
Use Specific TLS Settings in Confluence

Craig Moran August 31, 2017

The sslEnabledProtocols and sslProtocols attributes in Confluence's server.xml are set to TLSv1,TLSv1.1,TLSv1.2.  Is there any way to set them to just TLSv1 or TLSv1.1?  I'm asking because our LTM apparently does not support TLSv1.2.

1 answer

1 vote
Daniel Eads _unmonitored account_
Rising Star
August 31, 2017

Hi Craig,

Usually it's easier to do your SSL termination at the reverse proxy / balancer level than it is at Tomcat itself. Would it present any security issues in your environment to just run HTTP on Confluence itself and have your LTM do the termination?

Aside from that, I'm wondering if you might be looking at a problem with supported ciphers instead of with specific TLS versions. The endpoints (your LTM and Tomcat) should negotiate a mutually supported protocol. Even if TLS 1.2 is enabled, with TLS1.1 and 1.0 enabled by default, your LTM should just choose TLS1.1 if it doesn't support 1.2. It shouldn't require you to disable 1.2 at Tomcat.

Craig Moran August 31, 2017

We have to implement SSL on our side as well as the balancer.  The site is configured two different ways -- one inside our network, another way outside our network.  

The network team is doing SSL termination at the balancer.  The problem is that -- according to what they told me -- configuring it breaks the connection to Tomcat, and they claim that the break occurs because the SCHANNEL configuration (SSL library) on the target server requires higher strength (more secure) cipher suites and TLS versions than what their balancer currently supports.

Anyway, I just got a response back from the team confirming what you just wrote about the ciphers.  They also still recommend disabling tls1.2.  

Daniel Eads _unmonitored account_
August 31, 2017

Hmm, I call shenanigans on disabling TLS1.2, sounds like they just have a crappy LTM!

We are in a similar situation (something not supporting modern ciphers, in our case Cisco WAAS) at our organization. What I ended up doing was fronting Confluence with nginx as a reverse proxy and handling all the ciphers there. I published all my nginx configuration in this repo that you can take a peek at.

Not in the repo is the specific (non-modern) cipher set we had to enable for Cisco hardware... I expect you might need something similar to this:

# Protocol and Cipher configuration
### !!!! Note that TLSv1 and AES256-SHA are enabled !!!! This is not best-practice, and is only there because of Cisco WAAS / inter-office WAN Acceleration
### If you are reading this message, please follow up with Networking to see if TLSv1 and AES256-SHA can be removed
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;

It is possible to change the cipher set in Tomcat in your server.xml file, you'll just need to add a ciphers=" " option in the section where SSL is set up. Your network folks will need to tell you what ciphers they support so you can enable one that hopefully doesn't weaken your security too much. Here's an example of setting ciphers in Tomcat: https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html
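The two points made in this thread, that the endpoints negotiate a mutually supported protocol and that the real constraint is usually the cipher list rather than the TLS version, can be checked instead of argued about. The script below is an added example, not code from the thread, from Atlassian, nginx or Tomcat. It parses the two places being edited here (nginx `ssl_protocols` / `ssl_ciphers` and the Tomcat `<Connector>` attributes `sslEnabledProtocols` / `ciphers`), reports which enabled protocol versions are deprecated and which enabled suites lack forward secrecy (the `AES256-SHA` case flagged in the nginx comments above), and includes a live probe that shows what version a server you run actually negotiates when the client is pinned to one version. The sample configs are constructed; the Tomcat attribute names are real Tomcat 8.0-style JSSE connector attributes, the keystore values are placeholders.

```python
"""Audit TLS protocol and cipher settings of the kind discussed in this thread.

Added example, not code from the thread, Atlassian, nginx or Tomcat. It parses
nginx ssl_* directives and Tomcat <Connector> attributes, flags deprecated
protocol versions and suites without forward secrecy, and can probe a live
server to show which version it negotiates for a client pinned to one version.
"""
import re
import socket
import ssl
import sys
import xml.etree.ElementTree as ET

# TLS 1.0 and 1.1 are deprecated by RFC 8996; SSLv2/SSLv3 long before that.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample, modelled on the nginx fragment posted in the thread.
SAMPLE_NGINX = """\
# Protocol and Cipher configuration (constructed sample)
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:kEDH+AESGCM:AES256-SHA:!aNULL:!RC4';
ssl_prefer_server_ciphers on;
"""

# Constructed sample of a Tomcat 8.0-style JSSE connector: the attribute names
# are real Tomcat attributes, the keystore values are placeholders.
SAMPLE_TOMCAT = """\
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" scheme="https" secure="true"
    sslEnabledProtocols="TLSv1.1,TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
    keystoreFile="conf/keystore.jks" keystorePass="CHANGE_ME"/>
"""


def has_forward_secrecy(name):
    """True for ephemeral (EC)DH key exchange, in OpenSSL or JSSE naming."""
    return bool(re.match(r"^(TLS_)?(EC)?DHE[-_]|^kE(EC)?DH", name))


def parse_cipher_string(spec):
    """Split an OpenSSL (':') or JSSE (',') cipher list into (enabled, excluded)."""
    enabled, excluded = [], []
    for token in re.split(r"[:,]", spec.strip().strip("'\"")):
        token = token.strip()
        if token.startswith("!"):
            excluded.append(token[1:])
        elif token:
            enabled.append(token)
    return enabled, excluded


def parse_nginx(text):
    """Extract ssl_protocols and ssl_ciphers from an nginx config fragment."""
    protocols, ciphers = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")
        if line.startswith("ssl_protocols "):
            protocols = line.split()[1:]
        elif line.startswith("ssl_ciphers "):
            ciphers = line.split(None, 1)[1]
    return protocols, ciphers


def parse_tomcat(xml_text):
    """Extract sslEnabledProtocols and ciphers from a Tomcat <Connector> element."""
    root = ET.fromstring(xml_text)
    conn = root if root.tag == "Connector" else root.find(".//Connector")
    protocols = [p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()]
    return protocols, conn.get("ciphers", "")


def audit(protocols, cipher_spec):
    """Flag deprecated protocol versions and enabled suites without forward secrecy."""
    enabled, excluded = parse_cipher_string(cipher_spec)
    return {
        "deprecated_protocols": [p for p in protocols if p in DEPRECATED_PROTOCOLS],
        "no_forward_secrecy": [c for c in enabled if not has_forward_secrecy(c)],
        "excluded": excluded,
    }


def negotiated_version(host, port, minimum, maximum, timeout=5.0):
    """TLS version the server negotiates with a client restricted to [minimum, maximum],
    or None if no handshake succeeds. Certificate verification is off because this
    probes protocol support on a server you operate, not trust in its certificate."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version, ctx.maximum_version = minimum, maximum
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ValueError):  # ssl.SSLError is an OSError subclass
        return None


if __name__ == "__main__":
    print("nginx :", audit(*parse_nginx(SAMPLE_NGINX)))
    print("tomcat:", audit(*parse_tomcat(SAMPLE_TOMCAT)))
    if len(sys.argv) == 3:  # usage: script.py <host> <port> probes a live server
        host, port = sys.argv[1], int(sys.argv[2])
        for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
            print(f"client pinned to {v.name}: negotiated {negotiated_version(host, port, v, v)}")
```

Run it with no arguments to audit the embedded samples, or with `host port` to see, per version, whether the server completes a handshake at all; on a modern OpenSSL build the TLS 1.0 probe may simply return `None` because the client library refuses it, which is itself a useful data point when a network team asks for it to be re-enabled. Pointing the probe at both the balancer and Tomcat directly shows whether a version mismatch or a cipher mismatch is the actual cause, which is the distinction made in the answer above.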
