LDAP sync issues after upgrading from Confluence due to an SSL handshake error related to TLS protocol versions.

Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.


Summary

After upgrading Confluence, LDAP sync failed due to the server attempting to use TLS 1.0, which is not supported by the newer Confluence version. Initial attempts to resolve the issue by modifying the `setenv.sh` file to accept TLSv1 were not successful.

Environment

Confluence 8.5.3+

Diagnosis

The following errors appear in the Security.log:

2024-01-26 14:03:36,343 ERROR [Caesium-1-3] [atlassian.crowd.directory.DbCachingDirectoryPoller] pollChanges Error occurred while refreshing the cache for directory [ 753665 ].
com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.CommunicationException: <LDAP ADDRESS>.local:636; nested exception is javax.naming.CommunicationException: <LDAP ADDRESS>.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]]

Caused by: javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]

The issue persists even when the Java option to accept TLSv1 is visibly being passed at startup.

Cause

Further investigation revealed that the Java 17 security settings disable TLSv1 by default, as described in the article TLSv1 and TLSv1.1 Disabled by Default in Java after April 2021.

Solution

The issue was resolved by modifying the `java.security` file to enable TLSv1 support.

  1. Stop Confluence
  2. Open the file $CONFLUENCE_INSTALL/jre/conf/security/java.security in a text editor
    • Make a copy of it as a backup
  3. Find the following section in that file:

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
        DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
  4. Remove the `TLSv1, TLSv1.1` entries from that list
  5. Save the file
  6. Start Confluence
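The edit in steps 2 to 4 can be scripted so that the backup is always taken, continuation lines in `java.security` are handled, and only whole tokens are removed (so `TLSv1` is never confused with `TLSv1.2`). This is an added example, not Atlassian's code; it assumes Python 3.9+ and that the path passed to `patch_file` is the `java.security` file from step 2.

```python
import re
import shutil
from pathlib import Path

KEY = "jdk.tls.disabledAlgorithms"
# Matches the property plus any backslash-continued lines that follow it
# (the default file wraps the value over two lines, as shown in step 3).
PROP_RE = re.compile(
    r"^(?P<indent>[ \t]*)" + re.escape(KEY) + r"=(?P<value>(?:[^\n]*\\\n)*[^\n]*)$",
    re.MULTILINE,
)

def parse_entries(value: str) -> list[str]:
    """Join continuation lines and split the comma-separated value into tokens."""
    joined = re.sub(r"\\\r?\n", " ", value)
    return [e.strip() for e in joined.split(",") if e.strip()]

def disabled_tls_versions(text: str) -> list[str]:
    """Which TLS protocol versions the file currently disables (verification step)."""
    m = PROP_RE.search(text)
    if m is None:
        return []
    return [e for e in parse_entries(m.group("value")) if e.startswith("TLSv")]

def rewrite_disabled_algorithms(text: str, to_remove=("TLSv1", "TLSv1.1")) -> str:
    """Return text with the given entries dropped from jdk.tls.disabledAlgorithms.
    Tokens are compared whole, so removing 'TLSv1' never touches 'TLSv1.2'."""
    m = PROP_RE.search(text)
    if m is None:
        raise ValueError(f"{KEY} not found; is this a java.security file?")
    kept = [e for e in parse_entries(m.group("value")) if e not in set(to_remove)]
    new_line = f"{m.group('indent')}{KEY}={', '.join(kept)}"
    return text[:m.start()] + new_line + text[m.end():]

def patch_file(path: Path) -> list[str]:
    """Back the file up (step 2), rewrite it, and return what is still disabled."""
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    original = path.read_text(encoding="utf-8")
    path.write_text(rewrite_disabled_algorithms(original), encoding="utf-8")
    return disabled_tls_versions(path.read_text(encoding="utf-8"))

# Constructed sample mirroring the default entry quoted in step 3.
SAMPLE = """# Example java.security excerpt (constructed)
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.tls.legacyAlgorithms=NULL, anon, RC4, DES, 3DES_EDE_CBC
"""

if __name__ == "__main__":
    print(rewrite_disabled_algorithms(SAMPLE))
```

Note that `jdk.tls.disabledAlgorithms` applies to every TLS connection the JVM makes, not just LDAP, so this re-enables the deprecated TLSv1 and TLSv1.1 for all of Confluence's outbound connections; treat it as a stopgap until the directory server can negotiate TLS 1.2 or later.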
Last modified on Aug 30, 2024
