$ JENKINS_HOME=/tmp/POODLE java -jar .../war/target/jenkins.war --httpsPort=4430 &
# wait until started...
$ if echo Q | openssl s_client -connect localhost:4430 -ssl3 2>&1 | grep -q "Cipher.*0000"; then echo "SSLv3 disabled"; else echo "SSLv3 enabled"; fi
SSLv3 enabled
It ought to be blocked by default.
- is related to JENKINS-23925 SSL weak ciphers - Resolved
[JENKINS-25169] Winstone potentially vulnerable to POODLE (CVE-2014-3566)
Link | New: This issue is related to |
Resolution | New: Fixed [ 1 ] | |
Status | Original: Open [ 1 ] | New: Resolved [ 5 ] |
Resolution | Original: Fixed [ 1 ] | |
Status | Original: Resolved [ 5 ] | New: Reopened [ 4 ] |
Assignee | New: Kohsuke Kawaguchi [ kohsuke ] |
Summary | Original: Winstone potentially vulnerable to POODLE | New: Winstone potentially vulnerable to POODLE (CVE-2014-3566) |
Code changed in jenkins
User: christ66
Path:
src/java/winstone/HttpsConnectorFactory.java
http://jenkins-ci.org/commit/winstone/503ef47e817eda69fadf3e7e82aeded43409bb7f
Log:
[FIXED JENKINS-25169] Because of the POODLE vulnerability, we disabled SSLv3 by default.
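
One way to disable SSLv3 on a plain JSSE listener, as an added example (not the code from the Winstone commit above; the class name `NoSslv3Listener`, the method `withoutSslv3` and the sample protocol list are assumptions made for illustration):

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

// Hypothetical class, not from Winstone: strips SSLv3 from a JSSE listener.
public class NoSslv3Listener {

    /** Returns the given protocol list without SSLv3; refuses to leave it empty. */
    static String[] withoutSslv3(String[] enabled) {
        List<String> kept = new ArrayList<>();
        for (String protocol : enabled) {
            if (!"SSLv3".equalsIgnoreCase(protocol)) {
                kept.add(protocol);
            }
        }
        if (kept.isEmpty()) {
            throw new IllegalStateException("only SSLv3 was enabled; no protocol left");
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input resembling an older JRE's defaults (assumption).
        String[] legacy = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
        System.out.println("filtered: " + Arrays.toString(withoutSslv3(legacy)));

        // Apply the same filter to a real listener socket on an ephemeral port.
        // The default context is enough to inspect protocol settings.
        SSLContext context = SSLContext.getDefault();
        try (SSLServerSocket socket = (SSLServerSocket)
                context.getServerSocketFactory().createServerSocket(0)) {
            System.out.println("before: " + Arrays.toString(socket.getEnabledProtocols()));
            socket.setEnabledProtocols(withoutSslv3(socket.getEnabledProtocols()));
            System.out.println("after:  " + Arrays.toString(socket.getEnabledProtocols()));
        }
    }
}
```

On a current JRE the "before" and "after" lists are normally identical, because SSLv3 is already excluded by the platform's default security settings; the filter matters on runtimes that still enable it.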