When confluence uses ssl/https with TLS v1.2 protocol invoke-method fails

[darksidemilk]

Per atlassian's recommendation in the most recent update I changed my tomcat server.xml settings to only allow the TLS v 1.2 protocol. Now the ConfluencePS module (as well as other manual powershell methods of invoke-webrequest or invoke-restmethod) errors out.

Expected Behavior

The normal behavior of getting or setting anything is expected

Current Behavior

Running any command with -verbose outputs an error such as the following. This example is accessing the api of an add-on but it is a working rest call that uses the same authentication and base methods

 invoke-confluencemethod -URi "$BaseURI/rest/scaffolding/1.0/api/form/meta/189038670" -Method Get -verbose
VERBOSE: [Invoke-ConfluenceMethod] Function started
VERBOSE: [Invoke-ConfluenceMethod] Invoking method Get to URI https://kb.arrowheaddental.com/rest/scaffolding/1.0/api/form/meta/189038670
VERBOSE: [Invoke-ConfluenceMethod] Invoke-WebRequest with:

ErrorAction     : Stop
Headers         : {Accept-Charset, Accept}
ContentType     : application/json; charset=utf-8
Credential      : System.Management.Automation.PSCredential
Method          : Get
Uri             : https://kb.arrowheaddental.com/rest/scaffolding/1.0/api/form/meta/189038670
UseBasicParsing : True
Verbose         : False



VERBOSE: [Invoke-ConfluenceMethod] Failed to get an answer from the server
VERBOSE: [Invoke-ConfluenceMethod] No Web result object was returned from. This is unusual!
VERBOSE: [Invoke-ConfluenceMethod] Function ended

Possible Solution

This was also an issue in JiraPS, the manual solution I implented to fix there was given to me from @lipkau via slack, here's that conversation:

ok... first off:
in line 48 of Invoke-JiraMethod.ps1, please add a new line so it looks like this:

foreach ($item in $Headers.Key) { $_headers[$item] = $Headers[$item] }
Set-TlsLevel -Tls12

and in line 185 to look like this:

Set-TlsLevel -Revert
Write-Verbose "[$($MyInvocation.MyCommand.Name)] Function ended"

JJ Fullmer [10:31 AM]
okee dokee
lipkau [10:32 AM]
second:
re-import the module with -Force (or remove-module JiraPS; Import-Module JiraPS <--- prefered) (edited)
and now lets debug the server answer
run get-jiraproject -debug and press enter twice
you should now see the msg

DEBUG: [Test-ServerResponse] Investigating $InputObject.Headers['X-Seraph-LoginReason']
DEBUG: [Invoke-JiraMethod] Executed WebRequest. Access $webResponse to see details

enter Suspend mode (s if Powershell is in english)
and run
$webresponse

Steps to Reproduce (for bugs)

1. Set confluence server.xml https settings to only use TLSv1.2
   • i.e. follow the example of the unproxied https connector from the default server.xml

       <Connector port="8443" maxHttpHeaderSize="8192"
                  maxThreads="150" minSpareThreads="25"
                  protocol="org.apache.coyote.http11.Http11NioProtocol"
                  enableLookups="false" disableUploadTimeout="true"
                  acceptCount="100" scheme="https" secure="true"
                  clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" SSLEnabled="true"
                  URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>
   

2. Attempt to access the api via the confluencePS module
3. Watch nothing happen
4. Add -verbose to function calls to see error message

Context

I can't use the confluence ps module to run api commands at all. Wad about to start trying it out for easier creation of pages.

Your Environment

Get-Module ConfluencePS -ListAvailable | select version
$PSVersionTable

Get-Module ConfluencePS -ListAvailable | select version

Version
-------
2.3.6

$PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.16299.492
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.16299.492
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

[brianbunke]

Related issue Jira #283 👍

[darksidemilk]

I think I have a workaround for anyone else effected.
Simply allow tls 1.1 on confluence again. I have a direct https connector. I changed these 2 properties in my server xml

sslProtocol="TLS"
sslEnabledProtocols="TLSv1.1,TLSv1.2"

(edited)

The confluenceps module appears to be working as it should again
The example for the direct https connector in the default server.xml for confluence still has TLSv1.2 as the only option for both those properties, which is what I had it set as, and is probably a good way to do it since tls 1.0 and 1.1 will be phases out in early 2020 according to wikipedia anyway.
So getting the module to use tls 1.2 as a default is still a desired feature but I now have a workaround