Use Specific TLS Settings in Confluence

The sslEnabledProtocols and sslProtocols attributes in Confluence's server.xml are set to TLSv1,TLSv1.1,TLSv1.2. Is there any way to set them to just TLSv1 or TLSv1.1? I'm asking because our LTM apparently does not support TLSv1.2.

1 answer

1 vote
Daniel Eads Community Champion Aug 31, 2017

Hi Craig,

Usually it's easier to do your SSL termination at the reverse proxy / balancer level than it is at Tomcat itself. Would it present any security issues in your environment to just run HTTP on Confluence itself and have your LTM do the termination?

Aside from that, I'm wondering if you might be looking at a problem with supported ciphers instead of with specific TLS versions. The endpoints (your LTM and Tomcat) should negotiate a mutually supported protocol. Even if TLS 1.2 is enabled, with TLS1.1 and 1.0 enabled by default, your LTM should just choose TLS1.1 if it doesn't support 1.2. It shouldn't require you to disable 1.2 at Tomcat.

We have to implement SSL on our side as well as the balancer.  The site is configured two different ways -- one inside our network, another way outside our network.  

The network team is doing SSL termination at the balancer.  The problem is that -- according to what they told me -- configuring it breaks the connection to Tomcat, and they claim that the break occurs because the SCHANNEL configuration (SSL library) on the target server requires higher strength (more secure) cipher suites and TLS versions than what their balancer currently supports.

Anyway, I just got a response back from the team confirming what you just wrote about the ciphers.  They also still recommend disabling tls1.2.  

Daniel Eads Community Champion Aug 31, 2017

Hmm, I call shenanigans on disabling TLS1.2, sounds like they just have a crappy LTM!

We are in a similar situation (something not supporting modern ciphers, in our case Cisco WAAS) at our organization. What I ended up doing was fronting Confluence with nginx as a reverse proxy and handling all the ciphers there. I published all my nginx configuration in this repo that you can take a peek at.

Not in the repo is the specific (non-modern) cipher set we had to enable for Cisco hardware... I expect you might need something similar to this:

# Protocol and Cipher configuration
### !!!! Note that TLSv1 and AES256-SHA are enabled !!!! This is not best-practice, and is only there because of Cisco WAAS / inter-office WAN Acceleration
### If you are reading this message, please follow up with Networking to see if TLSv1 and AES256-SHA can be removed
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

It is possible to change the cipher set in Tomcat in your server.xml file, you'll just need to add a ciphers=" " option in the section where SSL is set up. Your network folks will need to tell you what ciphers they support so you can enable one that hopefully doesn't weaken your security too much. Here's an example of setting ciphers in Tomcat:

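The example below is added here and is not code from the thread or from the repo linked above. It covers the two practical questions in the answers: what version a balancer and Tomcat will actually settle on given what each side enables (Daniel's point that leaving TLS 1.2 on does not stop a TLS 1.1-only LTM from connecting), and what a cipher spec string of the kind you would put in Tomcat's ciphers="..." or nginx's ssl_ciphers expands to on a given OpenSSL build. The host and port in the usage section are placeholders; the probe needs network access and is not exercised by the checks.

```python
"""TLS negotiation and cipher-spec checks for a reverse proxy / Tomcat pair.
Added example for this thread, not code from the original post."""
import socket
import ssl

# Protocol versions in order, low to high. TLS 1.3 is included so the probe
# works against current servers; the thread itself predates it.
VERSIONS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
TLS_VERSION = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def highest_common_version(server_enabled, client_supported):
    """Version a conforming pair negotiates: the highest one both sides
    enable. None means no overlap, i.e. the handshake fails outright.
    A server that still enables TLS 1.2 does not stop a 1.1-only client
    from connecting; only the overlap matters."""
    common = set(server_enabled) & set(client_supported)
    for version in reversed(VERSIONS):
        if version in common:
            return version
    return None


def expand_cipher_spec(spec, version=None):
    """Expand an OpenSSL-syntax cipher spec into the concrete suite names
    this machine's OpenSSL would offer, optionally restricted to one
    protocol. Raises ssl.SSLError if the spec matches nothing. Note that
    OpenSSL reports the lowest protocol a suite works with, so the old
    RSA/CBC suites such as AES256-SHA are tagged "SSLv3", not "TLSv1"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if version is None or c["protocol"] == version
    ]


def probe(host, port=443, version=None, ciphers=None, timeout=5.0):
    """Handshake with host:port pinned to one protocol version and/or one
    cipher spec and report what was negotiated. Returns (version, cipher)
    on success or (None, error_text) when the server refuses it.
    Certificate checks are disabled on purpose: this is a handshake probe,
    not a trust check. Current OpenSSL refuses TLS 1.0/1.1 at its default
    security level; pass ciphers="DEFAULT:@SECLEVEL=0" to test them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if version is not None:
        ctx.minimum_version = ctx.maximum_version = TLS_VERSION[version]
    if ciphers is not None:
        ctx.set_ciphers(ciphers)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError) as exc:
        return None, str(exc)


def survey(host, port=443, ciphers=None):
    """Try every version in turn: shows which versions the endpoint accepts
    and which cipher it picks for each, the fastest way to tell a version
    problem from a cipher problem."""
    return {v: probe(host, port, version=v, ciphers=ciphers) for v in VERSIONS}


if __name__ == "__main__":
    # Same inputs as the thread: Tomcat with TLSv1,TLSv1.1,TLSv1.2 enabled
    # and a balancer that only speaks up to TLS 1.1. They agree on TLS 1.1.
    print(highest_common_version(["TLSv1", "TLSv1.1", "TLSv1.2"],
                                 ["TLSv1", "TLSv1.1"]))
    # What the legacy suite named in the nginx comment expands to here.
    print(expand_cipher_spec("AES256-SHA"))
    # Placeholder host; replace with the Confluence or balancer address.
    for v, result in survey("confluence.example.com", 8443).items():
        print(v, result)
```

Run survey() against both the balancer's VIP and Tomcat directly: if every version row for Tomcat comes back with (None, ...) until you pass the balancer's cipher list as ciphers=, the problem is the cipher set, not the protocol version, and disabling TLS 1.2 in server.xml will not fix it.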