LDAP sync issues after upgrading Confluence due to an SSL handshake error related to TLS protocol versions
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
After upgrading Confluence, LDAP sync failed because the LDAP server selected TLS 1.0, which the newer Confluence version does not support. Initial attempts to resolve the issue by modifying the `setenv.sh` file to accept TLSv1 were not successful.
Environment
Confluence 8.5.3+
Diagnosis
The following errors are seen in the Security.log:
2024-01-26 14:03:36,343 ERROR [Caesium-1-3] [atlassian.crowd.directory.DbCachingDirectoryPoller] pollChanges Error occurred while refreshing the cache for directory [ 753665 ].
com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.CommunicationException: <LDAP ADDRESS>.local:636; nested exception is javax.naming.CommunicationException: <LDAP ADDRESS>.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]]
Caused by: javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]
The issue persists even when the Java option to accept TLSv1 is confirmed to be passed at startup, because a protocol listed in `jdk.tls.disabledAlgorithms` in `java.security` stays disabled regardless of which protocols a JVM option enables.
Cause
Further investigation revealed that the Java 17 runtime disables TLSv1 and TLSv1.1 by default, as described in the article TLSv1 and TLSv1.1 Disabled by Default in Java after April 2021.
Solution
The issue was resolved by modifying the `java.security` file to enable TLSv1 support. Note that this re-enables protocol versions that Java disabled for known weaknesses; treat it as a temporary measure, and plan to enable TLS 1.2 or later on the LDAP server so the Java defaults can be restored.
Stop Confluence
Open the file $CONFLUENCE_INSTALL/jre/conf/security/java.security in a text editor
Make a copy of it as a backup
Find the following section in that file:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
Remove the TLSv1 and TLSv1.1 entries from that list, leaving the remaining entries (and the trailing backslash that continues the line) intact
Save the file
Start Confluence
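The steps above carried out as a script, as an added example that is not part of the Atlassian article: it backs up `java.security`, joins the backslash-continued `jdk.tls.disabledAlgorithms` entry into one logical line, drops only the TLSv1 and TLSv1.1 tokens, and leaves every other property untouched. The `make_sample` function writes a constructed excerpt of `java.security` so the script can be tried offline; in real use you would pass `$CONFLUENCE_INSTALL/jre/conf/security/java.security` (with Confluence stopped) instead.

```shell
#!/bin/sh
# Added example, not Atlassian's code. Removes TLSv1 and TLSv1.1 from
# jdk.tls.disabledAlgorithms in a java.security file, keeping a .bak copy.

enable_legacy_tls() {
  file="$1"
  cp "$file" "$file.bak" || return 1
  awk '
    # Only the jdk.tls.disabledAlgorithms property is rewritten; all other
    # lines, including their own backslash continuations, are printed as-is.
    {
      if (!intarget && $0 ~ /^jdk\.tls\.disabledAlgorithms=/) { intarget = 1; buf = "" }
      if (intarget) {
        l = $0
        # Accumulate continuation lines (trailing backslash) into one logical line.
        if (l ~ /\\$/) { buf = buf substr(l, 1, length(l) - 1); next }
        buf = buf l
        v = substr(buf, index(buf, "=") + 1)
        n = split(v, toks, ",")
        out = ""
        for (i = 1; i <= n; i++) {
          t = toks[i]
          gsub(/^[ \t]+|[ \t]+$/, "", t)          # trim each comma-separated token
          if (t == "TLSv1" || t == "TLSv1.1") continue
          out = (out == "" ? t : out ", " t)
        }
        print "jdk.tls.disabledAlgorithms=" out
        intarget = 0
        next
      }
      print
    }
  ' "$file.bak" > "$file"
}

# Print the current value of jdk.tls.disabledAlgorithms (first physical line).
disabled_algorithms() {
  grep '^jdk\.tls\.disabledAlgorithms=' "$1" | sed 's/^[^=]*=//'
}

# Constructed excerpt of a Java 17 java.security file (not a full copy).
make_sample() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed sample excerpt of java.security
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024
EOF
  printf '%s\n' "$f"
}

# Demonstration on the constructed sample; replace with the real path in production.
sample=$(make_sample)
echo "before: $(disabled_algorithms "$sample.bak" 2>/dev/null || disabled_algorithms "$sample")"
enable_legacy_tls "$sample"
echo "after:  $(disabled_algorithms "$sample")"
```

After running it against the real file, restart Confluence and re-run the directory sync; the `SSLHandshakeException` in the log should no longer mention `TLS10` being rejected. Keep the `.bak` copy so the default list can be restored once the LDAP server supports TLS 1.2.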