The sslEnabledProtocols and sslProtocols attributes in Confluence's server.xml are set to TLSv1,TLSv1.1,TLSv1.2. Is there any way to set them to just TLSv1 or TLSv1.1? I'm asking because our LTM apparently does not support TLSv1.2.
Usually it's easier to do your SSL termination at the reverse proxy / balancer level than it is at Tomcat itself. Would it present any security issues in your environment to just run HTTP on Confluence itself and have your LTM do the termination?
Aside from that, I'm wondering if you might be looking at a problem with supported ciphers instead of with specific TLS versions. The endpoints (your LTM and Tomcat) should negotiate a mutually supported protocol. Even if TLS 1.2 is enabled, with TLS1.1 and 1.0 enabled by default, your LTM should just choose TLS1.1 if it doesn't support 1.2. It shouldn't require you to disable 1.2 at Tomcat.
We have to implement SSL on our side as well as the balancer. The site is configured two different ways -- one inside our network, another way outside our network.
The network team is doing SSL termination at the balancer. The problem is that -- according to what they told me -- configuring it breaks the connection to Tomcat, and they claim that the break occurs because the SCHANNEL configuration (SSL library) on the target server requires higher strength (more secure) cipher suites and TLS versions than what their balancer currently supports.
Anyway, I just got a response back from the team confirming what you just wrote about the ciphers. They also still recommend disabling tls1.2.
Hmm, I call shenanigans on disabling TLS1.2, sounds like they just have a crappy LTM!
We are in a similar situation (something not supporting modern ciphers, in our case Cisco WAAS) at our organization. What I ended up doing was fronting Confluence with nginx as a reverse proxy and handling all the ciphers there. I published all my nginx configuration in this repo that you can take a peek at.
Not in the repo is the specific (non-modern) cipher set we had to enable for Cisco hardware... I expect you might need something similar to this:
# Protocol and Cipher configuration
### !!!! Note that TLSv1 and AES256-SHA are enabled !!!! This is not best-practice, and is only there because of Cisco WAAS / inter-office WAN Acceleration
### If you are reading this message, please follow up with Networking to see if TLSv1 and AES256-SHA can be removed
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
It is possible to change the cipher set in Tomcat in your server.xml file, you'll just need to add a ciphers=" " option in the section where SSL is set up. Your network folks will need to tell you what ciphers they support so you can enable one that hopefully doesn't weaken your security too much. Here's an example of setting ciphers in Tomcat: https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html
Hi my Community friends! For those who don't know me, I'm a product marketer on the Confluence Cloud team - nice to meet you! For those of you who do, you know that I've been all up in your Co...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs