• Improvement
    • Resolution: Won't Fix
    • Major
    • core
    • None
    • Debian wheezy amd64

      sslscan detects the following weak (<128 bits) ciphers (when using jetty/https):

      Supported Server Cipher(s):
      Accepted SSLv3 56 bits EDH-RSA-DES-CBC-SHA
      Accepted SSLv3 56 bits DES-CBC-SHA
      Accepted SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
      Accepted SSLv3 40 bits EXP-DES-CBC-SHA
      Accepted SSLv3 40 bits EXP-RC4-MD5
      Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
      Accepted TLSv1 56 bits DES-CBC-SHA
      Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
      Accepted TLSv1 40 bits EXP-DES-CBC-SHA
      Accepted TLSv1 40 bits EXP-RC4-MD5

      Some IT departments are rather strict and do not allow weak ciphers.

      An option in /etc/default/jenkins that allows setting jetty's 'excludeCipherSuites' (or disabling all weak ciphers) would be great.
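
      Added example (not part of the original issue and not Jenkins or Jetty code): a parser for sslscan output in the format quoted above that flags accepted suites below 128 bits and translates their OpenSSL names into the JSSE names that jetty's 'excludeCipherSuites' expects. The function names, the sample's last two lines and the five-entry name table are assumptions supplied for this example.

```python
import re

# sslscan lines from the issue (TLSv1 rows plus one SSLv3 row); the last two
# lines are constructed to show a rejected suite and a strong suite being skipped.
SAMPLE = """\
Accepted SSLv3 40 bits EXP-RC4-MD5
Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-RC4-MD5
Rejected TLSv1 0 bits NULL-SHA
Accepted TLSv1 128 bits AES128-SHA
"""

# sslscan prints OpenSSL names; Jetty's excludeCipherSuites takes JSSE names.
OPENSSL_TO_JSSE = {
    "EDH-RSA-DES-CBC-SHA": "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "DES-CBC-SHA": "SSL_RSA_WITH_DES_CBC_SHA",
    "EXP-EDH-RSA-DES-CBC-SHA": "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "EXP-DES-CBC-SHA": "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "EXP-RC4-MD5": "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
}
ACCEPTED = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")

def weak_ciphers(report, min_bits=128):
    """Map each accepted suite below min_bits to (bits, [protocols])."""
    weak = {}
    for line in report.splitlines():
        m = ACCEPTED.match(line)
        if m and int(m.group(2)) < min_bits:
            proto, bits, name = m.group(1), int(m.group(2)), m.group(3)
            weak.setdefault(name, (bits, []))[1].append(proto)
    return weak

def jsse_exclusions(weak):
    """Return (sorted JSSE names to exclude, OpenSSL names with no mapping)."""
    mapped = sorted(OPENSSL_TO_JSSE[n] for n in weak if n in OPENSSL_TO_JSSE)
    unmapped = sorted(n for n in weak if n not in OPENSSL_TO_JSSE)
    return mapped, unmapped

if __name__ == "__main__":
    weak = weak_ciphers(SAMPLE)
    for name, (bits, protos) in weak.items():
        print(f"{name}: {bits} bits via {', '.join(protos)}")
    mapped, unmapped = jsse_exclusions(weak)
    print("exclude:", ",".join(mapped))
    print("unmapped (review by hand):", unmapped)
```

      Weak suites that the table does not cover are returned separately so they can be looked up by hand.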

          [JENKINS-23925] SSL weak ciphers

          aeschbacher created issue -
          Daniel Beck made changes -
          Resolution New: Won't Fix [ 2 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]
          Daniel Beck made changes -
          Link New: This issue is related to JENKINS-25169 [ JENKINS-25169 ]
          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 156791 ] New: JNJira + In-Review [ 195508 ]

            Unassigned
            aeschbacher