SSL cipher problems with browsers

Hi,

we have a Confluence server running on Windows Server 2012 R2 with Tomcat.

We want to secure our server with https. Because the port 443 is already used on our IP and firewall, we decided to use port 8091. HTTP is on port 8090 and works just fine btw.

For that we added a SSL wildcard certificate to a custom keystore.
Then we add a HTTPS connector to server.xml.
After that we changed the base url to https://doku.bios-tec.de:8091

But then we have problems accessing confluence via HTTPS. We get the following error message in several browsers:  ERR_SSL_VERSION_OR_CIPHER_MISMATCH

 

We have found some KB and forum threads online and update some cipher parameters to the configuration. see: https://confluence.atlassian.com/kb/security-tools-report-the-default-ssl-ciphers-are-too-weak-755140945.html

 

here an example of our connector section:

 

<Connector port="8091" maxhttpheadersize="8192" enablelookups="false" disableuploadtimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" SSLEnabled="true" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" keystoreFile="ourKeystoreFile" keystorePass="******"/>;

 

How can we get our Confluence server running with the SSL/TLS ciphers that are compatible with browsers like Chrome, Firefox and so on?

2 answers

1 vote

I don't know if this would solve the error, but in general when using HTTPS it would benefit you in terns of performance to put a proxy in front of Confluence. On WinServer you could use IIS and let that web server handle the SSL handshake.

https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-microsoft-internet-information-services-iis-833931378.html

I agree with Josh here. I do not understand why so many people struggle with tomcat and SSL when its just to put a proxy in front. 

If it helps: (This gives compatibility, and A+ rating)


SSLProtocol all -SSLv2 -SSLv3


SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

0 vote

FYI, by default Confluence 6+ uses port 8091 for Synchrony. So you may want to consider a different port.

Suggest an answer

Log in or Sign up to answer
How to earn badges on the Atlassian Community

How to earn badges on the Atlassian Community

Badges are a great way to show off community activity, whether you’re a newbie or a Champion.

Learn more
Community showcase
Published yesterday in Confluence

Three common content challenges + how to manage them

An efficient enterprise content management system, or ECM, is a must-have for companies that create work online (cough   cough, all companies). If content calendars, marketing plans, and bu...

37 views 0 4
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you