$ JENKINS_HOME=/tmp/POODLE java -jar .../war/target/jenkins.war --httpsPort=4430 & # wait until started... $ if echo Q | openssl s_client -connect localhost:4430 -ssl3 2>&1 | grep -q "Cipher.*0000"; then echo "SSLv3 disabled"; else echo "SSLv3 enabled"; fi SSLv3 enabled
It ought to be blocked by default.
- is related to
-
JENKINS-23925 SSL weak ciphers
-
- Resolved
-
Code changed in jenkins
User: christ66
Path:
src/java/winstone/HttpsConnectorFactory.java
http://jenkins-ci.org/commit/winstone/503ef47e817eda69fadf3e7e82aeded43409bb7f
Log:
[FIXED JENKINS-25169] Because of the POODLE vulnerability, we disabled SSLv3 by default.