitesOrder="true"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
TLS_SRP_SHA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
TLS_SRP_SHA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" />

I have since restored 6.6.0 to a different server and have checked the offered cyphers with nmap and additionally to the six I get with 7.4.0 I get these three too:

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A

| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A

When I check the connection settings in Firefox I see that it chooses the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cypher on Confluence 6.6.0

I have tried adding the "ciphers" value in the linked article but that didn't change anything.

I'm currently trying another install with Confluence 6.15.10 to see if that works better and if it's an issue with version 7 in general.

Like
Athman Boukhaoua
Athman Boukhaoua May 19, 2020

Ok, 6.15.10 has the same issue.

Like
Athman Boukhaoua
Athman Boukhaoua May 19, 2020

I checked some more versions. In 6.6.17 this still works. Ironically, it exposes even more cyphers than 6.6.0

|   TLSv1.2:

|     ciphers:

|       TLS_DHE_DSS_WITH_AES_128_CBC_SHA (dh 1024) - A

|       TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (dh 1024) - A

|       TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (dh 1024) - A

|       TLS_DHE_DSS_WITH_AES_256_CBC_SHA (dh 1024) - A

|       TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (dh 1024) - A

|       TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (dh 1024) - A

|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A

|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A

|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A

|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A

|      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A

|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A

|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A

|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A

|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A

|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A

|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A

|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A

 

But in 6.13.0 it doesn't work anymore, then I only get the six insecure cyphers.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Notice at Collection Terms Security