• Improvement
    • Resolution: Won't Fix
    • Major
    • core
    • None
    • Debian wheezy amd64

      sslscan detects the following weak (<128 bits) ciphers (when using jetty/https):

      Supported Server Cipher(s):
      Accepted SSLv3 56 bits EDH-RSA-DES-CBC-SHA
      Accepted SSLv3 56 bits DES-CBC-SHA
      Accepted SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
      Accepted SSLv3 40 bits EXP-DES-CBC-SHA
      Accepted SSLv3 40 bits EXP-RC4-MD5
      Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
      Accepted TLSv1 56 bits DES-CBC-SHA
      Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
      Accepted TLSv1 40 bits EXP-DES-CBC-SHA
      Accepted TLSv1 40 bits EXP-RC4-MD5

      Some IT departments are rather strict and do not allow weak ciphers.

      An option in /etc/default/jenkins allowing one to set jetty's 'excludeCipherSuites' (or to disable all weak ciphers) would be great.

          [JENKINS-23925] SSL weak ciphers
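A check in the spirit of the request above, added here as an example (not code from this issue or from Jenkins): it parses the "Accepted" rows of the sslscan 1.8 output quoted in this issue and flags suites under the reporter's <128-bit rule, generalised to also catch export, RC4, single-DES, MD5 and NULL suites at any key length (for instance the 128-bit RC4-MD5 that the Java 7 run still accepts). The sample scan text is constructed from suite names that appear on this page.

```python
import re
from typing import List, Tuple

# Constructed sample in the sslscan 1.8 format quoted in this issue; the
# suites are taken from the reporter's and Daniel Beck's "Accepted" rows.
SAMPLE_SCAN = """\
  Supported Server Cipher(s):
    Rejected  N/A              SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
    Accepted  SSLv3  40 bits   EXP-RC4-MD5
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  0 bits    NULL-SHA
"""

# Only "Accepted" rows matter ("Rejected" rows carry an extra N/A column).
ACCEPTED_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")

def parse_accepted(scan_text: str) -> List[Tuple[str, int, str]]:
    """(protocol, key bits, OpenSSL suite name) for every accepted suite."""
    rows = []
    for line in scan_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3)))
    return rows

def weakness_reasons(bits: int, suite: str) -> List[str]:
    """The issue's <128-bit rule plus algorithm checks on the OpenSSL name."""
    parts = suite.split("-")
    reasons = []
    if "NULL" in parts:
        reasons.append("no encryption")
    if parts[0] == "EXP":
        reasons.append("export grade")
    if "RC4" in parts:
        reasons.append("RC4")
    if "DES" in parts and "CBC3" not in parts:  # single DES, not 3DES
        reasons.append("single DES")
    if parts[-1] == "MD5":
        reasons.append("MD5 MAC")
    if bits < 128:
        reasons.append(f"{bits}-bit key")
    return reasons

def weak_ciphers(scan_text: str) -> List[Tuple[str, int, str, List[str]]]:
    """Accepted suites failing any check, in scan order, with their reasons."""
    return [(p, b, s, r) for p, b, s in parse_accepted(scan_text)
            if (r := weakness_reasons(b, s))]
```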

          Daniel Beck added a comment -

          How can this be reproduced? I just tried with 1.574 and java -jar jenkins.war --httpsPort=8888, and sslscan reports:

          $ sslscan localhost:8888
                             _
                     ___ ___| |___  ___ __ _ _ __
                    / __/ __| / __|/ __/ _` | '_ \
                    \__ \__ \ \__ \ (_| (_| | | | |
                    |___/___/_|___/\___\__,_|_| |_|
          
                            Version 1.8.0
                       http://www.titania.co.uk
                  Copyright Ian Ventura-Whiting 2009
          
          Testing SSL server localhost on port 8888
          
            Supported Server Cipher(s):
              Rejected  N/A              SSLv2  168 bits  DES-CBC3-MD5
              Rejected  N/A              SSLv2  56 bits   DES-CBC-MD5
              Rejected  N/A              SSLv2  40 bits   EXP-RC2-CBC-MD5
              Rejected  N/A              SSLv2  128 bits  RC2-CBC-MD5
              Rejected  N/A              SSLv2  40 bits   EXP-RC4-MD5
              Rejected  N/A              SSLv2  128 bits  RC4-MD5
              Rejected  N/A              SSLv3  128 bits  ADH-SEED-SHA
              Rejected  N/A              SSLv3  128 bits  DHE-RSA-SEED-SHA
              Rejected  N/A              SSLv3  128 bits  DHE-DSS-SEED-SHA
              Rejected  N/A              SSLv3  128 bits  SEED-SHA
              Rejected  N/A              SSLv3  256 bits  ADH-AES256-SHA
              Rejected  N/A              SSLv3  256 bits  DHE-RSA-AES256-SHA
              Rejected  N/A              SSLv3  256 bits  DHE-DSS-AES256-SHA
              Rejected  N/A              SSLv3  256 bits  AES256-SHA
              Rejected  N/A              SSLv3  128 bits  ADH-AES128-SHA
              Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
              Rejected  N/A              SSLv3  128 bits  DHE-DSS-AES128-SHA
              Accepted  SSLv3  128 bits  AES128-SHA
              Rejected  N/A              SSLv3  168 bits  ADH-DES-CBC3-SHA
              Rejected  N/A              SSLv3  56 bits   ADH-DES-CBC-SHA
              Rejected  N/A              SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
              Rejected  N/A              SSLv3  128 bits  ADH-RC4-MD5
              Rejected  N/A              SSLv3  40 bits   EXP-ADH-RC4-MD5
              Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
              Rejected  N/A              SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
              Rejected  N/A              SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
              Rejected  N/A              SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
              Rejected  N/A              SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
              Rejected  N/A              SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
              Accepted  SSLv3  168 bits  DES-CBC3-SHA
              Rejected  N/A              SSLv3  56 bits   DES-CBC-SHA
              Rejected  N/A              SSLv3  40 bits   EXP-DES-CBC-SHA
              Rejected  N/A              SSLv3  40 bits   EXP-RC2-CBC-MD5
              Accepted  SSLv3  128 bits  RC4-SHA
              Accepted  SSLv3  128 bits  RC4-MD5
              Rejected  N/A              SSLv3  40 bits   EXP-RC4-MD5
              Rejected  N/A              SSLv3  0 bits    NULL-SHA
              Rejected  N/A              SSLv3  0 bits    NULL-MD5
              Rejected  N/A              TLSv1  128 bits  ADH-SEED-SHA
              Rejected  N/A              TLSv1  128 bits  DHE-RSA-SEED-SHA
              Rejected  N/A              TLSv1  128 bits  DHE-DSS-SEED-SHA
              Rejected  N/A              TLSv1  128 bits  SEED-SHA
              Rejected  N/A              TLSv1  256 bits  ADH-AES256-SHA
              Rejected  N/A              TLSv1  256 bits  DHE-RSA-AES256-SHA
              Rejected  N/A              TLSv1  256 bits  DHE-DSS-AES256-SHA
              Rejected  N/A              TLSv1  256 bits  AES256-SHA
              Rejected  N/A              TLSv1  128 bits  ADH-AES128-SHA
              Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
              Rejected  N/A              TLSv1  128 bits  DHE-DSS-AES128-SHA
              Accepted  TLSv1  128 bits  AES128-SHA
              Rejected  N/A              TLSv1  168 bits  ADH-DES-CBC3-SHA
              Rejected  N/A              TLSv1  56 bits   ADH-DES-CBC-SHA
              Rejected  N/A              TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
              Rejected  N/A              TLSv1  128 bits  ADH-RC4-MD5
              Rejected  N/A              TLSv1  40 bits   EXP-ADH-RC4-MD5
              Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
              Rejected  N/A              TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
              Rejected  N/A              TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
              Rejected  N/A              TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
              Rejected  N/A              TLSv1  56 bits   EDH-DSS-DES-CBC-SHA
              Rejected  N/A              TLSv1  40 bits   EXP-EDH-DSS-DES-CBC-SHA
              Accepted  TLSv1  168 bits  DES-CBC3-SHA
              Rejected  N/A              TLSv1  56 bits   DES-CBC-SHA
              Rejected  N/A              TLSv1  40 bits   EXP-DES-CBC-SHA
              Rejected  N/A              TLSv1  40 bits   EXP-RC2-CBC-MD5
              Accepted  TLSv1  128 bits  RC4-SHA
              Accepted  TLSv1  128 bits  RC4-MD5
              Rejected  N/A              TLSv1  40 bits   EXP-RC4-MD5
              Rejected  N/A              TLSv1  0 bits    NULL-SHA
              Rejected  N/A              TLSv1  0 bits    NULL-MD5
          
            Prefered Server Cipher(s):
              SSLv3  128 bits  DHE-RSA-AES128-SHA
              TLSv1  128 bits  DHE-RSA-AES128-SHA
          
            SSL Certificate:
              Version: 2
              Serial Number: 1658787448
              Signature Algorithm: sha1WithRSAEncryption
              Issuer: /C=Unknown/O=Unknown/OU=Unknown/CN=Test site
              Not valid before: Aug 22 03:04:14 2014 GMT
              Not valid after: Aug 19 03:04:14 2024 GMT
              Subject: /C=Unknown/O=Unknown/OU=Unknown/CN=Test site
              Public Key Algorithm: rsaEncryption
              RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:8c:4c:61:a4:a7:c5:7d:db:75:b5:4e:45:e5:70:
                    6d:9e:84:f3:f5:47:58:77:c3:ab:bb:8b:38:a1:87:
                    2d:76:f5:38:cb:37:dc:f8:a4:ea:ac:f2:0a:f9:e1:
                    1a:e3:72:f7:9c:15:99:58:0e:cf:21:a0:15:45:7d:
                    58:79:a0:87:5e:69:1c:f5:b9:3b:8a:9a:a9:4a:4f:
                    91:b5:f2:d2:15:99:7f:d7:98:bd:30:ff:88:ee:9a:
                    c3:c6:e4:36:e0:be:4a:a1:64:17:e8:33:1b:79:2c:
                    67:2b:91:e8:76:2e:d5:bf:c3:c9:8c:e9:d8:a9:67:
                    30:76:e3:fa:51:7e:86:77:d3
                Exponent: 65537 (0x10001)
            Verify Certificate:
              self signed certificate
          

          This is with a temporary, self-signed certificate as I didn't bother creating a real one.


          aeschbacher added a comment -

          After further investigation, it appears that sslscan discovers weak ciphers only if jenkins.war is started with java6. It is not the case with java7.

          For Debian Wheezy, this means
          java 6: 1.6.0_32 (weak ciphers discovered by sslscan)
          java 7: 1.7.0_65 (no weak ciphers)

          So I guess the ticket can be closed.


          Daniel Beck added a comment -

          No pressing need to implement this as a change in Java version is sufficient.


            Assignee: Unassigned
            Reporter: aeschbacher