SSL weak ciphers

    • Type: Improvement
    • Resolution: Won't Fix
    • Priority: Major
    • Component/s: core
    • Environment:
      Debian wheezy amd64

      sslscan detects the following weak (<128 bits) ciphers (when using jetty/https):

      Supported Server Cipher(s):
      Accepted SSLv3 56 bits EDH-RSA-DES-CBC-SHA
      Accepted SSLv3 56 bits DES-CBC-SHA
      Accepted SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
      Accepted SSLv3 40 bits EXP-DES-CBC-SHA
      Accepted SSLv3 40 bits EXP-RC4-MD5
      Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
      Accepted TLSv1 56 bits DES-CBC-SHA
      Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
      Accepted TLSv1 40 bits EXP-DES-CBC-SHA
      Accepted TLSv1 40 bits EXP-RC4-MD5

      Some IT departments are rather strict and do not allow weak ciphers.

      An option in /etc/default/jenkins that allows setting jetty's 'excludeCipherSuites' (or disabling all weak ciphers) would be great.

            Assignee:
            Unassigned
            Reporter:
            aeschbacher
            Archiver:
            Jenkins Service Account
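The following is an added example, not part of the original issue and not Jenkins or Jetty code: it parses the sslscan lines quoted in the report, keeps the accepted suites below 128 bits, and translates their OpenSSL names into the Java (JSSE) suite names that an exclude list such as 'excludeCipherSuites' would need. The function names, the mapping table and the extra 128-bit sample line are assumptions made for the illustration.

```python
import re

# "Accepted" lines from the report above, plus one constructed 128-bit line
# (AES128-SHA, not in the report) to show that compliant suites are kept.
SSLSCAN_OUTPUT = """\
Accepted SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Accepted SSLv3 56 bits DES-CBC-SHA
Accepted SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-RC4-MD5
Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-RC4-MD5
Accepted TLSv1 128 bits AES128-SHA
"""

# OpenSSL name (printed by sslscan) -> JSSE name; covers only the reported suites.
OPENSSL_TO_JSSE = {
    "EDH-RSA-DES-CBC-SHA": "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "DES-CBC-SHA": "SSL_RSA_WITH_DES_CBC_SHA",
    "EXP-EDH-RSA-DES-CBC-SHA": "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "EXP-DES-CBC-SHA": "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "EXP-RC4-MD5": "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
}

LINE_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")

def weak_ciphers(scan_text, min_bits=128):
    """Map each accepted cipher below min_bits to (bits, set of protocols)."""
    found = {}
    for line in scan_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group(2)) < min_bits:
            bits, protocols = found.setdefault(m.group(3), (int(m.group(2)), set()))
            protocols.add(m.group(1))
    return found

def jsse_exclude_list(scan_text, min_bits=128):
    """Return (JSSE names to exclude, OpenSSL names with no known mapping)."""
    weak = weak_ciphers(scan_text, min_bits)
    names = [OPENSSL_TO_JSSE[n] for n in weak if n in OPENSSL_TO_JSSE]
    unmapped = [n for n in weak if n not in OPENSSL_TO_JSSE]
    return names, unmapped

if __name__ == "__main__":
    exclude, unknown = jsse_exclude_list(SSLSCAN_OUTPUT)
    print("excludeCipherSuites:", ",".join(exclude), "| unmapped:", unknown)
```

Any name returned in the unmapped list is a weak suite the table does not cover and needs a manual lookup before the exclude list is complete.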