Use Specific TLS Settings in Confluence

The sslEnabledProtocols and sslProtocols attributes in Confluence's server.xml are set to TLSv1,TLSv1.1,TLSv1.2. Is there any way to set them to just TLSv1 or TLSv1.1? I'm asking because our LTM apparently does not support TLSv1.2.

1 answer

Hi Craig,

Usually it's easier to do your SSL termination at the reverse proxy / balancer level than it is at Tomcat itself. Would it present any security issues in your environment to just run HTTP on Confluence itself and have your LTM do the termination?

Aside from that, I'm wondering if you might be looking at a problem with supported ciphers instead of with specific TLS versions. The endpoints (your LTM and Tomcat) should negotiate a mutually supported protocol. Even if TLS 1.2 is enabled, with TLS1.1 and 1.0 enabled by default, your LTM should just choose TLS1.1 if it doesn't support 1.2. It shouldn't require you to disable 1.2 at Tomcat.

We have to implement SSL on our side as well as on the balancer. The site is configured in two different ways: one way inside our network, another way outside our network.

The network team is doing SSL termination at the balancer. The problem is that, according to what they told me, configuring it breaks the connection to Tomcat, and they claim that the break occurs because the SCHANNEL configuration (SSL library) on the target server requires higher-strength (more secure) cipher suites and TLS versions than what their balancer currently supports.

Anyway, I just got a response back from the team confirming what you just wrote about the ciphers. They also still recommend disabling TLS 1.2.

Hmm, I call shenanigans on disabling TLS1.2, sounds like they just have a crappy LTM!

We are in a similar situation (something not supporting modern ciphers, in our case Cisco WAAS) at our organization. What I ended up doing was fronting Confluence with nginx as a reverse proxy and handling all the ciphers there. I published all my nginx configuration in this repo that you can take a peek at.

Not in the repo is the specific (non-modern) cipher set we had to enable for Cisco hardware... I expect you might need something similar to this:

# Protocol and Cipher configuration
### !!!! Note that TLSv1 and AES256-SHA are enabled !!!! This is not best-practice, and is only there because of Cisco WAAS / inter-office WAN Acceleration
### If you are reading this message, please follow up with Networking to see if TLSv1 and AES256-SHA can be removed
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;

It is possible to change the cipher set in Tomcat in your server.xml file; you'll just need to add a ciphers=" " option in the section where SSL is set up. Your network folks will need to tell you what ciphers they support so you can enable one that hopefully doesn't weaken your security too much. Here's an example of setting ciphers in Tomcat: https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html
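As an added diagnostic that is not part of the original thread, the following standard-library Python script pins a client handshake to one TLS version at a time and reports what the Tomcat connector (or the balancer in front of it) actually negotiates, which is the quickest way to tell a protocol-version problem from a cipher-suite problem before editing sslEnabledProtocols or adding a ciphers attribute in server.xml. The host and port are command-line arguments; nothing else is assumed.

```python
import socket
import ssl
import sys

# Oldest first. Modern OpenSSL refuses TLSv1/TLSv1.1 at its default security
# level, so probe() lowers the client context to SECLEVEL=0 before pinning.
VERSIONS = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
]

def probe(host, port, version, timeout=5.0):
    """Handshake pinned to one TLS version; return (ok, 'proto/cipher' or error).
    Certificate checks are off: the question is what the server negotiates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, f"{tls.version()}/{tls.cipher()[0]}"
    except (ssl.SSLError, OSError, ValueError) as exc:
        return False, str(exc)

def diagnose(results):
    """Reduce {name: (ok, detail)} to (highest version that worked, [failed]).
    A balancer without TLS 1.2 should still succeed at 1.1 while 1.2 stays
    enabled on Tomcat; a failure at every version points at the cipher list."""
    highest, failed = None, []
    for name, _ in VERSIONS:
        ok, _detail = results.get(name, (False, "not probed"))
        if ok:
            highest = name
        else:
            failed.append(name)
    return highest, failed

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results = {name: probe(host, port, ver) for name, ver in VERSIONS}
    for name, (ok, detail) in results.items():
        print(f"{name:8} {'ok  ' if ok else 'FAIL'} {detail}")
    print("highest negotiated / failed:", diagnose(results))
```

Run it once against the Tomcat port and once against the balancer's VIP; if 1.1 succeeds while 1.2 is still enabled on Tomcat, disabling 1.2 is not what the balancer needs.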
